[clamav-users] Proofpoint and Heuristics.Phishing.Email.SpoofedDomain

micah anderson micah at riseup.net
Sun Mar 15 17:35:06 EDT 2020


Hi,

I keep having people complaining about false positives due to
Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.

I really didn't want to do this, but I added a few entries to the
local.wdb to whitelist it:

 X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
 X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-

That seemed to work for a while, but people are getting hit by it again.
It seems like the URLs changed; they used to be:

 https://urldefense.proofpoint.com/v2/url?u="

the newer ones prepend
 https://urldefense.com/v3/__

but that regexp should match, unless I'm misreading it. Does someone
have a better solution that works for this?

thanks!

-- 
        micah
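
To see concretely what the two posted local.wdb entries cover, the following is an added example (my own script, not ClamAV code and not from the poster) that emulates how an X: allow-list entry is applied to a (real URL, displayed URL) pair. It assumes, following the daily.wdb convention the posted entries copy, that both regexes are matched against the whole URL anchored at both ends (emulated with re.fullmatch) and that the URL reaches the regex with its scheme intact; the sample links, the hypothetical LOOSE_ENTRY / TIGHT_ENTRY lines and the "lookalike" host are all constructed for illustration.

```python
"""Emulate ClamAV .wdb X: allow-list matching for the entries posted on the list.

Added example, not ClamAV code. Assumptions: RealURL and DisplayedURL are
regexes matched anchored at both ends against the whole URL (re.fullmatch),
and the regex sees the raw URL including its scheme.
"""
import re

# The two entries exactly as posted: X:RealURL:DisplayedURL[:MinFLevel-].
POSTED_WDB = r"""
X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-
"""

# Hypothetical entries for the newer urldefense.com/v3 host (assumptions, not from
# the post). LOOSE copies the posted style; TIGHT requires a '.' or '/' right before
# the host and the /v3/__ path, so a host that merely ends in "urldefense.com" fails.
LOOSE_ENTRY = r"X:.+urldefense\.com([/?].*)?:.*([/?].*)?:17-"
TIGHT_ENTRY = r"X:(.+[./])?urldefense\.com/v3/__.*:.*:17-"

# Constructed sample links: the displayed text is the original link, the href is
# what each rewriter put in its place.
DISPLAYED = "https://example.com/login"
V2_REAL = "https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_login&d=DwMFaQ"
V3_REAL = "https://urldefense.com/v3/__https://example.com/login__;!!AbCdEf$"
SAFELINKS_REAL = "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Flogin"
LOOKALIKE_REAL = "https://evilurldefense.com/v3/__https://example.com/login__;"


def parse_wdb(text):
    """Parse X: lines into (real_regex, displayed_regex, flevel) tuples.

    The field separator is ':'; none of the regexes used here contain one.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("X:"):
            continue  # skip blanks and other record types
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError("malformed wdb line: " + line)
        flevel = fields[3] if len(fields) > 3 else None
        entries.append((fields[1], fields[2], flevel))
    return entries


def is_allowed(entries, real_url, displayed_url):
    """Return the first entry whose two regexes both match the pair in full, else None."""
    for real_re, disp_re, flevel in entries:
        if re.fullmatch(real_re, real_url) and re.fullmatch(disp_re, displayed_url):
            return (real_re, disp_re, flevel)
    return None


def check_posted_entries():
    """Which rewrite styles do the posted entries actually cover?"""
    posted = parse_wdb(POSTED_WDB)
    return {
        "safelinks": is_allowed(posted, SAFELINKS_REAL, DISPLAYED) is not None,
        "v2": is_allowed(posted, V2_REAL, DISPLAYED) is not None,
        # Neither posted regex contains "urldefense.com" as a host, so v3 is missed.
        "v3": is_allowed(posted, V3_REAL, DISPLAYED) is not None,
    }


def check_candidate(entry_line):
    """Does a candidate entry cover the v3 host, and does it also cover a lookalike host?"""
    entries = parse_wdb(entry_line)
    return {
        "v3": is_allowed(entries, V3_REAL, DISPLAYED) is not None,
        "lookalike": is_allowed(entries, LOOKALIKE_REAL, DISPLAYED) is not None,
    }


def displayed_side_is_unconstrained(entry_line):
    """With '.*' as DisplayedURL, once the real URL matches the pair is allowed
    whatever the link text claims to be; the heuristic no longer sees that pair."""
    entries = parse_wdb(entry_line)
    return is_allowed(entries, V3_REAL, "https://www.paypal.com/") is not None


if __name__ == "__main__":
    print(check_posted_entries())
    print("loose:", check_candidate(LOOSE_ENTRY))
    print("tight:", check_candidate(TIGHT_ENTRY))
    print("any displayed text allowed:", displayed_side_is_unconstrained(TIGHT_ENTRY))
```

Two things worth noticing when running it: a bare `.+` prefix in the RealURL regex lets any host that merely ends in the string match (the `lookalike` result for LOOSE_ENTRY), and a `.*` DisplayedURL means the entry suppresses the spoofed-domain comparison for every link text, so such entries are only as trustworthy as the rewriter host they name.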