[clamav-users] Proofpoint and Heuristics.Phishing.Email.SpoofedDomain
Kris Deugau
kdeugau at vianet.ca
Mon Mar 16 15:17:00 UTC 2020
micah anderson via clamav-users wrote:
>
> Hi,
>
> I keep having people complaining about False Positives due to
> Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.
>
> I really didn't want to do this, but I added a few entries to the
> local.wdb to whitelist it:
>
> X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
> X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-
>
> That seemed to work for a while, but people are getting hit by it again,
> it seems like the URLs changed, they used to be:
>
> https://urldefense.proofpoint.com/v2/url?u="
>
> the newer ones prepend
> https://urldefense.com/v3/__
>
> but that regexp should match, unless I'm misreading it. Does someone
> have a better solution that works for this?
I only use Heuristics.Phishing.Email.SpoofedDomain in a ClamAV instance
that doesn't blindly pass/fail a message based only on the ClamAV result.
For outbound mail, I handle this by calling ClamAV from MIMEDefang,
where I can do anything I like with the ClamAV result.
For inbound mail, I have a secondary clamd instance configured *without*
the stock signatures, but with this option and a selection of riskier
local and third-party signatures. This is called from SpamAssassin, and
I can score different specific signatures or signature groups differently.
-kgd
More information about the clamav-users
mailing list