[clamav-users] Proofpoint and Heuristics.Phishing.Email.SpoofedDomain
kdeugau at vianet.ca
Mon Mar 16 11:17:00 EDT 2020
micah anderson via clamav-users wrote:
> I keep having people complaining about False Positives due to
> Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.
> I really didn't want to do this, but I added a few entries to the
> local.wdb to whitelist it:
> That seemed to work for a while, but people are getting hit by it again,
> it seems like the URLs changed, they used to be:
> the newer ones prepend
> but that regexp should match, unless I'm misreading it. Does someone
> have a better solution that works for this?
I only use Heuristics.Phishing.Email.SpoofedDomain in a ClamAV instance
that doesn't blindly pass/fail a message based only on the ClamAV result.
For outbound mail, I handle this by calling ClamAV from MIMEDefang,
where I can do anything I like with the ClamAV result.
For inbound mail, I have a secondary clamd instance configured *without*
the stock signatures, but with this option and a selection of riskier
local and third-party signatures. This is called from SpamAssassin, and
I can score different specific signatures or signature groups differently.
More information about the clamav-users