[clamav-users] Proofpoint and Heuristics.Phishing.Email.SpoofedDomain

Kris Deugau kdeugau at vianet.ca
Mon Mar 16 11:17:00 EDT 2020


micah anderson via clamav-users wrote:
> 
> Hi,
> 
> I keep having people complaining about False Positives due to
> Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.
> 
> I really didn't want to do this, but I added a few entries to the
> local.wdb to whitelist it:
> 
>   X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
>   X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-
> 
> That seemed to work for a while, but people are getting hit by it again,
> it seems like the URLs changed, they used to be:
> 
>   https://urldefense.proofpoint.com/v2/url?u="
> 
> the newer ones prepend
>   https://urldefense.com/v3/__
> 
> but that regexp should match, unless I'm misreading it. Does someone
> have a better solution that works for this?

I only use Heuristics.Phishing.Email.SpoofedDomain in a ClamAV instance 
that doesn't blindly pass/fail a message based only on the ClamAV result.

For outbound mail, I handle this by calling ClamAV from MIMEDefang, 
where I can do anything I like with the ClamAV result.

For inbound mail, I have a secondary clamd instance configured *without* 
the stock signatures, but with this option and a selection of riskier 
local and third-party signatures.  This is called from SpamAssassin, and 
I can score different specific signatures or signature groups differently.

-kgd


More information about the clamav-users mailing list