[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

Mathieu Morier mathieu.morier at sogetel.com
Mon Jun 13 23:27:59 UTC 2022


Yeah, for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it’s working.

For Heuristics.Phishing.Email.SpoofedDomain it’s not an « ignore list » but an « allow list » of real URL and display URL that you want to allow.


echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
systemctl restart clamd


Too many people, including banks, are putting all their confidence in big cloud services.




        Mathieu Morier,
Administrateur Internet / Network Administrator

This message is confidential and intended only for the named recipients. It may contain information that is privileged. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have.


On 13 June 2022 at 17:59, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:

Hi there,

On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote:

Looks like many Canadian banks are switching their corporate email to
Office 365 ( Microsoft cloud ) and all the links in their email are
then automatically changed ...

Don't get me started.

... links to ... hit the Heuristics.Phishing.Email.SpoofedDomain .
... Can this rule be changed ...

Speaking personally, I don't want it to be changed but you could for
example add an 'ignore' rule:

https://docs.clamav.net/manual/Signatures/AllowLists.html?highlight=ignore#signature-ignore-lists

Then will have to trust Microsoft ...

... currently the second worst spam support provider in the world, and
rarely out of the top five:

https://www.spamhaus.org/statistics/networks/

--

73,
Ged.
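
An added example, not part of the original messages and not ClamAV project code: a shell helper that appends the M: pair from the command above to a .wdb file only when both hostnames are bare names and the line is not already present. The function names valid_host and wdb_allow are hypothetical; the default path is the one used in the message.

```shell
#!/bin/sh
# Added example: safely append an allow-list pair to a ClamAV .wdb file.
# Entry form taken from the message above: M:<real host>:<displayed host>

# valid_host HOST: accept only a bare hostname (letters, digits, dots, hyphens).
# Rejects schemes, paths, colons and mail-client autolink residue such as
# "host<http://host>", any of which would corrupt a colon-separated entry.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) return 1 ;;
    esac
    case "$1" in
        *.*) return 0 ;;    # require at least one dot
    esac
    return 1
}

# wdb_allow REAL DISPLAYED [FILE]
# Returns 0 if the entry was added, 1 if already present, 2 on bad input.
wdb_allow() {
    real=$1 shown=$2 file=${3:-/var/lib/clamav/local.wdb}
    valid_host "$real" && valid_host "$shown" || {
        echo "refusing malformed hostname: '$real' / '$shown'" >&2
        return 2
    }
    entry="M:${real}:${shown}"
    # -F literal, -x whole line: dots in hostnames are not regex wildcards,
    # so a similar-looking existing line does not count as a match.
    if [ -f "$file" ] && grep -Fxq -- "$entry" "$file"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Usage, followed by the restart step from the message:
#   wdb_allow can01.safelinks.protection.outlook.com www.desjardins.com
#   systemctl restart clamd
```

Keeping each pair this narrow (one rewriting host, one displayed host) means the heuristic still fires for any other real/displayed mismatch.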