[clamav-users] FP with Heuristics.Phishing.Email.SpoofedDomain

Kris Deugau

2018-08-29 19:30:34 UTC

Post by Paul
Hi
I have 2 emails which have tripped
Heuristics.Phishing.Email.SpoofedDomain (4 times in each email using
clamscan -x option)
Is the output from clamscan -x --debug shown below indicate the
offending url pair triggering Heuristics.Phishing.Email.SpoofedDomain?
.clicktime.symantec.com:.www
.barclays.co.uk; host-only:1

Seems likely; this is exactly the kind of URL mismatch it's intended to
trigger on.

I have yet to find a guaranteed consistent way to take these entries and
convert them to a local whitelist entry for a local .wdb file, but some
variation of one of these should work:

M:clicktime.symantec.com:barclays.co.uk
X:\.clicktime\.symantec\.com:www\.barclays\.co\.uk/

However, locally I've also given up on having this enabled where it's an
absolute black/white test; I've disabled it for the main Clam instance,
and set up a secondary one with this test and a list of variously risky
third-party signatures whose results are scored in SpamAssassin instead.

-kgd
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml