Discussion:
[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon
Al Varnell
2017-11-14 09:44:37 UTC
Permalink
I'm not very good at regex, but I'm surprised that this current X record doesn't already take care of this:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?

-Al-
Hello List,
I think I found an FP in incoming mail. I can't submit the mail as an FP on the website, because it contains private data.
LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck:host:.www.amazon.de
LibClamAV debug: Looking up in regex_list: www.amazon.de/
LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
LibClamAV debug: calc_pos_with_skip:amazon.de
LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
LibClamAV debug: Before inserting .: .www.amazon.de
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect..... which redirects to http://www.amazon.de/gp/help/survey?p....
These are default links from Amazon to rate a seller/product and should be an allowed combination of redirects.
Is it possible to do a global update of this combination within the heuristics?
X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
Thanks,
Hajo
Al Varnell
2017-11-14 09:50:20 UTC
Permalink
Hello,
Post by Al Varnell
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
Me too. In which file is this regex located?
daily.cld / .cvd

-Al-
--
Al Varnell
Mountain View, CA
Hajo Locke
2017-11-14 10:20:00 UTC
Permalink
Hello,

Based on my working whitelist regex I would say the 2nd part should not
look only for amazon\.com


If I understood it the correct way, it should be something like:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?

Using this regex shows a clean mail. Maybe more extensions are needed
on the right side, depending on Amazon changes/uses of different domains.

Thanks,
Hajo
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
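To make the reasoning in this thread checkable, here is an added example (my own code, not ClamAV's and not posted by anyone in the thread) that models the whitelist lookup the way the debug output above shows it: the lookup key is the cleaned real URL, a colon, the displayed URL and a trailing "/", and an X: line splits into a real-URL regex and a displayed-URL regex. The assumption, labelled in the code, is that the entry has to match that whole key (anchored full match); the host-only second pass and the suffix prefilter that ClamAV also runs are not modelled. The file name local.wdb and the www.amazon.de.evil.example lookalike host are constructed for the example.

```python
"""Model of a ClamAV phishing-whitelist ("X:" line in a .wdb file) lookup.

Added example, not ClamAV's own code.  It reproduces the decision shown in
the debug log in this thread: the "Looking up in regex_list:" key is
"<real URL>:<displayed URL>/", and each half of an X: entry is an extended
regular expression.

ASSUMPTION (not verified against libclamav): the entry must match the whole
key, i.e. it is anchored at both ends.  The host-only pass and the
Aho-Corasick suffix prefilter that ClamAV runs in addition are not modelled.
"""
import re

# Entry from daily.cvd as quoted by Al: left half = real URL, right half =
# displayed URL.  The right half only accepts amazon.com.
DAILY_ENTRY = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?"

# Hajo's revised entry: the displayed side also accepts amazon.de.
REVISED_ENTRY = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?"

# Constructed contents of a hypothetical local.wdb (file name is an assumption).
LOCAL_WDB = "# local.wdb, constructed example\n" + REVISED_ENTRY + "\n"


def compile_entry(line):
    """Split an X:RealURL:DisplayedURL[:...] line on unescaped colons and
    compile both halves as one regex over the "real:displayed/" key.

    The "^(?:...):(?:...)$" wrapper is the anchoring assumption from the
    module docstring.
    """
    fields = re.split(r"(?<!\\):", line.strip())
    if len(fields) < 3 or fields[0] != "X":
        raise ValueError("not a whitelist entry: %r" % line)
    real_re, displayed_re = fields[1], fields[2]
    return re.compile("^(?:%s):(?:%s)$" % (real_re, displayed_re))


def lookup_key(real_url, displayed_url):
    """Build the key exactly as the 'Looking up in regex_list:' debug line
    shows it: real URL, ':', displayed URL, trailing '/'."""
    return "%s:%s/" % (real_url, displayed_url)


def whitelisted(entry_line, real_url, displayed_url):
    """True when the (real, displayed) pair is covered by one X: entry."""
    return compile_entry(entry_line).match(lookup_key(real_url, displayed_url)) is not None


def any_whitelisted(wdb_text, real_url, displayed_url):
    """Return the first entry of a .wdb file text that covers the pair,
    or None.  Blank lines and '#' comments are skipped."""
    for line in wdb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if whitelisted(line, real_url, displayed_url):
            return line
    return None


if __name__ == "__main__":
    # Pair taken from the debug log in this thread (cleaned URLs).
    real, shown = "https://sellercentral-europe.amazon.com", "http://www.amazon.de"
    print("daily entry  :", whitelisted(DAILY_ENTRY, real, shown))
    print("revised entry:", whitelisted(REVISED_ENTRY, real, shown))
    # Constructed lookalike: the anchored '([/?].*)?' tail refuses it.
    print("lookalike    :", whitelisted(REVISED_ENTRY,
                                        "http://www.amazon.de.evil.example", shown))
    print("local.wdb hit:", any_whitelisted(LOCAL_WDB, real, shown))
```

Run it with python3: the daily.cvd entry rejects the sellercentral-europe.amazon.com to www.amazon.de pair while the (com|de) variant accepts it, and the anchored tail still refuses a real URL on a lookalike host, which is the property you want to keep when widening a whitelist entry. To deploy such an entry locally, put the X: line in a file with the .wdb extension inside clamd's database directory and re-run the mail with clamscan --debug; the "Lookup result: in regex list" line for the first (host-only:0) lookup confirms the entry is being hit.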
Marcus Schopen
2018-08-23 18:08:14 UTC
Permalink
Hi,
Hello,
Based on my working whitelist regex I would say the 2nd part should not
look only for amazon\.com
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?
Using this regex shows a clean mail. Maybe more extensions are needed
on the right side, depending on Amazon changes/uses of different domains.
Anything new on this? Is the above rule still working? Some of my Amazon
mails are blocked by "Phishing.Email.SpoofedDomain" too, e.g.:

http://www.adobe.com/de/products/acrobat/readstep2.html
-> https://sellercentral-europe.amazon.com/...

or

Amazon.de
-> https://sellercentral-europe.amazon.com/...

Cheers
m

Reindl Harald
2018-08-23 18:58:09 UTC
Permalink
Post by Marcus Schopen
Hi,
Hello,
Based on my working whitelist regex I would say the 2nd part should not
look only for amazon\.com
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?
Using this regex shows a clean mail. Maybe more extensions are needed
on the right side, depending on Amazon changes/uses of different domains.
Anything new on this? Is the above rule still working? Some of my Amazon
http://www.adobe.com/de/products/acrobat/readstep2.html
-> https://sellercentral-europe.amazon.com/...
That BULLSHIT never worked and has made more problems than it solves for
years now. Either run two instances, where the one with
"PhishingScanURLs" doesn't make hard rejects (in my example it's part of
SpamAssassin scoring), or disable that option:


[***@mail-gw:~]$ cat /etc/clamd.d/scan.conf | grep PhishingScanURLs
PhishingScanURLs no

[***@mail-gw:~]$ cat /etc/clamd.d/scan-sa.conf | grep PhishingScanURLs
PhishingScanURLs yes