Discussion:
[clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive
Tristan Goguen
2018-08-17 02:40:07 UTC
Hi,

We are looking for documentation that will help us "whitelist" a
sender's email. Thank you for any suggestions.

Wed Aug 8 07:37:00 2018 -> Message w78BaxBt005717 from
<***@domain.com> to <<***@domain.com>> with subject 'RE: '
message-id '<***@email.android.com>'
date 'Wed, 8 Aug 2018 11:36:54 +0000' infected by
Heuristics.Phishing.Email.SpoofedDomain

Tristan

---

Best wishes,
Tristan

Tristan Goguen
CEO, ILAP(R)
(416) 250-5600,205
***@ilap.com

Al Varnell
2018-08-17 05:19:25 UTC
It's my experience that the Heuristics.Phishing.Email.SpoofedDomain engine checks URLs to make sure the hyperlink actually takes you to a site related to what the text shows. I'm not aware of any public information on whitelisting these, but do know it can be done by adding an x- or m- entry in the database, which is something that the ClamAV signature team should probably do for everybody rather than providing a local whitelist.

Or are you seeing something else in these messages that causes an FP?

-Al-
lukn
2018-08-17 06:15:23 UTC
Hi

You cannot whitelist a sender in ClamAV. Whitelisting happens in the
software that calls ClamAV.

The alternative is to disable spoofing checks in ClamAV configuration.
They're not enabled by default, so if your ClamAV checks spoofing, then
someone enabled it on purpose.


As Al already pointed out you can whitelist the offending link
construct. To identify the offending link in the mail you need to
perform a bit of analysis:
clamscan /path/to/mailfile.eml --debug 2>&1 | less

I don't have a working example at hand, so here's a little outline from
my memory:
search in less output for the word "different"
nearby that match (a few lines above, iirc) you'll find the offending
value looking something like
yada yada yada amazon.com:amazon.de yada yada yada
(using amazon just as an example)

In your clamav signature directory you then create a file called
spoofing.wdb with this content:
X:amazon\.com:amazon\.de
(copy the hit from clamav debug output, prepend X: and escape all regex
specials)

Alternatively have the sender fix the broken link you identified above.

HTH

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
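The procedure lukn outlines above (run clamscan --debug, locate the "different" line, copy the real:displayed host pair, escape the regex specials and prepend X:) is mechanical enough to script. The following is an added example, not code from the thread or from the ClamAV project: it pulls the host pair out of debug output, builds the spoofing.wdb line, and then checks that both halves of the generated entry actually match the pair, since a mis-escaped or too-narrow regex silently whitelists nothing and clamscan keeps flagging the mail. The SAMPLE_DEBUG text is constructed, and the exact wording ClamAV prints around the host pair is an assumption; the only thing taken from the thread is that a real:displayed token appears a few lines above a line containing "different". The X:RealURL:DisplayedURL layout of .wdb entries is as the thread describes.

```python
"""Build and sanity-check a ClamAV spoofing.wdb whitelist entry from the
real:displayed host pair reported by `clamscan --debug` on a mail file."""
import re

# Constructed sample of clamscan --debug output (not captured from a real run).
# The surrounding wording is an assumption; the thread only promises that a
# 'realhost:displayedhost' token sits a few lines above a "different" line.
SAMPLE_DEBUG = """\
LibClamAV debug: Phishcheck: checking displayed host amazon.de
LibClamAV debug: Phishcheck: amazon.com:amazon.de
LibClamAV debug: Phishcheck: URLs are way too different
LibClamAV debug: Heuristics.Phishing.Email.SpoofedDomain FOUND
"""

# Two hostnames joined by a single colon: real host first, displayed host second.
PAIR_RE = re.compile(
    r'\b([A-Za-z0-9.-]+\.[A-Za-z]{2,}):([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b')

# Regex metacharacters that must be escaped in a .wdb entry, as lukn advises.
WDB_SPECIALS = set('.^$*+?()[]{}|\\')


def find_pairs(debug_text, window=3):
    """Return (real, displayed) host pairs found on or up to `window` lines
    above every line mentioning "different", without duplicates."""
    lines = debug_text.splitlines()
    pairs = []
    for i, line in enumerate(lines):
        if 'different' not in line.lower():
            continue
        for candidate in lines[max(0, i - window):i + 1]:
            for m in PAIR_RE.finditer(candidate):
                pair = (m.group(1), m.group(2))
                if pair not in pairs:
                    pairs.append(pair)
    return pairs


def regex_escape(text):
    """Backslash-escape regex specials only; ':' is the .wdb field separator
    and hostnames never contain it, so it is left alone."""
    return ''.join('\\' + c if c in WDB_SPECIALS else c for c in text)


def wdb_entry(real, displayed, kind='X'):
    """Format one whitelist line: X:RealURL:DisplayedURL (or M: for hostnames)."""
    if kind not in ('X', 'M'):
        raise ValueError('kind must be X or M')
    return f'{kind}:{regex_escape(real)}:{regex_escape(displayed)}'


def entry_matches(entry, real, displayed):
    """Check that both regex halves of `entry` fully match the pair they were
    generated from, so the entry will actually fire on this message."""
    _kind, real_re, disp_re = entry.split(':', 2)
    return (re.fullmatch(real_re, real) is not None
            and re.fullmatch(disp_re, displayed) is not None)


def build_wdb(debug_text):
    """Return the spoofing.wdb content (one entry per line) for every
    verified pair in the debug output."""
    out = []
    for real, displayed in find_pairs(debug_text):
        entry = wdb_entry(real, displayed)
        if entry_matches(entry, real, displayed):
            out.append(entry)
    return '\n'.join(out) + ('\n' if out else '')


if __name__ == '__main__':
    # Real use: clamscan /path/to/mailfile.eml --debug 2>&1 > debug.txt
    # and feed debug.txt here; then write the result to spoofing.wdb in the
    # ClamAV database directory and re-run clamscan on the .eml to confirm.
    print(build_wdb(SAMPLE_DEBUG), end='')
```

Note that the generated entry only covers the exact host pair from this one message; if the sender's mail legitimately mixes several related domains, each pair needs its own line, which is why Al suggests the signature team handle common cases centrally rather than every site carrying a local list.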
