On 8/24/07 2:12 PM, "John W. Baxter" <[EMAIL PROTECTED]> wrote:

> Daily sigs: 4054; main 44. ClamAv 0.91.2-1
>
> Installed on CentOS-4.5 from Dag's packages. Freshly updated via the
> packages from the ancient 0.90-2 (also Dag's). (of course
> For the moment, I'm turning what should be the quite valuable option
> PhishingScanURLs
> off.
>
> 1. Have others with similar setups noticed this seeming problem?
>
> 2. Have I in fact found the right switch to turn off the scanning which
> produces Phishing.Heuristics.Email.SpoofedDomain

We're seeing

1. Mail from Yahoo groups (or some mail from Yahoo groups) being marked as
   Phishing (for URL reasons)
2. Same for a Seattle Times mailing list.
3. Same for a Democracy in Action mailing.
4. Customer (unwise, usually) forwarding of messages with URLs being marked
   as Phishing although they came in unscathed.

We're about to install emergency code which will initially ignore all
Phishing "hits", but is written so we can be more selective. (It can ignore
any particular hit--tested with EICAR.)

Should the following settings have the effect of disabling any detection
regarding Phishing? (Actually, I don't think the signature-based phishing
detection is causing our problems.)

(I haven't found any extra config files in the wrong places (that is, where
they are being used but not where I'm editing them). And I am restarting
what needs restarting.)

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes
PhishingSignatures no

# Scan urls found in mails for phishing attempts.
# (available in experimental builds only)
# Default: yes
#PhishingScanURLs yes
PhishingScanURLs no

# Use phishing detection only for domains listed in the .pdb database. It is
# not recommended to have this option turned off, because scanning of all
# domains may lead to many false positives!
# (available in experimental builds only)
# Default: yes
#PhishingRestrictedScan yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# (available in experimental builds only)
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# (available in experimental builds only)
#
# Default: no
#PhishingAlwaysBlockCloak no

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
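One way to write the selective hit filter the message describes, as an added example (not the poster's code, and not part of ClamAV). It assumes the scanner reports one result line per message in the form `<target>: <signature> FOUND`; the policy names, the `decide` and `run` helpers and the sample lines are constructed for illustration.

```python
import fnmatch
import re

# Constructed policies (hypothetical names): globs matched case-sensitively
# against the signature name the scanner reports.
IGNORE_ALL_PHISHING = ["Phishing.*"]
IGNORE_HEURISTICS_ONLY = ["Phishing.Heuristics.Email.*"]

# Assumed result-line shapes: "<target>: <signature> FOUND" and "<target>: OK".
_FOUND = re.compile(r"^(?P<target>.+): (?P<sig>\S+) FOUND$")
_OK = re.compile(r"^.+: OK$")


def decide(result_line, ignored):
    """Map one scanner result line to (action, signature).

    'deliver' = clean, 'ignore' = hit suppressed by policy, 'reject' = hit
    enforced, 'defer' = error or unrecognised line (never pass mail on an
    unknown scanner state).
    """
    line = result_line.strip()
    if _OK.match(line):
        return ("deliver", None)
    hit = _FOUND.match(line)
    if not hit:
        return ("defer", None)
    sig = hit.group("sig")
    if any(fnmatch.fnmatchcase(sig, pat) for pat in ignored):
        return ("ignore", sig)  # log sig so suppressed hits stay auditable
    return ("reject", sig)


# Constructed sample result lines, not taken from the original message.
SAMPLES = [
    "stream: OK",
    "stream: Phishing.Heuristics.Email.SpoofedDomain FOUND",
    "stream: Phishing.Constructed.Sample-1 FOUND",
    "stream: Eicar-Test-Signature FOUND",
    "stream: Access denied. ERROR",
]


def run(ignored):
    """Return the action chosen for each sample line under a policy."""
    return [decide(line, ignored)[0] for line in SAMPLES]


if __name__ == "__main__":
    for policy in (IGNORE_ALL_PHISHING, IGNORE_HEURISTICS_ONLY):
        print(policy, run(policy))
```

Narrowing the policy from `Phishing.*` to the heuristic names keeps the other phishing hit enforced while still suppressing the `SpoofedDomain` false positives.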
