It's not necessary to whitelist the heuristic. If you choose to, you can whitelist the domain, which can be done using a .wdb signature. There is documentation on how to write an entry in the phishsigs_howto.pdf document.
-Kevin

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger <cswi...@mac.com> wrote:

> On Aug 25, 2015, at 9:41 AM, Alex <mysqlstud...@gmail.com> wrote:
> > Thanks very much. I've submitted an fp, but it appears to be the result
> > of this:
> >
> > LibClamAV debug: Looking up hash 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
> > LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
> > LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
> > LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
> > LibClamAV debug: Looking up in regex_list: urldefense.proofpoint.com:www.bankofamerica.com/
> > LibClamAV debug: Lookup result: not in regex list
> > LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> > LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
> >
> > Looks like the proofpoint "secure URL" product has mangled the URL so
> > badly that clamav can't decipher it?
>
> Actually, ClamAV recognized and decoded the URL spoofing just fine.
> So they should be able to whitelist it without any special trouble.
>
> > In any case, how would I go about whitelisting either the sender
> > and/or the email the next time this happens, so I don't have to wait
> > for the sig team to perform an update?
>
> If Bank of America was my bank, I'd contact them and ask them to send
> their own emails from their own domain rather than sending emails
> which rather precisely resemble email spoofing attempts.
>
> If they declined, I'd find myself another bank who cared enough about email
> and online security that they weren't outsourcing it to proofpoint.com.
>
> Regards,
> --
> -Chuck
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
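
Added example, not part of the original thread and not ClamAV project code: one way to turn the "looking up in whitelist ... host-only:1" debug lines shown above into `.wdb` entries in the `M:RealHostname:DisplayedHostname` form described in phishsigs_howto.pdf. The function name and the sample log text are constructed for illustration.

```python
import re

# Constructed sample, modeled on the libclamav debug output quoted in this thread.
SAMPLE_DEBUG = """\
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
"""

# Only the host-only:1 lookup is used: it already carries the bare host pair.
LOOKUP = re.compile(r"looking up in whitelist:\s*(\S+);\s*host-only:1\s*$")
HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$")


def wdb_entries(debug_text):
    """Return sorted, de-duplicated 'M:RealHostname:DisplayedHostname' lines."""
    entries = set()
    for line in debug_text.splitlines():
        m = LOOKUP.search(line)
        if not m:
            continue
        # Host-only lookups have the form ".real.host:.displayed.host".
        parts = m.group(1).split(":")
        if len(parts) != 2:
            continue
        real, shown = (p.lstrip(".").lower() for p in parts)
        # Refuse anything that is not a plain hostname: ':' is the .wdb
        # field separator, so a stray character would change the entry.
        if HOSTNAME.match(real) and HOSTNAME.match(shown):
            entries.add(f"M:{real}:{shown}")
    return sorted(entries)


if __name__ == "__main__":
    for entry in wdb_entries(SAMPLE_DEBUG):
        print(entry)
```

The entry pairs one real host with one displayed host, so it is narrower than exempting the whole rewriting domain; after adding it to a `.wdb` file in the database directory, re-running the scan with debug output should show whether the whitelist lookup now matches.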