Hi,

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger <cswi...@mac.com> wrote:
> On Aug 25, 2015, at 9:41 AM, Alex <mysqlstud...@gmail.com> wrote:
>> Thanks very much. I've submitted an fp, but it appears to be the result of
>> this:
>>
>> LibClamAV debug: Looking up hash
>> 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
>> urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
>> LibClamAV debug: Phishcheck:URL after cleanup:
>> https://urldefense.proofpoint.com->http://www.bankofamerica.com
>> LibClamAV debug: Phishing: looking up in whitelist:
>> https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
>> LibClamAV debug: Phishing: looking up in whitelist:
>> .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
>> LibClamAV debug: Looking up in regex_list:
>> urldefense.proofpoint.com:www.bankofamerica.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted:
>> Heuristics.Phishing.Email.SpoofedDomain
>>
>> Looks like the proofpoint "secure URL" product has mangled the URL so
>> badly that clamav can't decipher it?
>
> Actually, ClamAV recognized and decoded the URL spoofing just fine.
> So they should be able to whitelist it without any special trouble.

So where did it become an fp, then?

>> In any case, how would I go about whitelisting either the sender
>> and/or the email the next time this happens, so I don't have to wait
>> for the sig team to perform an update?
>
> If Bank of America was my bank, I'd contact them and ask them to send
> their own emails from their own domain rather than sending emails
> which rather precisely resemble email spoofing attempts.

It's actually not bankofamerica.com that's doing it. It apparently was the
sender that mangled every domain in the email to precede it with this
urldefense crap.

Thanks,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
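Editor's added example, not part of the thread and not ClamAV's code. The debug lines above show ClamAV comparing the displayed host (www.bankofamerica.com) against the href host (urldefense.proofpoint.com) and flagging the mismatch. The script below does the same displayed-vs-real comparison, but first unwraps the Proofpoint URL Defense v2 wrapper so a legitimately rewritten link is judged on its true destination. The decoding rule ('_' stands for '/', '-XX' is a hex escape) is taken from the published v2 scheme and checked against the `u=http-3A__www.bankofamerica.com_emaildisclaimer` sample in the log; `SAMPLE_ESCAPED` and the `check_link` function are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Wrapped link as quoted in the thread's ClamAV debug output
# (tracking parameters after u= abbreviated; only u= is decoded).
SAMPLE_WRAPPED = (
    "https://urldefense.proofpoint.com/v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer"
    "&d=AwMFAg&e="
)
# Constructed sample (not from the thread) exercising the '-XX' escapes
# that v2 uses for a literal '_' (-5F) and '-' (-2D) in the original URL.
SAMPLE_ESCAPED = "https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com_a-5Fb-2Dc&d=x&e="

V2_RE = re.compile(r"urldefense\.proofpoint\.com/v2/url\?u=(?P<u>[^&]+)")


def unwrap_urldefense_v2(url: str) -> Optional[str]:
    """Return the destination hidden in a URL Defense v2 wrapper, or None.

    v2 encoding (published scheme, matching the 'http-3A__' form in the log):
    '/' becomes '_' and any other reserved byte becomes '-' plus two hex digits.
    Decoding is therefore '_' -> '/', then '-' -> '%', then percent-decode.
    The order matters: '-5F' must become '%5F' -> '_' only after the literal
    underscores have already been turned back into slashes.
    """
    m = V2_RE.search(url)
    if not m:
        return None
    return unquote(m.group("u").replace("_", "/").replace("-", "%"))


def check_link(display_text: str, href: str, unwrap: bool = True) -> dict:
    """Compare the host the recipient sees with the host the link really targets.

    With unwrap=False this is the raw comparison visible in the debug output
    (display host vs urldefense.proofpoint.com); with unwrap=True the wrapper
    is removed first so the comparison is against the real destination.
    """
    real = href
    if unwrap:
        real = unwrap_urldefense_v2(href) or href
    shown_host = (urlparse(display_text).hostname or "").lower()
    real_host = (urlparse(real).hostname or "").lower()
    return {
        "shown_host": shown_host,
        "real_host": real_host,
        "match": bool(shown_host) and shown_host == real_host,
    }


if __name__ == "__main__":
    print(unwrap_urldefense_v2(SAMPLE_WRAPPED))
    print(unwrap_urldefense_v2(SAMPLE_ESCAPED))
    print(check_link("http://www.bankofamerica.com/", SAMPLE_WRAPPED))
    print(check_link("http://www.bankofamerica.com/", SAMPLE_WRAPPED, unwrap=False))
```

The host comparison here is an exact match after lowercasing; ClamAV's own heuristic is more involved, so this is a triage aid for deciding whether a flagged message is a wrapped legitimate link or a real display/href mismatch, not a replacement for the scanner's verdict.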