Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 4:51 PM, Maarten Broekman via clamav-users wrote: https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Maarten Broekman via clamav-users
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create a file "good_urls.wdb" in the same directory as the existing ClamAV database files and put in an appropriate line to handle the domains t

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 11:47 AM, G.W. Haywood via clamav-users wrote: Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd wil

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Kris Deugau
joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd will print a message indicating the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/13/2022 7:27 PM, Mathieu Morier via clamav-users wrote: Yea for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format  ) and it’s working. For Heuristics.Phish

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Yea for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it’s working. For Heuristics.Phishing.Email.SpoofedDomain it’s not an « ignore list » but an « allow list » of real URL and display URL that you want to allow. echo

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote: Looks like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically changed ... Don't get me started. ... links to ... hit the Heurist

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
For now I have done that and it works! echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb systemctl restart clamd But it will be great if Desjardins rules are on the up-to-date
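The `M:` line above exempts one specific (real hostname, displayed hostname) pair from the SpoofedDomain heuristic, and the linked docs also describe an `X:` regex form. The following is an added example, not ClamAV's code and not from anyone in the thread: a small Python model of how `.wdb` allow-list entries are applied to a link whose visible text points at one host while the `href` points at another. The `SAMPLE_WDB` content and the URLs in it are constructed for the example (the `M:` line is the one posted above; the `X:` line for rbc.com is hypothetical), `parse_wdb()` and `classify()` are illustrative names, and the model assumes the `X:` regexes are matched against the URL without its scheme and that fields contain no literal colons.

```python
"""Simplified model of ClamAV phishing allow-list (.wdb) matching.

Added example for the thread above; it is NOT ClamAV's implementation.
It models the two .wdb line types described in the ClamAV signature docs:
  M:RealHostname:DisplayedHostname         exact hostname pair
  X:RealURLRegex:DisplayedURLRegex:Flags   regex pair (Flags ignored here)
and a hypothetical classify() check that says whether a link whose visible
text and href disagree would still be allowed.
"""
import re
from urllib.parse import urlsplit

# Constructed .wdb content: the M: line posted in the thread plus a
# hypothetical X: regex entry for a second bank (assumption, not a real rule).
SAMPLE_WDB = r"""
# comment lines are ignored
M:can01.safelinks.protection.outlook.com:www.desjardins.com
X:.+\.safelinks\.protection\.outlook\.com/.*:www\.rbc\.com(/.*)?:
"""


def parse_wdb(text):
    """Parse .wdb lines into ("M", real_host, disp_host) or ("X", re, re) tuples.

    Assumes no field contains a literal ':'; raises ValueError on malformed lines
    so a typo in local.wdb is caught before it silently allows nothing.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        fields = rest.split(":")
        if kind == "M":
            if len(fields) != 2 or not all(fields):
                raise ValueError(f"line {lineno}: M: needs RealHostname:DisplayedHostname")
            entries.append(("M", fields[0].lower(), fields[1].lower()))
        elif kind == "X":
            if len(fields) < 2 or not fields[0] or not fields[1]:
                raise ValueError(f"line {lineno}: X: needs RealURLRegex:DisplayedURLRegex:Flags")
            entries.append(("X", re.compile(fields[0], re.I), re.compile(fields[1], re.I)))
        else:
            raise ValueError(f"line {lineno}: unknown entry type {kind!r}")
    return entries


def _host(url):
    # urlsplit only finds a hostname when a scheme is present.
    u = url if "://" in url else "http://" + url
    return (urlsplit(u).hostname or "").lower()


def _schemeless(url):
    return url.split("://", 1)[1] if "://" in url else url


def classify(real_url, displayed_url, entries):
    """Return "ok" (hosts agree), "allowed" (mismatch covered by an entry),
    or "spoofed" (mismatch with no matching allow-list entry)."""
    real_host, disp_host = _host(real_url), _host(displayed_url)
    if real_host == disp_host:
        return "ok"
    for kind, a, b in entries:
        if kind == "M" and (real_host, disp_host) == (a, b):
            return "allowed"
        if kind == "X" and a.fullmatch(_schemeless(real_url)) \
                and b.fullmatch(_schemeless(displayed_url)):
            return "allowed"
    return "spoofed"


if __name__ == "__main__":
    rules = parse_wdb(SAMPLE_WDB)
    # Constructed Safe Links style href versus the bank URL shown to the reader.
    href = "https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.desjardins.com%2F"
    print(classify(href, "https://www.desjardins.com/particuliers", rules))
    print(classify("https://evil.example/login", "https://www.desjardins.com/", rules))
```

The point the model makes explicit is that the allow list is keyed on the pair: a lookalike `href` pointing at some other host while displaying `www.desjardins.com` still comes out as `spoofed`, so the `M:` line is narrower than a sender or domain whitelist.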

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Hi, Looks like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically changed to https://can01.safelinks.protection.outlook.com with a long string. So all the links to desjardins.com

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 30 May 2022, Mathieu Morier via clamav-users wrote: desjardins.com is a Québec Canada Coop Bank Institution and for a couple weeks, all their email to our email server has been flagged by my CLAM as Heuristics.Phishing.Email.SpoofedDomain ... They probably did so

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread Mathieu Morier via clamav-users
Hi, desjardins.com is a Québec Canada Coop Bank Institution and for a couple weeks, all their email to our email server has been flagged by my CLAM as Heuristics.Phishing.Email.SpoofedDomain . It might be something in the signature of their email. But it’s starting to be problemati

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread lukn
Hi You cannot whitelist a sender in ClamAV. Whitelisting happens in the software that calls ClamAV. The alternative is to disable spoofing checks in ClamAV configuration. They're not enabled by default, so if your ClamAV checks spoofing, then someone enabled it on purpose. As Al already pointed

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread Al Varnell
It's my experience that the Heuristics.Phishing.Email.SpoofedDomain engine checks URLs to make sure the hyperlink actually takes you to a site related to what the text shows. I'm not aware of any public information on whitelisting these, but do know it can be done by adding an x- or m- entry in th

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread Tristan Goguen
Hi, We are looking for documentation that will help us "whitelist" a sender's email. Thank you for any suggestions. Wed Aug 8 07:37:00 2018 -> Message w78BaxBt005717 from to <> with subject 'RE: ' message-id '<8q3v8vqrv8bva5u46f6qy0mf.1533728212...@email.android.com>' date 'Wed, 8 Aug 2018 11

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-03-02 Thread Vincent Fox
Comment about this feature, which I've never turned on before. I flipped it on, for a single mail router in a pool of 9. Over the course of a day and MANY messages, it tripped for only 4 messages, all of which seem legit. So I'm turning it back off.

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-03 Thread Alex
Hi, The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H: >>> It looks like I only have daily.cld. Can you explain what you mean here? >> >> cd /tmp && sigtool --unpack-current=daily >> >> there you find what you hav

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Al Varnell
On Sun, Feb 02, 2014 at 10:41 AM, Benny Pedersen wrote: > > On 2014-02-02 18:43, Alex wrote: >>> The heuristics engine is only used for selected financial institution >>> domains (currently 263) >>> listed in daily.pdb as H: >> It looks like I only have daily.cld. Can you explain what you mean h

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Benny Pedersen
On 2014-02-02 18:43, Alex wrote: The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H: It looks like I only have daily.cld. Can you explain what you mean here? cd /tmp && sigtool --unpack-current=daily there you find what you

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Alex
Hi, >>> running clamscan --debug against the file. >>> http://www.tdcanadatrust.com/tdvisa/agreements appears >>> several times in the body of the message but links to >>> http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc&; >>> M=1&L=2&v=4. >> >> Ah, thanks. I should have known that. >>

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Feb 1, 2014, at 3:01 PM, Alex wrote: > Hi, > > I found another false-positive, this time with > Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring > out what domain within the email it thinks is spoofed. > > I've pasted the email here: > > htt

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Alex
Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here: http://pastebin.com/S7XkCg9a Any ideas greatly ap

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Feb 1, 2014, at 1:44 PM, Alex wrote: > Hi, > > On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell wrote: >> >> On Jan 31, 2014, at 5:26 PM, Alex wrote: >> >>> Hi, >>> >>> I found another false-positive, this time with >>> Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring >>>

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Alex
Hi, On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell wrote: > > On Jan 31, 2014, at 5:26 PM, Alex wrote: > >> Hi, >> >> I found another false-positive, this time with >> Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring >> out what domain within the email it thinks is spoofed. >> >

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Jan 31, 2014, at 5:26 PM, Alex wrote: > Hi, > > I found another false-positive, this time with > Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring > out what domain within the email it thinks is spoofed. > > I've pasted the email here: > > http://pastebin.com/S7XkCg9a >

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-01-31 Thread Alex
Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here: http://pastebin.com/S7XkCg9a Any ideas greatly appreciated. Thanks, Alex