[Clamav-users] Phishing.Heuristics.Email.SpoofedDomain Query
I've upgraded to 0.95.1 and have a few mails that are getting quarantined as Phishing.Heuristics.Email.SpoofedDomain. How do I go about checking for spoofed domains in the email headers? It's quite possible that the domain has been spoofed, but I would like to just double check.

Cheers
Greg

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain Query
On 2009-04-29 11:43, Greg McCarthy wrote:
I've upgraded to 0.95.1 and have a few mails that are getting quarantined as Phishing.Heuristics.Email.SpoofedDomain. How do I go about checking for spoofed domains in the email headers? It's quite possible that the domain has been spoofed, but I would like to just double check.

You should look at the body of the mail, not the headers (headers in an email can be easily forged, so they're usually not to be trusted anyway).

You can use clamscan --debug to find out why ClamAV considers the email phishing; the output should be similar to the following:

$ clamscan --debug /path/to/emailfile.eml 2>&1 | grep -i phish
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Phishcheck:Checking url http://fake.example.com-banksite-example.com
LibClamAV debug: Phishcheck:URL after cleanup: http://fake.example.com-banksite-example.com
LibClamAV debug: Phishing: looking up in whitelist: http://fake.example.com:banksite-example.com; host-only:0
LibClamAV debug: Phishcheck:host:.banksite-example.com
LibClamAV debug: Phishcheck:host:.fake.example.com
LibClamAV debug: Phishing: looking up in whitelist: .fake.example.com:.banksite-example.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Phishing.Heuristics.Email.SpoofedDomain
/path/to/emailfile.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

In this case the reason is that the 2 domains are different (the former is the real target URL of the hyperlink, the latter is the URL as shown to the user).

Best regards,
--Edwin
[Clamav-users] ClamAV filling up /usr/local/share/clamav
I am having a problem with ClamAV. It is working great in combination with MailScanner, so no problem there. It is on an RH4U5 server. BUT it is filling up the /usr/local/share/clamav folder with subfolders like this:

drwxr-xr-x 2 clamav clamav 4096 Apr 13 20:14 clamav-ff1b8054ca4da18830a21a1d1926faea
drwxr-xr-x 2 clamav clamav 4096 Apr 13 02:33 clamav-ff308f1b0172692d11d8fcfc10acfbff
drwxr-xr-x 2 clamav clamav 4096 Apr  4 06:18 clamav-ff6e299d847b7d8c0431e2171761f588
drwxr-xr-x 2 clamav clamav 4096 Apr 23 07:01 clamav-ff97ffcfe89c09096003ac3934f2418a
drwxr-xr-x 2 clamav clamav 4096 Mar  6 02:54 clamav-fffa3aecbc960a3e99a66058a18e6c3d

Also in the same folder are files:

-rw-r--r-- 1 clamav clamav   974848 Feb 26 14:42 daily.cld
-rw-r--r-- 1 clamav clamav 44391424 Feb 18 12:22 main.cld
-rw------- 1 clamav clamav      104 Apr 29 10:55 mirrors.dat

In each of the subfolders is something like this:

-rw-r--r-- 1 clamav clamav   17992 Feb  5 23:27 COPYING
-rw-r--r-- 1 clamav clamav     214 Feb  5 23:27 daily.cfg
-rw-r--r-- 1 clamav clamav   25954 Feb  5 23:27 daily.db
-rw-r--r-- 1 clamav clamav    5554 Feb  5 23:27 daily.fp
-rw-r--r-- 1 clamav clamav    5904 Feb  5 23:27 daily.ftm
-rw-r--r-- 1 clamav clamav   14296 Feb  5 23:27 daily.hdb
-rw-r--r-- 1 clamav clamav    1098 Feb  5 23:27 daily.hdu
-rw-r--r-- 1 clamav clamav     762 Feb  5 23:27 daily.ign
-rw-r--r-- 1 clamav clamav     713 Feb  5 23:27 daily.info
-rw-r--r-- 1 clamav clamav     320 Feb  5 23:27 daily.ldb
-rw-r--r-- 1 clamav clamav 4188187 Feb  5 23:27 daily.mdb
-rw-r--r-- 1 clamav clamav   26056 Feb  5 23:27 daily.mdu
-rw-r--r-- 1 clamav clamav  272178 Feb  5 23:27 daily.ndb
-rw-r--r-- 1 clamav clamav    5179 Feb  5 23:27 daily.ndu
-rw-r--r-- 1 clamav clamav    3372 Feb  5 23:27 daily.pdb
-rw-r--r-- 1 clamav clamav    2088 Feb  5 23:27 daily.wdb
-rw-r--r-- 1 clamav clamav    3450 Feb  5 23:27 daily.zmd

The problem is that my /usr partition is 90% full, and this folder is taking up 4,8Gb of space.

So my question is: can I delete some of it (there are over 1000 subfolders), or should I move it to another place? Does ClamAV need this to operate as it should? WHAT are these things? My guess is some sort of updates to the AV database (so can I remove old ones?).

Best from Velda
[Clamav-users] Using milter_watch
Hello,

We just updated our Debian server with version 0.95.1+dfsg-0volatile2. Anyway, we have been using milter_watch (used to be clmilter_watch) from:
http://www.itg.uiuc.edu/itg_software/milter_watch/

This used to work fine with the 0.94 version, but now when I try running milter_watch on the new 0.95 version I get the following:

---
# milter_watch -d local:/var/run/clamav/milter.ctl
Submit_message called with KkgrSCQhRUxJRi1UU0VULVNVUklWSVROQS1EUkFETkFUUy1SQUNJRSR9NylDQzcpXlAoNDVYWlBc NFtQQUAlUCFPNVg= X43.C*LIAME-TSET-EBU-ITNA-DRADNATS-EBUTG*NENDI2*3NBSN.1NDAQBDJ4C*SJX
Milter didn't respond within 15s timeout
---

And in my syslog I see this:

clamav-milter[3037]: ClamAV: st_optionneg[-162030672]: 0x1f does not fulfill action requirements 0x30

Anyone have an idea on how to fix this problem?

Thanks,
Ken
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain Query
Thanks for the info. I've run the scan on the body file and headers file and get:

LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

The mail has been quarantined though - I don't have the .eml file. I've scanned the hf and df files.

2009/4/29 Török Edwin edwinto...@gmail.com:
On 2009-04-29 11:43, Greg McCarthy wrote:
I've upgraded to 0.95.1 and have a few mails that are getting quarantined as Phishing.Heuristics.Email.SpoofedDomain. How do I go about checking for spoofed domains in the email headers? It's quite possible that the domain has been spoofed, but I would like to just double check.

You should look at the body of the mail, not the headers (headers in an email can be easily forged, so they're usually not to be trusted anyway).

You can use clamscan --debug to find out why ClamAV considers the email phishing; the output should be similar to the following:

$ clamscan --debug /path/to/emailfile.eml 2>&1 | grep -i phish
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Phishcheck:Checking url http://fake.example.com-banksite-example.com
LibClamAV debug: Phishcheck:URL after cleanup: http://fake.example.com-banksite-example.com
LibClamAV debug: Phishing: looking up in whitelist: http://fake.example.com:banksite-example.com; host-only:0
LibClamAV debug: Phishcheck:host:.banksite-example.com
LibClamAV debug: Phishcheck:host:.fake.example.com
LibClamAV debug: Phishing: looking up in whitelist: .fake.example.com:.banksite-example.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Phishing.Heuristics.Email.SpoofedDomain
/path/to/emailfile.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

In this case the reason is that the 2 domains are different (the former is the real target URL of the hyperlink, the latter is the URL as shown to the user).

Best regards,
--Edwin
Re: [Clamav-users] Using milter_watch
cla...@pcez.com wrote:
clamav-milter[3037]: ClamAV: st_optionneg[-162030672]: 0x1f does not fulfill action requirements 0x30
Anyone have an idea on how to fix this problem?

Not really, but from the look of it I believe it's a protocol version mismatch between the milter and the watcher. Maybe check if a newer version of milter_watch is available.

-aCaB
Re: [Clamav-users] Virus Infected Message for recipient
martinnitram wrote:
At clamav 0.94, it was possible to configure clamav-milter to send a "Virus Infected" notification email to the recipient when a virus was detected. But from 0.95.1, the milter only has the 'Blackhole' option that directly drops the virus email without any user notification like 0.94. Is there any option for the milter at 0.95.1 to do this? Thanks.

clamav-milter has 5 options for this:

Accept -- not recommended if a virus is detected
Reject -- sending server or client will get a 5xx error message
Defer -- message acceptance is temporarily rejected for later retry
Blackhole -- sends to oblivion silently
Quarantine -- saves the message for the administrator to verify and either accept, reject, etc.

I personally use the Reject option; but I've also heard of the Quarantine option being used heavily as well.

The old "Virus Infected" messages were discouraged, since they cause unnecessary backscatter (most virus programs don't use a valid e-mail address for the return party; or if they did, they ended up being random e-mail address entries from the truly infected machine and not the host sending the infection).

James
Re: [Clamav-users] Virus Infected Message for recipient
I also came across the same issue. Of course I Reject the messages, but for my own personal domain I like to have the notices of infected email go through to the intended local recipient just to keep track of things. James Kosin mentioned the backscatter with faked sender addresses, but we aren't looking to return the email notice to the sender. I just want to send a notice to the local recipient that the message was not accepted due to a virus.

Dan

- Original Message -
From: martinnitram martinnit...@excite.com
To: clamav-users@lists.clamav.net
Sent: Wednesday, April 29, 2009 8:39 AM
Subject: [Clamav-users] Virus Infected Message for recipient

At clamav 0.94, it was possible to configure clamav-milter to send a "Virus Infected" notification email to the recipient when a virus was detected. But from 0.95.1, the milter only has the 'Blackhole' option that directly drops the virus email without any user notification like 0.94. Is there any option for the milter at 0.95.1 to do this? Thanks.

--
View this message in context: http://www.nabble.com/%22Virus-Infected%22-Message-for-recipient-tp23296120p23296120.html
Sent from the clamav-users mailing list archive at Nabble.com.
Re: [Clamav-users] Virus Infected Message for recipient
- Original Message -
From: martinnitram martinnit...@excite.com
To: clamav-users@lists.clamav.net
Sent: Wednesday, April 29, 2009 8:39 AM
Subject: [Clamav-users] Virus Infected Message for recipient

At clamav 0.94, it was possible to configure clamav-milter to send a "Virus Infected" notification email to the recipient when a virus was detected. But from 0.95.1, the milter only has the 'Blackhole' option that directly drops the virus email without any user notification like 0.94. Is there any option for the milter at 0.95.1 to do this? Thanks.

- Original Message -
From: Dan Metcalf snort-...@metcalfs.com
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Wednesday, April 29, 2009 9:45 AM
Subject: Re: [Clamav-users] Virus Infected Message for recipient

I also came across the same issue. Of course I Reject the messages, but for my own personal domain I like to have the notices of infected email go through to the intended local recipient just to keep track of things. James Kosin mentioned the backscatter with faked sender addresses, but we aren't looking to return the email notice to the sender. I just want to send a notice to the local recipient that the message was not accepted due to a virus.

Dan

Just wanted to apologize for top posting...

Dan
Re: [Clamav-users] Virus Infected Message for recipient
Hi,
you can use this to send a message to, e.g., postmaster etc.; e.g., in clamd.conf:

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 VIRUS ALERT: %v

but I agree, I also miss functions of the old milter behaviour.

Dan Metcalf schrieb:
I also came across the same issue. Of course I Reject the messages, but for my own personal domain I like to have the notices of infected email go through to the intended local recipient just to keep track of things. James Kosin mentioned the backscatter with faked sender addresses, but we aren't looking to return the email notice to the sender. I just want to send a notice to the local recipient that the message was not accepted due to a virus.

Dan

- Original Message -
From: martinnitram martinnit...@excite.com
To: clamav-users@lists.clamav.net
Sent: Wednesday, April 29, 2009 8:39 AM
Subject: [Clamav-users] Virus Infected Message for recipient

At clamav 0.94, it was possible to configure clamav-milter to send a "Virus Infected" notification email to the recipient when a virus was detected. But from 0.95.1, the milter only has the 'Blackhole' option that directly drops the virus email without any user notification like 0.94. Is there any option for the milter at 0.95.1 to do this? Thanks.

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
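A worked example of the recipient-only notice Dan describes, added here and not part of this thread or of ClamAV. It assumes the VirusAction directive of clamav-milter.conf, which hands a hook program the virus name, queue id, sender, destination and subject as positional arguments (check the clamav-milter.conf shipped with your version for availability and the exact argument order; that order is an assumption here). clamd's VirusEvent, quoted above, only substitutes the virus name (%v), so it cannot address the recipient. The hook sends a notice only for addresses in domains you host, so a forged sender or recipient address cannot turn it into backscatter, and it marks the notice Auto-Submitted so other autoresponders leave it alone. LOCAL_DOMAINS and NOTICE_FROM are made-up values.

```python
"""Added example, not ClamAV code: notify the local recipient of a rejected message.

Assumed invocation (clamav-milter.conf VirusAction; argument order is an assumption):
    virus-notice.py VIRUS QUEUE_ID SENDER DESTINATION SUBJECT [MESSAGE_ID DATE]
"""
import subprocess
import sys
from email.message import EmailMessage
from email.utils import parseaddr

# Domains this MTA delivers for; only these addresses ever get a notice (constructed values).
LOCAL_DOMAINS = frozenset({"example.com", "example.net"})
NOTICE_FROM = "postmaster@example.com"


def is_local_recipient(address, local_domains=LOCAL_DOMAINS):
    """True when the address belongs to a domain we host.

    Anything else would be backscatter: the envelope recipient of a virus mail
    can be as forged as its sender."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1].lower() in local_domains


def build_notice(virus, queue_id, sender, recipient, subject):
    """Compose the notice for the local recipient; nothing goes back to the sender."""
    msg = EmailMessage()
    msg["From"] = NOTICE_FROM
    msg["To"] = recipient
    msg["Subject"] = f"Rejected message ({virus})"
    msg["Auto-Submitted"] = "auto-replied"  # RFC 3834: do not auto-answer this
    msg.set_content(
        "A message addressed to you was rejected because ClamAV reported it as infected.\n"
        "\n"
        f"  virus:          {virus}\n"
        f"  queue id:       {queue_id}\n"
        f"  claimed sender: {sender}\n"
        f"  subject:        {subject}\n"
        "\n"
        "The claimed sender address is very often forged; do not reply to it.\n"
    )
    return msg


def handle(argv):
    """Turn VirusAction arguments into a notice, or None when no notice is due."""
    if len(argv) < 5:
        return None
    virus, queue_id, sender, recipient, subject = argv[:5]
    if not is_local_recipient(recipient):
        return None
    return build_notice(virus, queue_id, sender, recipient, subject)


def deliver(msg):
    """Hand the notice to the local MTA through sendmail(1)."""
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"], input=msg.as_bytes(), check=True)


if __name__ == "__main__":
    notice = handle(sys.argv[1:])
    if notice is not None:
        deliver(notice)
```

Pair it with OnInfected Reject in clamav-milter.conf so the sending server still gets the 5xx James describes; the notice then covers only your own users, which is the part Dan wanted to keep.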
Re: [Clamav-users] Virus Infected Message for recipient
Robert Schetterer schrieb:
Hi,
you can use this to send a message to, e.g., postmaster etc.; e.g., in clamd.conf:

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 VIRUS ALERT: %v

but I agree, I also miss functions of the old milter behaviour.

Dan Metcalf schrieb:
I also came across the same issue. Of course I Reject the messages, but for my own personal domain I like to have the notices of infected email go through to the intended local recipient just to keep track of things. James Kosin mentioned the backscatter with faked sender addresses, but we aren't looking to return the email notice to the sender. I just want to send a notice to the local recipient that the message was not accepted due to a virus.

Dan

- Original Message -
From: martinnitram martinnit...@excite.com
To: clamav-users@lists.clamav.net
Sent: Wednesday, April 29, 2009 8:39 AM
Subject: [Clamav-users] Virus Infected Message for recipient

At clamav 0.94, it was possible to configure clamav-milter to send a "Virus Infected" notification email to the recipient when a virus was detected. But from 0.95.1, the milter only has the 'Blackhole' option that directly drops the virus email without any user notification like 0.94. Is there any option for the milter at 0.95.1 to do this? Thanks.

I apologize too for top posting *g

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Clamav-users] Virus Infected Message for recipient
Robert Schetterer wrote:
I apologize too for top posting *g

And for failure to prune unnecessary parts of the message?

dp
Re: [Clamav-users] Virus Infected Message for recipient
Dennis Peterson schrieb:
Robert Schetterer wrote:
I apologize too for top posting *g

And for failure to prune unnecessary parts of the message?

dp

I like these nonsense education discussions in mailing lists *g. There are as many theories of how to post as there are people in the world. If you find grammar mistakes, keep them *g

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Clamav-users] ClamAV filling up /usr/local/share/clamav
On 2009-04-29 13:54, Velda Midanovic wrote:
I am having a problem with ClamAV. It is working great in combination with MailScanner, so no problem there. It is on an RH4U5 server. BUT it is filling up the /usr/local/share/clamav folder with subfolders like this:

drwxr-xr-x 2 clamav clamav 4096 Apr 13 20:14 clamav-ff1b8054ca4da18830a21a1d1926faea
drwxr-xr-x 2 clamav clamav 4096 Apr 13 02:33 clamav-ff308f1b0172692d11d8fcfc10acfbff
drwxr-xr-x 2 clamav clamav 4096 Apr  4 06:18 clamav-ff6e299d847b7d8c0431e2171761f588
drwxr-xr-x 2 clamav clamav 4096 Apr 23 07:01 clamav-ff97ffcfe89c09096003ac3934f2418a
drwxr-xr-x 2 clamav clamav 4096 Mar  6 02:54 clamav-fffa3aecbc960a3e99a66058a18e6c3d

Also in the same folder are files:

-rw-r--r-- 1 clamav clamav   974848 Feb 26 14:42 daily.cld
-rw-r--r-- 1 clamav clamav 44391424 Feb 18 12:22 main.cld
-rw------- 1 clamav clamav      104 Apr 29 10:55 mirrors.dat

You should keep these, although removing them causes no harm; freshclam will just need to download the entire database next time it is run (it can take a while if you're on a slow connection).

In each of the subfolders is something like this:

-rw-r--r-- 1 clamav clamav   17992 Feb  5 23:27 COPYING
-rw-r--r-- 1 clamav clamav     214 Feb  5 23:27 daily.cfg
-rw-r--r-- 1 clamav clamav   25954 Feb  5 23:27 daily.db
-rw-r--r-- 1 clamav clamav    5554 Feb  5 23:27 daily.fp
-rw-r--r-- 1 clamav clamav    5904 Feb  5 23:27 daily.ftm
-rw-r--r-- 1 clamav clamav   14296 Feb  5 23:27 daily.hdb
-rw-r--r-- 1 clamav clamav    1098 Feb  5 23:27 daily.hdu
-rw-r--r-- 1 clamav clamav     762 Feb  5 23:27 daily.ign
-rw-r--r-- 1 clamav clamav     713 Feb  5 23:27 daily.info
-rw-r--r-- 1 clamav clamav     320 Feb  5 23:27 daily.ldb
-rw-r--r-- 1 clamav clamav 4188187 Feb  5 23:27 daily.mdb
-rw-r--r-- 1 clamav clamav   26056 Feb  5 23:27 daily.mdu
-rw-r--r-- 1 clamav clamav  272178 Feb  5 23:27 daily.ndb
-rw-r--r-- 1 clamav clamav    5179 Feb  5 23:27 daily.ndu
-rw-r--r-- 1 clamav clamav    3372 Feb  5 23:27 daily.pdb
-rw-r--r-- 1 clamav clamav    2088 Feb  5 23:27 daily.wdb
-rw-r--r-- 1 clamav clamav    3450 Feb  5 23:27 daily.zmd

Those look like temporary files left behind by freshclam? Are you using the latest ClamAV (0.95.1)? If not, try upgrading; it should fix the problem.

The problem is that my /usr partition is 90% full, and this folder is taking up 4,8Gb of space.

So my question is: can I delete some of it (there are over 1000 subfolders), or should I move it to another place? Does ClamAV need this to operate as it should? WHAT are these things? My guess is some sort of updates to the AV database (so can I remove old ones?).

You can safely delete the clamav-* subfolders in /usr/local/share/clamav.

Best regards,
--Edwin
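As an added illustration of Edwin's advice (example code, not freshclam's own), the script below lists the leftover clamav-<32 hex digits> temporary directories under DatabaseDirectory and removes them on request. It skips anything modified within the last hour so a directory that a running freshclam is still filling is left alone (the one-hour threshold is an assumption), and it never touches daily.cld/main.cld (or their .cvd forms) or mirrors.dat. The sample tree it builds for a dry run is constructed for the example and mirrors the listing in the question.

```python
"""Added example, not ClamAV/freshclam code: clean up stale freshclam temp directories."""
import os
import re
import shutil
import tempfile
import time

# freshclam's temporary directories: "clamav-" followed by 32 hex digits, as in the listing above.
TMPDIR_RE = re.compile(r"^clamav-[0-9a-f]{32}$")
# Live database files that must never be touched (daily/main may be .cvd or .cld).
KEEP = frozenset({"daily.cld", "daily.cvd", "main.cld", "main.cvd", "mirrors.dat"})


def stale_freshclam_tmpdirs(db_dir, min_age_seconds=3600, now=None):
    """Return sorted paths of leftover temp dirs older than min_age_seconds.

    The age threshold (one hour here; an assumption) avoids removing a directory
    that a running freshclam is still writing into."""
    now = time.time() if now is None else now
    stale = []
    for entry in os.scandir(db_dir):
        if entry.name in KEEP or not entry.is_dir(follow_symlinks=False):
            continue
        if not TMPDIR_RE.match(entry.name):
            continue  # e.g. an admin's "clamav-backup" directory is not freshclam's
        age = now - entry.stat(follow_symlinks=False).st_mtime
        if age >= min_age_seconds:
            stale.append(entry.path)
    return sorted(stale)


def remove_stale_freshclam_tmpdirs(db_dir, min_age_seconds=3600, dry_run=True, now=None):
    """Delete the stale temp dirs (or only report them when dry_run); return their paths."""
    stale = stale_freshclam_tmpdirs(db_dir, min_age_seconds, now)
    if not dry_run:
        for path in stale:
            shutil.rmtree(path)
    return stale


def build_sample_tree(root=None, now=None):
    """Construct a tree like the one in the question (sample data, not a real install)."""
    root = tempfile.mkdtemp(prefix="clamav-example-") if root is None else root
    now = time.time() if now is None else now
    leftovers = [  # (directory name, age in seconds)
        ("clamav-ff1b8054ca4da18830a21a1d1926faea", 14 * 86400),
        ("clamav-fffa3aecbc960a3e99a66058a18e6c3d", 54 * 86400),
        ("clamav-0123456789abcdef0123456789abcdef", 60),  # freshclam still busy here
    ]
    for name, age in leftovers:
        path = os.path.join(root, name)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "daily.cfg"), "w") as fh:
            fh.write("sample\n")
        os.utime(path, (now - age, now - age))
    for name in ("daily.cld", "main.cld", "mirrors.dat"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    os.makedirs(os.path.join(root, "clamav-backup"), exist_ok=True)  # not freshclam's; must stay
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path in remove_stale_freshclam_tmpdirs(target, dry_run=True):
        print("would remove", path)
```

Run it with the real DatabaseDirectory as the argument to see what would go; switch dry_run off (or wrap it in a cron job) only after upgrading freshclam as Edwin suggests, otherwise the directories simply come back.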
Re: [Clamav-users] Virus Infected Message for recipient
Am 2009-04-29 09:45:44, schrieb Dan Metcalf:
I also came across the same issue. Of course I Reject the messages, but for my own personal domain I like to have the notices of infected email go through to the intended local recipient just to keep track of things. James Kosin mentioned the backscatter with faked sender addresses, but we aren't looking to return the email notice to the sender. I just want to send a notice to the local recipient that the message was not accepted due to a virus.

I would never do this because I do not want to be informed about 150-2000 viruses per day.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant # http://www.tamay-dogan.net/
Michelle Konzack http://www.can4linux.org/
Apt. 917 http://www.flexray4linux.org/
50, rue de Soultz Jabber linux4miche...@jabber.ccc.de
67100 Strasbourg/France IRC #Debian (irc.icq.com)
Tel. DE: +49 177 9351947 ICQ #328449886
Tel. FR: +33 6 61925193
Re: [Clamav-users] Virus Infected Message for recipient
- Original Message -
From: Michelle Konzack linux4miche...@tamay-dogan.net
To: clamav-users@lists.clamav.net
Sent: Wednesday, April 29, 2009 2:48 PM
Subject: Re: [Clamav-users] Virus Infected Message for recipient

I also came across the same issue. Of course I Reject the messages, but for my own personal domain I like to have the notices of infected email go through to the intended local recipient just to keep track of things. James Kosin mentioned the backscatter with faked sender addresses, but we aren't looking to return the email notice to the sender. I just want to send a notice to the local recipient that the message was not accepted due to a virus.

I would never do this because I do not want to be informed about 150-2000 viruses per day.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

That's nice, but we weren't asking for an opinion poll. My domain doesn't get very many viruses at all through email, so it's a nice ticker to see when virus activity is on the rise out there. I could have all of the postmaster virus notifications routed to myself, but that's overkill for my monitoring needs.

Dan Metcalf
[Clamav-users] Question about Phish heuristic
I submitted what I considered to be a FP on Phishing.Heuristics.Email.SpoofedDomain:

Submission-ID: 7705854
Sender: Me
Submission notes: not a false positive
Added: No

which was not considered a FP. The code below is what triggered the detection (I hope this passes the list and shows up correctly):

<img src=3D"http://cbimages.ed4.net/harrahs/3991_226618.gif" width=3D"32"=
 height=3D"174" alt=3D""></td>
<td><span style=3D"color:#00; font-size:14px; font-family:Arial, Helvetica, sans-serif">SEARS has the brand names everyone knows and loves - from hardware to house wares to home electronics. With over 2,000 convenient locations nationwide, Sears has an incredible selection with something for everyone! For your convenience, you can also shop online at <A href=3D"http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=3DKEY=3D_urlid__-730367%26EDID=3D_edid__" id=3D"link_12"><font color=3D"#00">www.sears.com</font></a>.<br>

and debug output:

LibClamAV debug: Phishcheck:Checking url http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=KEY=_urlid__-730367%26EDID=_edid__-www.sears.com
LibClamAV debug: Phishcheck:URL after cleanup: http://click.harrahs-marketing.com-www.sears.com
LibClamAV debug: Phishing: looking up in whitelist: http://click.harrahs-marketing.com:www.sears.com; host-only:0
LibClamAV debug: Phishcheck:host:.www.sears.com
LibClamAV debug: Phishcheck:host:.click.harrahs-marketing.com
LibClamAV debug: Phishing: looking up in whitelist: .click.harrahs-marketing.com:.www.sears.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Phishing.Heuristics.Email.SpoofedDomain
virus-t3OEREsBZjFW: Phishing.Heuristics.Email.SpoofedDomain FOUND

The redirector from harrahs-marketing.com to sears.com is not a surprise to the reader, as the preceding text clearly indicates SEARS. While I'm no fan of advertisements, shouldn't this be considered for whitelisting?

Does Clam seem a little simplistic and naive in its SpoofedDomain phishing heuristic?

Mike
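As an added illustration of what the SpoofedDomain heuristic actually compares, both in Edwin's explanation earlier in this thread and in Mike's Sears example just above, here is a small model of it. It is not ClamAV's code: the real phishcheck does more (URL cleanup, the .wdb/.pdb whitelist and domain lists, and the dotted-quad regex shown in the debug output, which this example applies to the host of the real target). The snippet decodes a quoted-printable HTML part, pairs each hyperlink's real target with its visible text, and reports "URLs are way too different" when the visible text is itself a web address whose domain differs from the target's; text such as "the latest news" is not a URL and is not compared, which is why only the www.sears.com link in the sample trips it. The sample HTML is constructed along the lines of the Sears message; the two-label "registered domain" rule and the (real domain, shown domain) whitelist pairs are simplifications of this example, not ClamAV's formats.

```python
"""Added example (not ClamAV code): a small model of the SpoofedDomain heuristic."""
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The dotted-quad regex ClamAV's phishcheck compiles (see the debug output in this
# thread); here it is applied to the host part of the real link target.
IP_URL_RE = re.compile(r"^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$")
# Visible link text that a reader would take for a web address (assumption).
LOOKS_LIKE_URL_RE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample, modelled on the Sears mail quoted above; not the real message.
SAMPLE_QP = b"""<td><span style=3D"font-size:14px">SEARS has the brand names everyone know=
s and loves. For your convenience, you can also shop online at <a href=3D"h=
ttp://click.harrahs-marketing.com/r/1U3JI8/h?a=3DKEY" id=3D"link_12"><font =
color=3D"#000000">www.sears.com</font></a>.<br>
Read <a href=3D"http://example.com/news">the latest news</a> or visit
<a href=3D"http://192.0.2.10/">http://192.0.2.10/</a>.</span></td>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text anywhere inside the <a>, even in <font>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of a URL; a bare 'www.example.com' is accepted too."""
    s = url.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host (assumption: no public-suffix list, so co.uk-style
    domains are not handled correctly)."""
    return ".".join(host.strip(".").split(".")[-2:])


def classify(href, text, whitelist=frozenset()):
    """Verdict for one hyperlink, worded like the phishcheck debug messages."""
    real = host_of(href)
    if IP_URL_RE.match(real):
        return "IP address URL"
    if not LOOKS_LIKE_URL_RE.match(text):
        return "ok"                          # nothing URL-like shown to the user
    pair = (registered_domain(real), registered_domain(host_of(text)))
    if pair[0] == pair[1]:
        return "ok"
    if pair in whitelist:                    # (real domain, shown domain), e.g. a known redirector
        return "ok (whitelisted)"
    return "URLs are way too different"


def scan_quoted_printable_html(qp_body, whitelist=frozenset()):
    """Decode a quoted-printable HTML part and classify each hyperlink in it."""
    html = quopri.decodestring(qp_body).decode("utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, classify(href, text, whitelist)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, verdict in scan_quoted_printable_html(SAMPLE_QP):
        print(f"{verdict:28} href={href} shown={text!r}")
```

With the pair ("harrahs-marketing.com", "sears.com") in the whitelist the same link passes, which is the mechanism Mike is asking about; the check itself is deliberately blind to the surrounding "SEARS has ..." prose, since a phishing mail can say "Your bank" next to a link just as easily.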