Re: [Clamav-users] Unknown phishing email virus?
Jonas Jacobsson wrote:
> I got the following in my log running amavis and clamav. The virusdb was up to date when it happened (by freshclam). The receiver is an email address at my domain and the mail is directly forwarded to the hotmail address after the scan. The receiving server telling me it contains a virus is my ISP's smarthost which I must send via. When the ISP finds this virus mail, they will block my internet connection until I call their abuse department.

I suggest you look for another ISP. Everybody knows heuristic checks can and will produce false positives. Blocking a customer's internet connection based on such a check is unacceptable.

HTH
T.

--
Tilman Schmidt
Head of Technology Department (Abteilungsleiter Technik)
Phoenix Software GmbH
Adolf-Hombitzer-Str. 12, 53227 Bonn, Germany
Tel. +49 228 97199 0
Fax +49 228 97199 99
www.phoenixsoftware.de
Managing Director (Geschäftsführer): W. Grießl
Registered at Amtsgericht Bonn, HRB 2934

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[Clamav-users] Unknown phishing email virus?
Hi,

System: debian, clamav 0.93.3.dfsg-1, amavisd-new 1:2.6.1.dfsg-1.

I got the following in my log running amavis and clamav. The virusdb was up to date when it happened (by freshclam). The receiver is an email address at my domain and the mail is directly forwarded to the hotmail address after the scan. The receiving server telling me it contains a virus is my ISP's smarthost which I must send via. When the ISP finds this virus mail, they will block my internet connection until I call their abuse department.

I searched for Phishing.Heuristics.Email.SpoofedDomain in the clamav-virusdb archive, and it seems that it does not exist? Unfortunately I don't have the infected mail saved...

The same thing happens with Email.Trojan-2 (which does exist in the db), they are scanned and reported as CLEAN, but the ISP's smarthost blocks it due to the detected virus.

Any ideas?

Aug 24 20:26:08 moria postfix/smtpd[31338]: connect from localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/smtpd[31338]: E9FA38AC12E: client=localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/cleanup[31322]: E9FA38AC12E: message-id=[EMAIL PROTECTED]
Aug 24 20:26:08 moria postfix/smtpd[31338]: disconnect from localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/qmgr[6748]: E9FA38AC12E: from=[EMAIL PROTECTED], size=3331, nrcpt=1 (queue active)
Aug 24 20:26:08 moria postfix/cleanup[31322]: F15EC8AC158: message-id=[EMAIL PROTECTED]
Aug 24 20:26:08 moria postfix/qmgr[6748]: F15EC8AC158: from=[EMAIL PROTECTED], size=3460, nrcpt=1 (queue active)
Aug 24 20:26:08 moria postfix/local[31340]: E9FA38AC12E: to=[EMAIL PROTECTED], relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as F15EC8AC158)
Aug 24 20:26:08 moria postfix/qmgr[6748]: E9FA38AC12E: removed
Aug 24 20:26:09 moria amavis[30702]: (30702-10) Passed CLEAN, [87.170.100.175] [87.170.100.175] [EMAIL PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], mail_id: CwcGFkEZbg5G, Hits: 5.271, size: 2645, queued_as: E9FA38AC12E, 11194 ms
Aug 24 20:26:09 moria postfix/smtp[31323]: A6AD68AC125: to=[EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=1.1/0.01/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=30702-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E9FA38AC12E)
Aug 24 20:26:09 moria postfix/qmgr[6748]: A6AD68AC125: removed
Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4, delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))

/jonas
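Added example (not from the post or from the ClamAV/amavisd projects): a small log correlator for exactly the pattern above, where amavis logs "Passed CLEAN" for one queue id, postfix/local forwards it under a second queue id, and the upstream relay then rejects that second id with a 550 naming a signature. The sample lines are constructed after the post's log; addresses are placeholders.

```python
import re

# Constructed sample modelled on the log in the post (queue ids and relay as quoted
# there, addresses replaced by placeholders). The last line is a normal delivery
# to the amavis content filter and must not be reported.
SAMPLE_LOG = """\
Aug 24 20:26:08 moria postfix/local[31340]: E9FA38AC12E: to=<user@example.org>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as F15EC8AC158)
Aug 24 20:26:09 moria amavis[30702]: (30702-10) Passed CLEAN, [87.170.100.175] <sender@example.net> -> <user@example.org>, Message-ID: <id@example.net>, mail_id: CwcGFkEZbg5G, Hits: 5.271, size: 2645, queued_as: E9FA38AC12E, 11194 ms
Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=<user@hotmail.example>, orig_to=<user@example.org>, relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4, delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))
Aug 24 20:26:09 moria postfix/smtp[31323]: A6AD68AC125: to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=1.1/0.01/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=30702-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E9FA38AC12E)
"""

# amavis verdict for the queue id it re-injected into postfix
VERDICT_RE = re.compile(r"amavis\[\d+\]: \(\S+\) Passed (\w+),.*queued_as: (\w+)")
# local delivery that turned one queue id into another (alias/.forward)
FORWARD_RE = re.compile(r"postfix/local\[\d+\]: (\w+): .*status=sent \(forwarded as (\w+)\)")
# upstream relay rejecting the message with a named detection
REJECT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (\w+): .*relay=(\S+), .*status=(\w+) \(.*said: (\d{3}) "
    r"This message contains a virus \(([^)]+)\)")


def correlate(log_text):
    """Return one finding per upstream rejection, joined to the local scan verdict."""
    verdicts, forwarded_from, rejects = {}, {}, []
    for line in log_text.splitlines():
        if m := VERDICT_RE.search(line):
            verdicts[m.group(2)] = m.group(1)
        elif m := FORWARD_RE.search(line):
            forwarded_from[m.group(2)] = m.group(1)
        elif m := REJECT_RE.search(line):
            rejects.append(m.groups())
    findings = []
    for qid, relay, status, code, name in rejects:
        origin = qid
        while origin in forwarded_from:      # walk back to the id amavis scanned
            origin = forwarded_from[origin]
        findings.append({"queue_id": qid, "origin_queue_id": origin,
                         "local_verdict": verdicts.get(origin, "unknown"),
                         "relay": relay, "status": status, "smtp_code": code,
                         "remote_detection": name})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['queue_id']}: local={f['local_verdict']} remote={f['remote_detection']} "
              f"({f['status']}, {f['smtp_code']} from {f['relay']})")
```

A "local=CLEAN" paired with a named remote detection is the disagreement worth looking at (signature lag, heuristics disabled locally, or mail that bypassed the filter); status=SOFTBOUNCE tells you the copy is still in the queue for inspection.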
Re: [Clamav-users] Unknown phishing email virus?
Jonas Jacobsson wrote:
> Hi,
>
> System: debian, clamav 0.93.3.dfsg-1, amavisd-new 1:2.6.1.dfsg-1.
>
> I got the following in my log running amavis and clamav. The virusdb was up to date when it happened (by freshclam). The receiver is an email address at my domain and the mail is directly forwarded to the hotmail address after the scan. The receiving server telling me it contains a virus is my ISP's smarthost which I must send via. When the ISP finds this virus mail, they will block my internet connection until I call their abuse department.
>
> I searched for Phishing.Heuristics.Email.SpoofedDomain in the clamav-virusdb archive, and it seems that it does not exist? Unfortunately I don't have the infected mail saved...

This is a heuristics based signature. It attempts to detect malicious links to financial sites.

Phishing is controlled in clamd.conf with:

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

As you can see, both options are enabled by default.

Some people (and possibly some package maintainers) think phish detection should not be part of an antivirus package, so they set
PhishingSignatures no

In the past, the heuristics based scanning was a major source of false positives, but that's much improved now (although this still accounts for the majority of FPs here, the number of FPs has reduced significantly). Some people or package maintainers may disable heuristic scanning with
PhishingScanURLs no

Maybe you're not scanning for phish.

> The same thing happens with Email.Trojan-2 (which does exist in the db), they are scanned and reported as CLEAN, but the ISP's smarthost blocks it due to the detected virus.

No insight on this one. Maybe the ISP received an update faster than you did. Maybe the mail didn't pass through your clam for some reason. Maybe you've set your amavisd-new to tag pass viruses rather than discard them.

> Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4, delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))

It appears the mail stayed in your queue, note status=SOFTBOUNCE. If your postfix maximal_queue_lifetime hasn't been reached yet, you can view the message with
# postcat -q F15EC8AC158

--
Noel Jones
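Added example (not from the reply or from ClamAV itself): a check for the two clamd.conf directives Noel points at. The trap it handles is that the shipped file carries both directives commented out, so a commented "#PhishingSignatures yes" means the default applies, while only an uncommented "PhishingScanURLs no" actually turns the heuristic off. The defaults used are the ones quoted in the reply; the sample config is constructed. Accepting true/false and 1/0 as well as yes/no is an assumption about the clamd parser.

```python
# Defaults as quoted from clamd.conf in the reply above.
PHISHING_DEFAULTS = {"PhishingSignatures": "yes", "PhishingScanURLs": "yes"}

# Constructed clamd.conf fragment: the stock commented block, plus one
# directive a package maintainer or admin has actually set.
SAMPLE_CLAMD_CONF = """\
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes
PhishingScanURLs no
"""


def effective_phishing_settings(conf_text):
    """Resolve the two phishing directives the way clamd will see them.

    Commented lines (including the '#Directive value' samples in the stock
    file) are ignored; an uncommented directive overrides the default, and a
    later occurrence overrides an earlier one.
    """
    settings = dict(PHISHING_DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in settings:
            settings[parts[0]] = parts[1].strip().lower()
    return settings


def disabled_phishing_checks(conf_text):
    """Names of phishing directives that are switched off in this config.

    Assumption: clamd accepts yes/no, true/false and 1/0 for boolean options.
    """
    off = ("no", "false", "0")
    return [k for k, v in effective_phishing_settings(conf_text).items() if v in off]


if __name__ == "__main__":
    print(effective_phishing_settings(SAMPLE_CLAMD_CONF))
    print("disabled:", disabled_phishing_checks(SAMPLE_CLAMD_CONF))
```

Run it against the clamd.conf the Debian package installed (typically under /etc/clamav/, which is an assumption about the packaging) before concluding that the signature "does not exist" locally.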