Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Kris Deugau
Alex wrote:
> Hi,
> 
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
> 
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
> 
> Why doesn't it display the signature with the above command?
> 
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?

The Heuristics* "signatures" aren't fixed signatures in the signature
files.  This particular one represents a link where the visible and
link-target domain are "too different", but only for high-risk domains
(eg banks).  I'm not sure where the list of domains to consider is kept.

To whitelist a specific match hit by this signature chase down the
mismatched domains as per Steve's message, and add a line to local.wdb, eg:

X:\.rbc\.com:www\.rbcroyalbank\.com

or

M:trk.cp20.com:bmo.com

I have yet to figure out why I have to use an X: line for some matches,
and an M: line for others;  I use one or the other depending on which
one I can get to actually work on a case-by-case basis.

-kgd
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Alex
On Tue, Aug 16, 2016 at 12:35 PM, Steve basford wrote:
> Try clamscan --debug 2>debug.log and I think that should show you a domain.

Ah yes, thanks. It appears it's marked it because the URLs were too different:

LibClamAV debug: Phishing: looking up in whitelist:
.click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list:
click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different

I'm not sure I'm ready to whitelist the rule just yet, however.

Thanks,
Alex


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Steve basford

Try clamscan --debug 2>debug.log and I think that should show you a domain.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 16 August 2016 17:32:31 Alex wrote:

> Hi,
>
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
>
> Why doesn't it display the signature with the above command?
>
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?
>
> Thanks,
> Alex





Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Reindl Harald



On 16.08.2016 at 18:31, Alex wrote:

> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
>
> Why doesn't it display the signature with the above command?
>
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?

I disabled them entirely because I have yet to see anything other than
false positives from those rules.





[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Alex
Hi,

I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
for capitaloneemail.com, but can't figure out how to use sigtool to
determine which actual domain it thinks was spoofed.

# sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
sigtool --decode-sigs
#

Why doesn't it display the signature with the above command?

How do I scan the quarantined message to find out exactly what
triggered this false positive?

Thanks,
Alex


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-26 Thread Alex
Hi,

On Tue, Aug 25, 2015 at 1:19 PM, Kevin Lin wrote:
> It's not necessary to whitelist the heuristic. If you choose to, you can
> whitelist the domain which can be done using a .wdb signature. There is
> documentation on how to write an entry in the phishsigs_howto.pdf document.

I think I managed to get it working. Much easier than I expected.

Given this debug output:

LibClamAV debug: Looking up hash 56C3...E7C44D36F0FB9028E16FE for urldefense.
proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB


Then there's this:

LibClamAV debug: Phishing: looking up in whitelist:
https://urldefense.proofpoint.com:http://www.bankofamerica.com;
host-only:0
LibClamAV debug: Looking up in regex_list:
https://urldefense.proofpoint.com:http://www.bankofamerica.com/

I've created a wdb rule that looks like this:

X:.+proofpoint\.com:.+bankofamerica\.com:17-

That appears to have solved the problem. I suppose I could be more
specific with my regex, but I think it's okay for now.

Thanks,
Alex
>
> -Kevin
>
> On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger  wrote:
>
>> On Aug 25, 2015, at 9:41 AM, Alex  wrote:
>> > Thanks very much. I've submitted an fp, but it appears to be the result
>> of this:
>> >
>> > LibClamAV debug: Looking up hash
>> > 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
>> > urldefense.
>> > proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
>> >
>> fyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane
>> >
>> 8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
>> > LibClamAV debug: Phishcheck:URL after cleanup:
>> > https://urldefense.proofpoint.com->http://www.bankofamerica.com
>> > LibClamAV debug: Phishing: looking up in whitelist:
>> > https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
>> > LibClamAV debug: Phishing: looking up in whitelist:
>> > .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
>> > LibClamAV debug: Looking up in regex_list:
>> > urldefense.proofpoint.com:www.bankofamerica.com/
>> > LibClamAV debug: Lookup result: not in regex list
>> > LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
>> different
>> > LibClamAV debug: found Possibly Unwanted:
>> > Heuristics.Phishing.Email.SpoofedDomain
>> >
>> > Looks like the proofpoint "secure URL" product has mangled the URL so
>> > badly that clamav can't decipher it?
>>
>> Actually, ClamAV recognized and decoded the URL spoofing just fine.
>> So they should be able to whitelist it without any special trouble.
>>
>> > In any case, how would I go about whitelisting either the sender
>> > and/or the email the next time this happens, so I don't have to wait
>> > for the sig team to perform an update?
>>
>> If Bank of America was my bank, I'd contact them and ask them to send
>> their own emails from their own domain rather than sending emails
>> which rather precisely resemble email spoofing attempts.
>>
>> If they declined, I'd find myself another bank who cared enough about email
>> and online security that they weren't outsourcing it to proofpoint.com <
>> http://proofpoint.com/>.
>>
>> Regards,
>> --
>> -Chuck
>>
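Kris's local.wdb lines earlier in the thread (X: records with regex fields, M: records with exact hostnames) and the `X:.+proofpoint\.com:.+bankofamerica\.com:17-` entry Alex settles on here can be sanity-checked offline against the real/displayed pair taken from the debug output before the rule goes into production. The following is an added example and not ClamAV's own code: it parses both record types, keeps backslash-escaped colons intact (as in Kris's `http\://ems1.aeroplan.com` entry from the 2014 messages further down), records the trailing FuncLevelSpec without enforcing it, and reports which record covers a pair. Its matching is a deliberate simplification (assumption): M: compares bare, lowercased hostnames, and X: runs the joined `real:displayed` regex as an unanchored search; ClamAV's own anchoring and host-only handling are those documented in phishsigs_howto, so a match here is a plausibility check, not a guarantee.

```python
"""Offline checker for ClamAV-style .wdb whitelist records (added example, not ClamAV code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WdbEntry:
    kind: str                      # "M" (exact hostnames) or "X" (regex over "real:displayed")
    real: str
    displayed: str
    flevel: Optional[str]          # trailing FuncLevelSpec such as "17-"; parsed, not enforced
    pattern: Optional[re.Pattern]  # compiled joined regex for X: records, None for M:


def split_fields(body: str) -> List[str]:
    """Split on ':' but keep backslash-escaped colons (e.g. 'http\\://host') inside a field."""
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # copy the escape and the escaped char verbatim
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_wdb(text: str) -> List[WdbEntry]:
    """Parse M:/X: records; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, body = line.partition(":")
        if kind not in ("M", "X"):
            raise ValueError(f"unsupported record type in {raw!r}")
        fields = split_fields(body)
        if len(fields) < 2:
            raise ValueError(f"need RealURL and DisplayedURL in {raw!r}")
        real, displayed = fields[0], fields[1]
        flevel = fields[2] if len(fields) > 2 else None
        pattern = re.compile(f"{real}:{displayed}") if kind == "X" else None
        entries.append(WdbEntry(kind, real, displayed, flevel, pattern))
    return entries


def hostname(url: str) -> str:
    """Reduce a URL, or a dotted host-only form like '.mi.capitalone.com', to a bare hostname."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    host = rest.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host.lower().strip(".")


def matching_entry(real_url: str, displayed_url: str, entries: List[WdbEntry]) -> Optional[WdbEntry]:
    """Return the first record covering the pair, or None (the pair stays flaggable)."""
    real_host, disp_host = hostname(real_url), hostname(displayed_url)
    joined = f"{real_url}:{displayed_url}"
    for e in entries:
        if e.kind == "M":
            if e.real.lower() == real_host and e.displayed.lower() == disp_host:
                return e
        elif e.pattern.search(joined):   # simplified: unanchored search (assumption)
            return e
    return None


# Constructed sample whitelist, assembled from the entries posted in this thread.
SAMPLE_WDB = r"""
# local.wdb (constructed sample)
X:\.rbc\.com:www\.rbcroyalbank\.com
M:trk.cp20.com:bmo.com
X:.+proofpoint\.com:.+bankofamerica\.com:17-
X:http\://ems1.aeroplan.com:tdcanadatrust.com
"""


def describe(real_url: str, displayed_url: str, wdb_text: str = SAMPLE_WDB) -> str:
    """Human-readable verdict for one real/displayed pair against the whitelist text."""
    hit = matching_entry(real_url, displayed_url, parse_wdb(wdb_text))
    if hit is None:
        return "no whitelist match"
    return f"matched {hit.kind}:{hit.real}:{hit.displayed}"


if __name__ == "__main__":
    for pair in [("https://urldefense.proofpoint.com", "http://www.bankofamerica.com"),
                 ("http://trk.cp20.com/c/abc", "bmo.com"),
                 ("https://click.capitaloneemail.com/x", "mi.capitalone.com")]:
        print(pair, "->", describe(*pair))
```

Note that the `host-only:1` lookups in the debug output quoted above carry a leading dot on both sides (`.urldefense.proofpoint.com:.www.bankofamerica.com`) while the `host-only:0` lookup carries the full URLs, so a regex written for one form may not fire on the other; checking the pair in both forms with this script shows which form a given X: record actually covers.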


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi,

> It's not necessary to whitelist the heuristic. If you choose to, you can
> whitelist the domain which can be done using a .wdb signature. There is
> documentation on how to write an entry in the phishsigs_howto.pdf document.

Whitelist the sending domain? Or the offending domain? Or which?

Are you talking about this URL or a component of it?

>> > urldefense.
>> > proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB

Thanks,
Alex


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi,

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger wrote:
> On Aug 25, 2015, at 9:41 AM, Alex  wrote:
>> Thanks very much. I've submitted an fp, but it appears to be the result of 
>> this:
>>
>> LibClamAV debug: Looking up hash
>> 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
>> urldefense.
>> proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
>> fyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane
>> 8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
>> LibClamAV debug: Phishcheck:URL after cleanup:
>> https://urldefense.proofpoint.com->http://www.bankofamerica.com
>> LibClamAV debug: Phishing: looking up in whitelist:
>> https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
>> LibClamAV debug: Phishing: looking up in whitelist:
>> .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
>> LibClamAV debug: Looking up in regex_list:
>> urldefense.proofpoint.com:www.bankofamerica.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted:
>> Heuristics.Phishing.Email.SpoofedDomain
>>
>> Looks like the proofpoint "secure URL" product has mangled the URL so
>> badly that clamav can't decipher it?
>
> Actually, ClamAV recognized and decoded the URL spoofing just fine.
> So they should be able to whitelist it without any special trouble.

So where did it become an FP, then?

>> In any case, how would I go about whitelisting either the sender
>> and/or the email the next time this happens, so I don't have to wait
>> for the sig team to perform an update?
>
> If Bank of America was my bank, I'd contact them and ask them to send
> their own emails from their own domain rather than sending emails
> which rather precisely resemble email spoofing attempts.

It's actually not bankofamerica.com that's doing it. It apparently was
the sender that mangled every domain in the email to precede it with
this urldefense crap.

Thanks,
Alex


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Kevin Lin
It's not necessary to whitelist the heuristic. If you choose to, you can
whitelist the domain which can be done using a .wdb signature. There is
documentation on how to write an entry in the phishsigs_howto.pdf document.

-Kevin

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger  wrote:

> On Aug 25, 2015, at 9:41 AM, Alex  wrote:
> > Thanks very much. I've submitted an fp, but it appears to be the result
> of this:
> >
> > LibClamAV debug: Looking up hash
> > 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
> > urldefense.
> > proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
> >
> fyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane
> >
> 8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
> > LibClamAV debug: Phishcheck:URL after cleanup:
> > https://urldefense.proofpoint.com->http://www.bankofamerica.com
> > LibClamAV debug: Phishing: looking up in whitelist:
> > https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
> > LibClamAV debug: Phishing: looking up in whitelist:
> > .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
> > LibClamAV debug: Looking up in regex_list:
> > urldefense.proofpoint.com:www.bankofamerica.com/
> > LibClamAV debug: Lookup result: not in regex list
> > LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
> different
> > LibClamAV debug: found Possibly Unwanted:
> > Heuristics.Phishing.Email.SpoofedDomain
> >
> > Looks like the proofpoint "secure URL" product has mangled the URL so
> > badly that clamav can't decipher it?
>
> Actually, ClamAV recognized and decoded the URL spoofing just fine.
> So they should be able to whitelist it without any special trouble.
>
> > In any case, how would I go about whitelisting either the sender
> > and/or the email the next time this happens, so I don't have to wait
> > for the sig team to perform an update?
>
> If Bank of America was my bank, I'd contact them and ask them to send
> their own emails from their own domain rather than sending emails
> which rather precisely resemble email spoofing attempts.
>
> If they declined, I'd find myself another bank who cared enough about email
> and online security that they weren't outsourcing it to proofpoint.com <
> http://proofpoint.com/>.
>
> Regards,
> --
> -Chuck
>


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Charles Swiger
On Aug 25, 2015, at 9:41 AM, Alex wrote:
> Thanks very much. I've submitted an fp, but it appears to be the result of 
> this:
> 
> LibClamAV debug: Looking up hash
> 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
> urldefense.
> proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
> fyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane
> 8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
> LibClamAV debug: Phishcheck:URL after cleanup:
> https://urldefense.proofpoint.com->http://www.bankofamerica.com
> LibClamAV debug: Phishing: looking up in whitelist:
> https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
> LibClamAV debug: Phishing: looking up in whitelist:
> .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
> LibClamAV debug: Looking up in regex_list:
> urldefense.proofpoint.com:www.bankofamerica.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted:
> Heuristics.Phishing.Email.SpoofedDomain
> 
> Looks like the proofpoint "secure URL" product has mangled the URL so
> badly that clamav can't decipher it?

Actually, ClamAV recognized and decoded the URL spoofing just fine.
So they should be able to whitelist it without any special trouble.

> In any case, how would I go about whitelisting either the sender
> and/or the email the next time this happens, so I don't have to wait
> for the sig team to perform an update?

If Bank of America was my bank, I'd contact them and ask them to send
their own emails from their own domain rather than sending emails
which rather precisely resemble email spoofing attempts.

If they declined, I'd find myself another bank who cared enough about email
and online security that they weren't outsourcing it to proofpoint.com.

Regards,
-- 
-Chuck



Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi,

On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin wrote:
> As a heuristic, the generation of this detection is a result of behavioral
> detection by the ClamAV engine and not by any particular database
> signature. Unfortunately, this effectively means that sigtool is unable to
> decode the signature as there is no signature associated with this
> detection.
>
> Luckily, it appears you can see the domain that causes the heuristic
> detection by running clamscan on the email with the "--debug" flag. The
> debug flag causes clamscan to log the domain checks to stderr and most
> likely terminates the scan once it detects the heuristic if
> "--heuristic-scan-precedence=yes" is set as well.
>
> Additionally, you can provide the false positive to
> http://www.clamav.net/report/report-fp.html.

Thanks very much. I've submitted an fp, but it appears to be the result of this:

LibClamAV debug: Looking up hash
5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
urldefense.
proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
fyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane
8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
LibClamAV debug: Phishcheck:URL after cleanup:
https://urldefense.proofpoint.com->http://www.bankofamerica.com
LibClamAV debug: Phishing: looking up in whitelist:
https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishing: looking up in whitelist:
.urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list:
urldefense.proofpoint.com:www.bankofamerica.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted:
Heuristics.Phishing.Email.SpoofedDomain

Looks like the proofpoint "secure URL" product has mangled the URL so
badly that clamav can't decipher it?

In any case, how would I go about whitelisting either the sender
and/or the email the next time this happens, so I don't have to wait
for the sig team to perform an update?

For now, I've whitelisted the whole
Heuristics.Phishing.Email.SpoofedDomain rule with an ign2 entry, but I
obviously don't want to keep that permanently.

I'm using postfix with amavisd-new and spamassassin on fedora.

Thanks,
Alex
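The debug lines Alex pastes here, and in the 2016 capitaloneemail.com message earlier on the page, carry everything needed to act on a hit: the real and displayed URLs of the lookup, the `host-only` form, whether the regex list matched, and the verdict. The following is an added example and not ClamAV tooling: it parses those line formats, groups them into one finding per `Phishing scan result` line, attaches the `found Possibly Unwanted` name that follows, and derives a candidate `M:` local.wdb record for the exact host pair. The sample log is the thread's own debug output reflowed onto single lines (constructed in that sense); the verdict string it keys on is the one seen in this thread, and whether to whitelist at all remains the judgement Alex and Kevin discuss above.

```python
"""Extract the real/displayed pair behind a SpoofedDomain hit from `clamscan --debug` output
(added example, not ClamAV code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RE_WHITELIST = re.compile(r"Phishing: looking up in whitelist: (?P<pair>.+?); host-only:(?P<ho>[01])\s*$")
RE_REGEXLIST = re.compile(r"Looking up in regex_list: (?P<pair>\S+)\s*$")
RE_RESULT = re.compile(r"Phishing scan result: (?P<verdict>.+?)\s*$")
RE_FOUND = re.compile(r"found Possibly Unwanted: (?P<name>\S+)")
MISMATCH_VERDICT = "URLs are way too different"   # the verdict string quoted in this thread


@dataclass
class Finding:
    real_url: str
    displayed_url: str
    real_host: str
    displayed_host: str
    verdict: str
    detection: Optional[str] = None   # filled from the following "found Possibly Unwanted" line
    regex_list_miss: bool = False     # True when "Lookup result: not in regex list" was logged

    def proposed_wdb_line(self) -> Optional[str]:
        """Candidate M: record for the exact host pair; None unless the verdict was the mismatch one."""
        if self.verdict != MISMATCH_VERDICT:
            return None
        return f"M:{self.real_host}:{self.displayed_host}"


def split_pair(pair: str) -> Tuple[str, str]:
    """Split 'real:displayed' at the first ':' that is not the '://' of a URL scheme."""
    m = re.match(r"^(?P<real>.*?):(?!//)(?P<disp>.*)$", pair)
    if not m:
        raise ValueError(f"not a real:displayed pair: {pair!r}")
    return m.group("real"), m.group("disp")


def bare_host(value: str) -> str:
    """Hostname from a URL, a dotted host-only form ('.host') or a regex_list key ('host/')."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", value)
    return rest.split("/", 1)[0].split("@")[-1].split(":", 1)[0].lower().strip(".")


def parse_debug_log(text: str) -> List[Finding]:
    """One Finding per 'Phishing scan result' line, built from the lookups logged before it."""
    findings: List[Finding] = []
    ctx: Dict[str, Tuple[str, str]] = {}   # lookups seen since the last verdict, by form
    miss = False
    for line in text.splitlines():
        m = RE_WHITELIST.search(line)
        if m:
            ctx["host_only" if m.group("ho") == "1" else "full"] = split_pair(m.group("pair"))
            continue
        m = RE_REGEXLIST.search(line)
        if m:
            ctx["regex_list"] = split_pair(m.group("pair"))
            continue
        if "Lookup result: not in regex list" in line:
            miss = True
            continue
        m = RE_RESULT.search(line)
        if m:
            # Prefer the full-URL lookup for the URLs and the regex_list key for the bare hosts.
            real, disp = ctx.get("full") or ctx.get("host_only") or ctx.get("regex_list") or ("", "")
            rh, dh = ctx.get("regex_list") or (real, disp)
            findings.append(Finding(real, disp, bare_host(rh), bare_host(dh),
                                    m.group("verdict"), regex_list_miss=miss))
            ctx, miss = {}, False
            continue
        m = RE_FOUND.search(line)
        if m and findings and findings[-1].detection is None:
            findings[-1].detection = m.group("name")
    return findings


# Constructed sample: the debug lines quoted in this thread, reflowed onto single lines.
SAMPLE_DEBUG_LOG = """\
LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list: urldefense.proofpoint.com:www.bankofamerica.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
LibClamAV debug: Phishing: looking up in whitelist: .click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list: click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
"""


if __name__ == "__main__":
    for f in parse_debug_log(SAMPLE_DEBUG_LOG):
        print(f"{f.real_host} -> {f.displayed_host}: {f.verdict} ({f.detection})")
        print("  candidate local.wdb line:", f.proposed_wdb_line())
```

Run against a real capture with `clamscan --debug message.eml 2> debug.log` (the redirection Steve suggests in the 2016 messages) and feed the file contents to `parse_debug_log`. The second finding in the sample has no detection name because the 2016 excerpt stopped at the verdict line; the parser leaves `detection` as `None` rather than guessing.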


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Kevin Lin
As a heuristic, the generation of this detection is a result of behavioral
detection by the ClamAV engine and not by any particular database
signature. Unfortunately, this effectively means that sigtool is unable to
decode the signature as there is no signature associated with this
detection.

Luckily, it appears you can see the domain that causes the heuristic
detection by running clamscan on the email with the "--debug" flag. The
debug flag causes clamscan to log the domain checks to stderr and most
likely terminates the scan once it detects the heuristic if
"--heuristic-scan-precedence=yes" is set as well.

Additionally, you can provide the false positive to
http://www.clamav.net/report/report-fp.html.

-Kevin

On Tue, Aug 25, 2015 at 6:36 AM, Alex wrote:

> Hi,
>
> I have an email with an apparent false-positive spoofed domain. How
> can I determine what domain it is that clamscan thinks is spoofed and
> correct it?
>
> I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to
> decode a false-positive, but no signature or other details are given.
>
> Thanks,
> Alex


[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi,

I have an email with an apparent false-positive spoofed domain. How
can I determine what domain it is that clamscan thinks is spoofed and
correct it?

I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to
decode a false-positive, but no signature or other details are given.

Thanks,
Alex


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Al Varnell
OK, I guess that will work, but I don’t think it’s formatted exactly right and 
as I said before I think an “M:” whitelist record is more appropriate here.

At any rate, I suggest you upload it to  
using the "Send a false positive report” form so that other users can benefit 
from this finding.

-Al-

On Mon, Jul 14, 2014 at 11:37 AM, Kris Deugau wrote:
> 
> Al Varnell wrote:
>> You have certainly found the correct pair as your message is still showing 
>> up immediately as infected here.
> 
> ... and here, too;  I wondered why my message hadn't shown up in my
> clamav mail folder...
> 
>> Heuristics detections are accomplished by the engine, not a specific 
>> signature.
> 
> *nod*
> 
>> The line you found in daily.hdb identifies this as one of several hundred 
>> mostly financial institutions that are analyzed by the heuristics engine for 
>> hyperlinks that do not route the user to a web site the same or a 
>> specifically associated URL.
> 
> Ah, OK.
> 
>> I’m not sure why a --debug run didn’t show this.  You should see the words 
>> "Phishcheck:" and/or "cli_magic_scandesc:” somewhere around those domains, 
>> as I always do when I run across such FP’s.
> 
> *nod* On re-re-rechecking several times (clamscan --debug  |grep -i phish), I noticed this:
> 
> Phishcheck:Checking url http://www.w3.org/TR/html4/DTD/strict.dtd";>->
> 
> (which I'm pretty sure wasn't showing the first five or six times I
> tried) but no entry for the tdcanadatrust.com link.  Checking again now,
> that link is found too.  I'm not sure what changed, other than the fact
> that the message file is now in a subdirectory.  O_o
> 
> In any case, I've confirmed the FP link and added a daily.wdb:
> 
> X:http\://ems1.aeroplan.com:tdcanadatrust.com

-Al-
-- 
Al Varnell
Mountain View, CA




___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Kris Deugau
Al Varnell wrote:
> You have certainly found the correct pair as your message is still showing up 
> immediately as infected here.

... and here, too;  I wondered why my message hadn't shown up in my
clamav mail folder...

> Heuristics detections are accomplished by the engine, not a specific 
> signature.

*nod*

>  The line you found in daily.hdb identifies this as one of several hundred 
> mostly financial institutions that are analyzed by the heuristics engine for 
> hyperlinks that do not route the user to a web site the same or a 
> specifically associated URL.

Ah, OK.

> I’m not sure why a --debug run didn’t show this.  You should see the words 
> "Phishcheck:" and/or "cli_magic_scandesc:” somewhere around those domains, as 
> I always do when I run across such FP’s.

*nod* On re-re-rechecking several times (clamscan --debug  |grep -i phish), I noticed this:

Phishcheck:Checking url http://www.w3.org/TR/html4/DTD/strict.dtd";>->

(which I'm pretty sure wasn't showing the first five or six times I
tried) but no entry for the tdcanadatrust.com link.  Checking again now,
that link is found too.  I'm not sure what changed, other than the fact
that the message file is now in a subdirectory.  O_o

In any case, I've confirmed the FP link and added a daily.wdb:

X:http\://ems1.aeroplan.com:tdcanadatrust.com


-kgd


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Al Varnell
You have certainly found the correct pair as your message is still showing up 
immediately as infected here.

Heuristics detections are accomplished by the engine, not a specific signature. 
 The line you found in daily.hdb identifies this as one of several hundred 
mostly financial institutions that are analyzed by the heuristics engine for 
hyperlinks that do not route the user to a web site the same or a specifically 
associated URL.  In this case tdcanadatrust.com has not been associated with 
aeroplan.com by using an “M:” whitelist database record.

I’m not sure why a --debug run didn’t show this.  You should see the words 
"Phishcheck:" and/or "cli_magic_scandesc:” somewhere around those domains, as I 
always do when I run across such FP’s.


-Al-
-- 
Al Varnell
Mountain View, CA

On Mon, Jul 14, 2014 at 08:55 AM, Kris Deugau wrote:
> 
> I just came across a FP report for a hit from
> Heuristics.Phishing.Email.SpoofedDomain.
> 
> On checking the message by hand, it no longer triggers this test, either
> on my desktop test/dev system running 0.98.4, or on the production
> servers running 0.97.6.
> 
> Examining the message by hand, the best guess I can make about the
> triggering URL is:



> All of the other links point to the same subdomain/host;  most with
> non-URI visible text, and the few that show a domain in the visible text
> are all aeroplan.com.
> 
> I dug into the upstream signature files to see if I could identify the
> whitelist/skip entry that is now allowing this legitimate message
> through - the only remotely relevant entry seems to be this:
> 
> daily.cld:H:tdcanadatrust.com
> 
> (Which I can't quite match to the signature-creating docs - H: entries
> seem to require an additional field.)
> 
> I also noticed that --debug output from clamscan doesn't even seem to
> show *any* checking of URIs in the message.  Rescanning an older FP
> whitelisted locally showed quite a few URIs checked, so I don't have
> this accidentally disabled.
> 
> It's good that this FP is no longer happening but I'd like to know for
> sure what it fired on in the first place, and what change from upstream
> fixed the FP.


[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Kris Deugau
I just came across a FP report for a hit from
Heuristics.Phishing.Email.SpoofedDomain.

On checking the message by hand, it no longer triggers this test, either
on my desktop test/dev system running 0.98.4, or on the production
servers running 0.97.6.

Examining the message by hand, the best guess I can make about the
triggering URL is:

<a href="http://ems1.aeroplan.com/a/l.x?redacted"
style="text-decoration:underline; color:#FF5C00;">tdcanadatrust.com/preauthorizedpayments</a>

All of the other links point to the same subdomain/host;  most with
non-URI visible text, and the few that show a domain in the visible text
are all aeroplan.com.

I dug into the upstream signature files to see if I could identify the
whitelist/skip entry that is now allowing this legitimate message
through - the only remotely relevant entry seems to be this:

daily.cld:H:tdcanadatrust.com

(Which I can't quite match to the signature-creating docs - H: entries
seem to require an additional field.)

I also noticed that --debug output from clamscan doesn't even seem to
show *any* checking of URIs in the message.  Rescanning an older FP
whitelisted locally showed quite a few URIs checked, so I don't have
this accidentally disabled.

It's good that this FP is no longer happening but I'd like to know for
sure what it fired on in the first place, and what change from upstream
fixed the FP.

-kgd
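Al Varnell's description above of how the engine works (a list of several hundred mostly financial domains, and a hit when a link's visible text names one of them while the href goes to a site that is neither the same nor a specifically associated one) and the `H:tdcanadatrust.com` entry and link Kris quotes can be put together as a small model. The following is an added example, not ClamAV's code: it collects `<a href>`/visible-text pairs from an HTML body, treats `H:` records as the protected displayed domains and `M:` records as the declared associations, and reports why each link passed or was flagged. Assumptions: the registered domain is approximated by the last two labels (a production implementation needs the public suffix list), and the sample message, `H:` line and `M:` line are constructed from the domains discussed in this thread.

```python
"""Model of the displayed-vs-target domain check behind Heuristics.Phishing.Email.SpoofedDomain
(added example, not ClamAV code)."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple

DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    return rest.split("/", 1)[0].split("@")[-1].split(":", 1)[0].lower()


def registered_domain(host: str) -> str:
    """Last two labels (assumption: adequate for the .com hosts here; real code needs the PSL)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def displayed_domain(text: str) -> Optional[str]:
    """Hostname a reader sees in the link text, or None for non-URI text such as 'Click here'."""
    m = DOMAIN_IN_TEXT.search(text)
    return m.group(1).lower() if m else None


def load_protected(hdb_text: str) -> Set[str]:
    """Displayed domains to scrutinise, from 'H:domain' records like the daily.cld entry above."""
    return {line[2:].strip().lower() for line in hdb_text.splitlines() if line.startswith("H:")}


def load_associations(wdb_text: str) -> Set[Tuple[str, str]]:
    """(real host, displayed host) pairs declared legitimate by 'M:real:displayed' records."""
    pairs = set()
    for line in wdb_text.splitlines():
        if line.startswith("M:"):
            real, disp = line[2:].split(":")[:2]
            pairs.add((real.lower(), disp.lower()))
    return pairs


@dataclass
class LinkVerdict:
    href: str
    text: str
    status: str   # same-domain | associated | spoofed-domain | not-protected | no-visible-domain


def check_links(html: str, protected: Set[str], associations: Set[Tuple[str, str]]) -> List[LinkVerdict]:
    """Flag links whose visible text names a protected domain while the href targets a different,
    unassociated domain; every other link is reported with the reason it passed."""
    collector = AnchorCollector()
    collector.feed(html)
    verdicts = []
    for href, text in collector.links:
        shown, real_host = displayed_domain(text), host_of(href)
        if shown is None:
            status = "no-visible-domain"
        elif registered_domain(shown) == registered_domain(real_host):
            status = "same-domain"
        elif registered_domain(shown) not in protected and shown not in protected:
            status = "not-protected"
        elif (real_host, shown) in associations:
            status = "associated"
        else:
            status = "spoofed-domain"
        verdicts.append(LinkVerdict(href, text, status))
    return verdicts


# Constructed sample message, modelled on the aeroplan.com / tdcanadatrust.com link in this thread.
SAMPLE_HTML = """
<p>Pre-authorized payments: <a href="http://ems1.aeroplan.com/a/l.x?redacted"
   style="text-decoration:underline; color:#FF5C00;">tdcanadatrust.com/preauthorizedpayments</a></p>
<p><a href="http://ems1.aeroplan.com/a/l.x?home">aeroplan.com</a></p>
<p><a href="http://ems1.aeroplan.com/a/l.x?offer">Click here</a></p>
<p><a href="http://trk.example.net/q">news.example.org</a></p>
"""
SAMPLE_HDB = "H:tdcanadatrust.com\n"                     # constructed, daily.cld-style H: record
SAMPLE_WDB = "M:ems1.aeroplan.com:tdcanadatrust.com\n"   # constructed, the association that clears it


def statuses(html: str, hdb_text: str, wdb_text: str) -> List[str]:
    return [v.status for v in check_links(html, load_protected(hdb_text), load_associations(wdb_text))]


if __name__ == "__main__":
    print("without association:", statuses(SAMPLE_HTML, SAMPLE_HDB, ""))
    print("with M: record:     ", statuses(SAMPLE_HTML, SAMPLE_HDB, SAMPLE_WDB))
```

The first link is flagged only because its visible text names a protected domain; the fourth link has the same kind of mismatch but is reported as `not-protected`, which is the behaviour Al describes (only the listed institutions are analysed). Adding the `M:` association is what turns the first verdict into `associated`.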