Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 4:51 PM, Maarten Broekman via clamav-users wrote: https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Maarten Broekman via clamav-users
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create a file "good_urls.wdb" in the same directory as the existing ClamAV database files and put in an appropriate line to handle the domains

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 11:47 AM, G.W. Haywood via clamav-users wrote: Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Kris Deugau
joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd will print a message indicating the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/13/2022 7:27 PM, Mathieu Morier via clamav-users wrote: Yea for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format  ) and it’s working. For 

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Yea for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it’s working. For Heuristics.Phishing.Email.SpoofedDomain it’s not an « ignore list » but an « allow list » of real URL and display URL that you want to allow. echo

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote: Looks like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically changed ... Don't get me started. ... links to ... hit the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
For now I have done that and it works!
echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb
systemctl restart clamd
But it will be great if Desjardins rules are on the

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Hi, Looks like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically changed to https://can01.safelinks.protection.outlook.com with a long string. So all the links to desjardins.com

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 30 May 2022, Mathieu Morier via clamav-users wrote: desjardins.com is a Québec Canada Coop Bank Institution and for a couple weeks, all their email to our email server has been flagged by my CLAM for Heuristics.Phishing.Email.SpoofedDomain ... They probably did

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread Mathieu Morier via clamav-users
Hi, desjardins.com is a Québec Canada Coop Bank Institution and for a couple weeks, all their email to our email server has been flagged by my CLAM for Heuristics.Phishing.Email.SpoofedDomain . It might be something in the signature of their email. But it’s starting to be

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-17 Thread lukn
Hi You cannot whitelist a sender in ClamAV. Whitelisting happens in the software that calls ClamAV. The alternative is to disable spoofing checks in ClamAV configuration. They're not enabled by default, so if your ClamAV checks spoofing, then someone enabled it on purpose. As Al already

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread Al Varnell
It's my experience that the Heuristics.Phishing.Email.SpoofedDomain engine checks URLs to make sure the hyperlink actually takes you to a site related to what the text shows. I'm not aware of any public information on whitelisting these, but do know it can be done by adding an x- or m- entry in

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread Tristan Goguen
Hi, We are looking for documentation that will help us "whitelist" a sender's email. Thank you for any suggestions. Wed Aug 8 07:37:00 2018 -> Message w78BaxBt005717 from to <> with subject 'RE: ' message-id '<8q3v8vqrv8bva5u46f6qy0mf.1533728212...@email.android.com>' date 'Wed, 8 Aug 2018

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-03-02 Thread Vincent Fox
Comment about this feature, which I've never turned on before. I flipped it on, for a single mail router in a pool of 9. Over the course of a day and MANY messages, it tripped for only 4 messages, all of which seem legit. So I'm turning it back off.

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-03 Thread Alex
Hi, The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H:domain It looks like I only have daily.cld. Can you explain what you mean here?
cd /tmp
sigtool --unpack-current=daily
there you find what you have Or you can

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Alex
Hi, running clamscan --debug against the file. http://www.tdcanadatrust.com/tdvisa/agreements appears several times in the body of the message but links to http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc; M=1L=2v=4. Ah, thanks. I should have known that. In this case it

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Benny Pedersen
On 2014-02-02 18:43, Alex wrote: The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H:domain It looks like I only have daily.cld. Can you explain what you mean here?
cd /tmp
sigtool --unpack-current=daily
there you find what

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Al Varnell
On Sun, Feb 02, 2014 at 10:41 AM, Benny Pedersen wrote: On 2014-02-02 18:43, Alex wrote: The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H:domain It looks like I only have daily.cld. Can you explain what you mean here?
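The messages in these threads describe three pieces that decide whether Heuristics.Phishing.Email.SpoofedDomain fires: the hostname shown in a link's text is compared with the hostname in its href, the check is only evaluated for the H: domains carried in daily.pdb, and a .wdb allow list (M:RealHostname:DisplayedHostname, or X:RealURL:DisplayedURL with regular expressions) exempts specific real/displayed pairs. The following is an added example, not ClamAV source, that models those rules over a constructed HTML message. Everything in it is constructed for illustration: the three H: lines stand in for daily.pdb, the local.wdb content is the M: line from the thread plus a hypothetical X: line written in the style of the documented format, and the matching rules (exact host comparison for M:, full regex match on host+path+query for X:, a naive two-label "registrable domain") are simplifications of what libclamav does. It shows which links are allowed by which entry and which one is still flagged.

```python
"""Model of the SpoofedDomain check plus a .wdb allow list (added example,
not ClamAV code; matching rules are simplified, see the lead-in)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the H: lines of daily.pdb (the real file lists many more).
SAMPLE_PDB = """\
H:desjardins.com
H:rbc.com
H:tdcanadatrust.com
"""

# Constructed local.wdb: the M: line from the thread plus a hypothetical X: regex
# line (Safe Links wrapper shown as any rbc.com URL). No ':' allowed inside patterns.
SAMPLE_WDB = r"""
M:can01.safelinks.protection.outlook.com:www.desjardins.com
X:.+\.safelinks\.protection\.outlook\.com([/?].*)?:.+\.rbc\.com([/?].*)?
"""

# Constructed HTML body with the link shapes discussed in the thread.
SAMPLE_EMAIL = """\
<html><body>
<p><a href="https://can01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.desjardins.com%2F&amp;data=05%7C01">www.desjardins.com</a></p>
<p><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rbc.com%2Flogin">https://www.rbc.com/login</a></p>
<p><a href="http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc">www.tdcanadatrust.com/tdvisa/agreements</a></p>
<p><a href="https://bank-login.example/">Click here to sign in</a></p>
<p><a href="https://tracker.example/c?id=1">www.shop.example</a></p>
</body></html>
"""

URL_TEXT = re.compile(r"^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


def load_pdb_hosts(text):
    """Set of lower-cased domains taken from H: lines."""
    return {ln[2:].strip().lower() for ln in text.splitlines() if ln.startswith("H:")}


def load_wdb(text):
    """Parse M:/X: lines into (kind, real, displayed); trailing fields are ignored."""
    rules = []
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln:
            continue
        fields = ln.split(":")
        if len(fields) < 3 or fields[0] not in ("M", "X"):
            raise ValueError("unsupported wdb line: " + ln)
        rules.append((fields[0], fields[1], fields[2]))
    return rules


def split_url(s):
    """(hostname, hostname+path+query) for a URL or bare hostname, scheme dropped."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlparse(s)
    host = (p.hostname or "").lower()
    return host, host + p.path + ("?" + p.query if p.query else "")


def registrable(host):
    """Naive 'registrable domain': last two labels (no public-suffix list, an assumption)."""
    return ".".join(host.split(".")[-2:])


def allowed_by(rules, real_url, displayed):
    """True if some wdb rule exempts this (real, displayed) pair."""
    real_host, real_full = split_url(real_url)
    disp_host, disp_full = split_url(displayed)
    for kind, real_pat, disp_pat in rules:
        if kind == "M":  # hostnames only, compared exactly
            if real_host == real_pat.lower() and disp_host == disp_pat.lower():
                return True
        elif re.fullmatch(real_pat, real_full, re.I) and re.fullmatch(disp_pat, disp_full, re.I):
            return True  # X: regexes over host+path+query
    return False


def verdict(real_url, displayed, pdb_hosts, rules):
    """'ok', 'allowed' or 'SpoofedDomain' for one <a href=real_url>displayed</a>."""
    if not URL_TEXT.match(displayed):
        return "ok"  # anchor text is not a URL: nothing to compare
    real_host, _ = split_url(real_url)
    disp_host, _ = split_url(displayed)
    if registrable(disp_host) not in pdb_hosts:
        return "ok"  # heuristic is only evaluated for H: domains
    if registrable(real_host) == registrable(disp_host):
        return "ok"
    return "allowed" if allowed_by(rules, real_url, displayed) else "SpoofedDomain"


class LinkExtractor(HTMLParser):
    """Collect (href, text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_html(html, pdb_hosts, rules):
    """[(href, text, verdict), ...] for all links in an HTML body."""
    ex = LinkExtractor()
    ex.feed(html)
    return [(h, t, verdict(h, t, pdb_hosts, rules)) for h, t in ex.links]


if __name__ == "__main__":
    for href, text, v in scan_html(SAMPLE_EMAIL, load_pdb_hosts(SAMPLE_PDB), load_wdb(SAMPLE_WDB)):
        print(f"{v:14} {text!r:45} -> {href}")
```

Running it shows the Desjardins link passed by the M: entry, the RBC link passed by the X: entry, the aeroplan.com tracking link that displays a tdcanadatrust.com URL still flagged, and the two links whose displayed text is not a URL or not an H: domain never evaluated. One caveat worth keeping in mind when adding the M: line from the thread: it compares hostnames only, so once the Safe Links host is paired with www.desjardins.com, any Safe Links wrapped link that displays www.desjardins.com passes, whatever target is encoded in its url= parameter. If that is too broad for your site, test a narrower X: pattern against a sample message with clamscan before relying on it.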

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Jan 31, 2014, at 5:26 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here:

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Alex
Hi, On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell alvarn...@mac.com wrote: On Jan 31, 2014, at 5:26 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Feb 1, 2014, at 1:44 PM, Alex mysqlstud...@gmail.com wrote: Hi, On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell alvarn...@mac.com wrote: On Jan 31, 2014, at 5:26 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Alex
Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here: http://pastebin.com/S7XkCg9a Any ideas greatly appreciated. LibClamAV debug:

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Feb 1, 2014, at 3:01 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here:

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-01-31 Thread Alex
Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here: http://pastebin.com/S7XkCg9a Any ideas greatly appreciated. Thanks, Alex