At 04:12 PM 8/24/2007, John W. Baxter wrote:

> Daily sigs: 4054; main 44. ClamAv 0.91.2-1
>
> Installed on CentOS-4.5 from Dag's packages. Freshly updated via the
> packages from the ancient 0.90-2 (also Dag's).
>
> Called via pyclamav (rebuilt to matching libclamav) in our own code.
>
> One sample: what looks like a proper Netflix shipping notice, which reached
> us from an IP that Netflix claims in their SPF record. Reported as
> Phishing.Heuristics.Email.SpoofedDomain
Note that Phishing.Heuristics.Email.SpoofedDomain is not signature-based, so this likely doesn't have anything (directly) to do with the daily database version; rather, clam has detected an intentionally spoofed link in a legit mail. But if you submit the false-positive message, it can be fixed in a future exceptions entry.

I've found Phishing.Heuristics.Email.* to have a significant false-positive rate. For me this seems to happen most often in legit marketing mail; apparently marketing guys like to use a link labeled one thing that really points somewhere else. But it also catches real phish here, so I keep using it.

If you use this option you need to have some sort of quarantine and the ability to release the false-positive mail, or use something like amavisd-new that can change defined virus names into a couple of points for SpamAssassin rather than outright blocking.

Also note that these false positives are not true false positives, in the sense that there really is a spoofed domain in the email.

And yes, you found the right clamd.conf knob to disable this if you want to go that route:

# turn off heuristic phishing detection
PhishingScanURLs no

-- 
Noel Jones

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
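The "link labeled one thing that really points somewhere else" pattern described above, as an added illustration that is not ClamAV's own heuristic code: a small Python checker that compares the domain shown in an anchor's visible text with the domain its href actually resolves to, which is the kind of mismatch that would make a legit marketing mail look spoofed. The two-label registered_domain() simplification and the sample mail are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname-looking token inside an anchor's visible text (optional scheme).
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registered_domain(host):
    # Simplification (assumption): last two labels; a public-suffix list
    # would be needed to handle e.g. co.uk correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def spoofed_links(html):
    """Return (shown_host, real_host) for anchors whose visible text names
    a domain other than the one the href actually points to."""
    p = _AnchorCollector()
    p.feed(html)
    hits = []
    for href, text in p.links:
        m, real = HOST_RE.search(text), urlparse(href).hostname
        if not m or not real:
            continue  # label is plain words ("Help") or href is not a URL
        if registered_domain(m.group(1)) != registered_domain(real):
            hits.append((m.group(1), real))
    return hits
# Constructed sample: a marketing-style mail whose link label shows the
# brand's own domain but whose href goes through a third-party click tracker.
SAMPLE = """<p>Your order shipped.</p>
<a href="http://click.example.net/r?id=1">www.example.com/account</a>
<a href="https://www.example.com/help">Help</a>
<a href="https://www.example.com/help">https://www.example.com/help</a>"""

if __name__ == "__main__":
    print(spoofed_links(SAMPLE))  # [('www.example.com', 'click.example.net')]
```

Only the first anchor is reported: its label shows the brand domain while the href goes to the tracker; a plain-word label or a label that matches the href's domain is left alone.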