At 09:26 AM 9/19/2007, Jan-Pieter Cornet wrote:

> Since we're treating clamav's detected phishes as spam, instead of
> rejecting them (what we do with regular malware), we noticed that
> the heuristic detection causes lots of false positives: in only a
> few samples I detected legitimate paypal mails (and I know it's
> legit because it's DomainKeys signed), and mails to the lockergnome
> mailinglist.
>
> I have now disabled the heuristic by setting "PhishingScanURLs no".
>
> Is anyone actually using this to reject mails on a large production
> environment, without getting serious complaints about false positives?
> (we're doing 5-10 million mails a day, could be that we're seeing
> more false positives due to the high volume)
>
> --
> Jan-Pieter Cornet <[EMAIL PROTECTED]>
I think it would be insane to reject or discard mail based on "PhishingScanURLs yes" on anything bigger than a home/hobby server because of the high false positive rate. A significant percentage (I'm guessing 10% or more) of the "Phishing.Heuristics.*" detections here are false, which I then release from quarantine and submit to the signature team as a false positive. This is in contrast to the rest of the clamav detections, which have a FP rate approaching zero percent.

It's probably important to note that these aren't strictly "false positives", as the messages invariably contain some sort of funky URL redirect that triggers the detection. Most of the false positives I see are "marketing" type messages from various legit companies. Apparently being on a sales team causes one to like using questionable URL redirects.

I've thought about turning this feature off several times, but the volume here isn't so big that it's a burden (yet), and I like to think I'm helping others by submitting the FPs.

--
Noel Jones

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
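Both posters describe the same policy: reject mail on a regular ClamAV malware hit, but treat a "Phishing.Heuristics.*" hit as a spam signal (score plus quarantine) rather than a hard reject, because the heuristic's false-positive rate is too high for rejection. The script below is an added example, not code from either poster or from the ClamAV project. It parses clamd-style scan response lines ("<target>: <signature> FOUND" or "<target>: OK") and applies that split policy. The sample response lines are constructed for the example; the spam-score weight and the quarantine/reject action names are assumptions for a local filter, not ClamAV settings.

```python
"""Map clamd scan results to a mail-filter action.

Policy taken from the thread: ordinary malware detections are rejected,
while heuristic phishing hits (Phishing.Heuristics.*) only add to the
spam score and go to quarantine for human review, since a noticeable
share of them are legitimate marketing mail using odd URL redirects.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Dict

# clamd answers SCAN/INSTREAM requests with "<target>: <signature> FOUND"
# or "<target>: OK"; this pattern covers both forms.
_RESULT_RE = re.compile(r"^(?P<target>.+?): (?:(?P<sig>.+) FOUND|OK)$")

# Prefix of ClamAV's heuristic phishing signatures (the ones the thread
# reports as noisy). Signatures produced by PhishingScanURLs fall here.
HEURISTIC_PREFIX = "Phishing.Heuristics."

# Assumed local tuning value: points added to the spam score for a
# heuristic phishing hit. Not a ClamAV default.
HEURISTIC_SPAM_POINTS = 3.0


@dataclass(frozen=True)
class Verdict:
    action: str               # "deliver", "quarantine" or "reject"
    spam_score: float         # points to add to the message's spam score
    signature: Optional[str]  # ClamAV signature name, if any


def parse_clamd_line(line: str) -> Tuple[str, Optional[str]]:
    """Return (target, signature) from one clamd response line.

    signature is None when the line reports a clean scan (\"OK\").
    Raises ValueError on anything that is not a recognised response.
    """
    m = _RESULT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised clamd response: {line!r}")
    return m.group("target"), m.group("sig")


def decide(line: str) -> Verdict:
    """Apply the split policy from the thread to one clamd response line."""
    _, sig = parse_clamd_line(line)
    if sig is None:
        return Verdict("deliver", 0.0, None)
    if sig.startswith(HEURISTIC_PREFIX):
        # High false-positive class: score it and hold it, never reject.
        return Verdict("quarantine", HEURISTIC_SPAM_POINTS, sig)
    # Everything else (signature-based malware) is rejected outright.
    return Verdict("reject", 0.0, sig)


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count verdicts per action over a batch of clamd response lines."""
    counts: Dict[str, int] = {"deliver": 0, "quarantine": 0, "reject": 0}
    for line in lines:
        counts[decide(line).action] += 1
    return counts


# Constructed sample responses in clamd's output format. The signature
# names follow ClamAV's naming scheme; the targets are made-up stream ids.
SAMPLE_RESPONSES = [
    "stream: OK",
    "stream: Phishing.Heuristics.Email.SpoofedDomain FOUND",
    "stream: Eicar-Test-Signature FOUND",
    "stream: OK",
    "stream: Phishing.Heuristics.Email.SpoofedDomain FOUND",
]

if __name__ == "__main__":
    for line in SAMPLE_RESPONSES:
        v = decide(line)
        print(f"{line:60s} -> {v.action} (+{v.spam_score})")
    print(summarize(SAMPLE_RESPONSES))
```

Quarantined heuristic hits are the ones to review and, as Noel describes, release and report back to the signature team when they turn out to be legitimate; a reject path would have bounced them to the sender with no chance of review.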