Hello,

I have a site that once in a while sends e-mail alerts about new book
reviews published on the site.

Recently I noticed that some Dutch e-mail servers were rejecting the
review alert messages because the site IP address was listed in VirBL.

I tracked down the issue and found that ClamAV was marking the messages
as Phishing, specifically Phishing.Heuristics.Email.SpoofedDomain.

I tested the message and isolated the HTML excerpt that seemed to
trigger that classification. If I remove it, the message passes all
ClamAV tests.

Here follows the relevant excerpt (already decoded from the original
quoted-printable message part).

<a href="http://www.phpclasses.org/reviews/order/1593271204.html"><img
src="http://images.amazon.com/images/P/1593271204.01.MZZZZZZZ.jpg"
width="121" height="160" border="1"/></a>

This is a picture of the book cover from Amazon with a link to a page on
the site that lets the user choose among the several Amazon
stores that sell the book.

What I would like to know is why this is considered Phishing?

What characterizes Phishing.Heuristics.Email.SpoofedDomain classification?

What can I do to avoid such classification?

-- 

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
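
Added example, not part of the original message and not ClamAV's code: a pre-send check for outgoing HTML mail that lists anchors whose href host differs from the host of a URL shown inside the anchor (URL-like link text or a nested img src). That this mismatch is what the SpoofedDomain heuristic reacts to is an assumption; the names host, AnchorAudit and audit are hypothetical, and SAME_HOST is a constructed sample.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host(url):
    """Lower-cased host of an absolute http(s) URL, or None."""
    parts = urlsplit(url.strip())
    return parts.hostname if parts.scheme in ("http", "https") else None

class AnchorAudit(HTMLParser):
    """Record (href host, shown host, kind) for each mismatching anchor."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href = None    # host of the anchor currently open, if any
        self.text = []      # visible text collected inside that anchor
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href, self.text = host(attrs.get("href") or ""), []
        elif tag == "img" and self.href:
            self._compare(host(attrs.get("src") or ""), "img-src")

    def handle_data(self, data):
        if self.href:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            shown = "".join(self.text).strip()
            # Compare only link text that itself looks like a URL or host name.
            if shown and " " not in shown and "." in shown:
                url = shown if "://" in shown else "http://" + shown
                self._compare(host(url), "text")
            self.href = None

    def _compare(self, shown_host, kind):
        if shown_host and shown_host != self.href:
            self.findings.append((self.href, shown_host, kind))

def audit(html):
    """Return the list of host mismatches found in an HTML body."""
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Excerpt from the message above.
EXCERPT = ('<a href="http://www.phpclasses.org/reviews/order/1593271204.html"><img\n'
           'src="http://images.amazon.com/images/P/1593271204.01.MZZZZZZZ.jpg"\n'
           'width="121" height="160" border="1"/></a>')
# Constructed sample: cover image served from the same host as the link.
SAME_HOST = '<a href="http://www.phpclasses.org/r.html"><img src="http://www.phpclasses.org/c.jpg"/></a>'
```

audit(EXCERPT) reports the www.phpclasses.org link wrapping an images.amazon.com image, while audit(SAME_HOST) reports nothing.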