On Thu, Feb 21, 2008 at 07:49:27PM -0300, Manuel Lemos wrote:
> I have site that once in a while sends e-mail alerts about new book
> reviews published in the site.
>
> Recently I noticed that some Dutch e-mail servers were rejecting the
> review alert messages because the site IP address was listed in VirBL.

That's pretty bad. VirBL shouldn't add phishing sites to their DB. I'll try to contact the VirBL maintainers about this.

> I tracked down the issue and found that ClamAV was marking the messages
> as Phishing, specifically Phishing.Heuristics.Email.SpoofedDomain.
>
> I tested the message and isolated the HTML excerpt that seemed to
> trigger that classification. If I removed it, the message passes all
> ClamAV tests.
>
> Here follows the relevant excerpt (already decoded from the original
> quoted-printable message part).
>
> <a href="tpph:||www.phpclasses.org/reviews/order/1593271204.html"><img
> src="tpph:||images.amazon.com/images/P/1593271204.01.MZZZZZZZ.jpg"
> width="121" height="160" border="1"/></a>
>
> This is a picture of the book cover from Amazon with a link to a page in
> the site that lets the user choose from which of the several Amazon
> stores that sell the book.

Ehm, first, it probably wasn't a very good idea to include a piece of verbatim text that triggers a false positive. Your email was likely rejected at those places that use the same filtering :) Because of this, I've mangled the HTML a bit so it likely passes the detection now.

That said... Phishing.Heuristics.* signatures are, as it says, heuristic signatures, not triggered by any rules, but by heuristics. It can be turned off by adding this line to your clamd.conf:

    PhishingScanURLs no

I don't know what exact rules this uses to trigger on. It's likely some combination of the domain of the "visible" part, versus the domain of the real target of the link, combined with a list of "vulnerable" domains that are likely to cause phishing. I think that amazon.com is on that list, and the heuristics code doesn't like you linking to some external site based on an amazon image. You can probably avoid the issue by putting the image on your own server, or on www.phpclasses.org in this case, so the image and target point to the same domain.

That said, operators who leave this setting enabled on production servers deserve what they get. Leaving the Phishing.Heuristics.* enabled causes a staggering amount of false positives that, in my opinion, are certainly not worth the tiny fraction of phishes that manage to come through, combined with all other filters we have. Anyone who actually cares about delivering valid email to their users should switch this off.

> What I would like to know is why is this considered Phishing?
>
> What characterizes Phishing.Heuristics.Email.SpoofedDomain classification?
>
> What can I do to avoid such classification?

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
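As an added example, not part of the thread and not ClamAV's own heuristic code: a pre-send check a newsletter operator can run over outgoing HTML to flag the pattern the reply above suspects Phishing.Heuristics.Email.SpoofedDomain reacts to, an image hosted on one domain wrapped in a link to another. The sample HTML is constructed from the excerpt in the thread with the mangled scheme restored to http, and the registrable-domain helper is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the excerpt in the thread: one linked image
# served from amazon.com inside a link to phpclasses.org (the suspected trigger),
# and one where image and link share a domain (the suggested fix).
SAMPLE_HTML = """
<p>New review published.</p>
<a href="http://www.phpclasses.org/reviews/order/1593271204.html"><img
src="http://images.amazon.com/images/P/1593271204.01.MZZZZZZZ.jpg"
width="121" height="160" border="1"/></a>
<a href="http://www.phpclasses.org/reviews/"><img
src="http://www.phpclasses.org/covers/1593271204.jpg"/></a>
"""


def registrable_domain(url: str) -> str:
    """Last two host labels, e.g. www.phpclasses.org -> phpclasses.org.
    Simplification: does not handle suffixes like co.uk (assumed acceptable here)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class LinkedImageCollector(HTMLParser):
    """Collect (href, img_src) pairs for every <img> nested inside an <a>."""

    def __init__(self) -> None:
        super().__init__()
        self._current_href = None
        self.pairs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current_href = a["href"]
        elif tag == "img" and self._current_href and a.get("src"):
            self.pairs.append((self._current_href, a["src"]))

    def handle_endtag(self, tag):
        if tag == "a":
            self._current_href = None


def find_domain_mismatches(html: str):
    """Return (link_domain, image_domain) for each linked image whose link
    target and image source live on different registrable domains."""
    collector = LinkedImageCollector()
    collector.feed(html)
    mismatches = []
    for href, src in collector.pairs:
        link_dom, img_dom = registrable_domain(href), registrable_domain(src)
        if link_dom != img_dom:
            mismatches.append((link_dom, img_dom))
    return mismatches
```

Run it over a rendered message before sending; an empty result means every linked image and its target share a domain, which is the layout the reply recommends.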