Hello,

on 02/22/2008 12:23 PM Jan-Pieter Cornet said the following:
>> I tracked down the issue and found that ClamAV was marking the messages
>> as Phishing, specifically Phishing.Heuristics.Email.SpoofedDomain.
>>
>> I tested the message and isolated the HTML excerpt that seemed to
>> trigger that classification. If I removed it, the message passes all
>> ClamAV tests.
>>
>> Here follows the relevant excerpt (already decoded from the original
>> quoted-printable message part).
>>
>> <a href="tpph:||www.phpclasses.org/reviews/order/1593271204.html"><img
>> src="tpph:||images.amazon.com/images/P/1593271204.01.MZZZZZZZ.jpg"
>> width="121" height="160" border="1"/></a>
>>
>> This is a picture of the book cover from Amazon with a link to a page in
>> the site that lets the user choose from which of the several Amazon
>> stores that sell the book.
> 
> Ehm, first, it probably wasn't a very good idea to include a piece of
> verbatim text that triggers a false positive. Your email was likely
> rejected at those places that use the same filtering :)

Right, that possibility did not cross my mind. Anyway, this is an
HTML problem and my message was text only, so maybe the message was not
filtered.


> Because of this, I've mangled the HTML a bit so it likely passes the
> detection now.

I see.


> That said... Phishing.Heuristics.* signatures are, as it says, heuristic
> signatures, not triggered by any rules, but by heuristics. It can
> be turned off by adding this line to your clamd.conf:
>     PhishingScanURLs no

I see, but I do not have any control over the people who are using ClamAV
and are rejecting the site messages with this problem.


> I don't know what exact rules this uses to trigger on. It's likely
> some combination of the domain of the "visible" part, versus the domain
> of the real target of the link, combined with a list of "vulnerable"
> domains that are likely to cause phishing. I think that amazon.com
> is on that list, and the heuristics code doesn't like you linking
> to some external site based on an amazon image.

I think a real phishing scam is a really objective thing. So I think
that should not be detected with heuristics.

It happens when the link text points to a different domain than the link
URL.

The link in the message had no URL in the text. I had an image that has
a source URL but that is not seen by the user as link text. That is why
I think it should have never been confused with a real phishing scam.


> You can probably avoid the issue by putting the image on your own
> server, or on www.phpclasses.org in this case, so the image and target
> point to the same domain.

For now, I have removed the link from this image. It was not important.
The link is now showing for text, not images.

My problem is to figure out all other types of newsletters that may trigger
a phishing rule inadvertently.


> That said, operators who leave this setting enabled on production
> servers deserve what they get. Leaving the Phishing.Heuristics.*
> enabled causes a staggering amount of false positives that, in my
> opinion, are certainly not worth the tiny fraction of phishes that
> manage to come through, combined with all other filters we have.
> 
> Anyone who actually cares about delivering valid email to their
> users, should switch this off.

Maybe, but from the reactions that I observed in people, they really
take phishing alerts as something as bad as a virus. Actually, it seemed
like they did not know that it was not really a virus.

Telling, for instance, the VirBL people that our server could not be sending
virus or phishing scam messages because the server is running Linux and
it is secured, etc. will not help us, because they have a FAQ stating
that a secure server may still be sending viruses by copying messages when
bouncing those sent to addresses that do not exist. They wrote this
in their FAQ:

http://virbl.bit.nl/faq.php

> My mailserver is listed, but it is impossible that it is infected with a
> virus.
> Your mailserver is probably listed because of bounces. If someone sends
> a virus to a nonexistent user in your domain, your mailserver will
> probably bounce the message back to the (forged) sender. If your bounces
> include the full body of the original message, a bounce will include the
> original virus. These bounces are just as harmful as the original virus
> itself. We advise mailserver administrators to configure their
> mailservers not to include bodies when bouncing.

This made me spend a lot of time figuring out if my server could be bouncing
infected messages anyhow, because the VirBL site tells if an IP is
listed but does not show the evidence, which I think is not a good
policy, as it is like making a public accusation without showing the proof.



-- 

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
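The thread describes the heuristic as a comparison between the domain the reader "sees" and the real target of the link, and disagrees over whether an image-only link should count. The following is an added example, not ClamAV's code or the list's own material: a simplified check in that spirit, run against the excerpt quoted above (its "tpph:||" mangling is assumed to have replaced "http://"), against a constructed variant with the image served from the linked site, and against a constructed link whose visible text is a URL on another host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not ClamAV's code: a simplified check in the spirit of the
# heuristic the thread describes. An <a> is flagged when its target host differs
# from the host the reader "sees" (a URL in the link text, or an image's src).
def _host(url):
    h = urlsplit(url.strip()).hostname
    return h.lower() if h else None

class _Anchors(HTMLParser):
    # Collects (href, visible text, image srcs) for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = [a["href"], "", []]
        elif tag == "img" and self._cur and a.get("src"):
            self._cur[2].append(a["src"])  # self-closing <img/> lands here too
    def handle_data(self, data):
        if self._cur:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append(tuple(self._cur))
            self._cur = None

def spoofed_domains(html):
    """Return (target_host, displayed_host) pairs whose hosts disagree."""
    p = _Anchors()
    p.feed(html)
    hits = []
    for href, text, imgs in p.links:
        target = _host(href)
        # hosts "shown" to the reader: URLs spelled out in the link text (the
        # classic phishing pattern) plus the origin of any image forming the link
        shown = [_host(u) for u in re.findall(r"https?://\S+", text)]
        shown += [_host(s) for s in imgs]
        hits += [(target, d) for d in shown if target and d and d != target]
    return hits

# The excerpt quoted in the thread (layout attributes dropped), with the
# "tpph:||" mangling reversed to "http://", assumed to be the original scheme:
NEWSLETTER = ('<a href="tpph:||www.phpclasses.org/reviews/order/1593271204.html"><img '
              'src="tpph:||images.amazon.com/images/P/1593271204.01.MZZZZZZZ.jpg"/></a>').replace("tpph:||", "http://")
# Constructed: image served from the linked site, as suggested in the thread
SAME_HOST = NEWSLETTER.replace("images.amazon.com/images/P", "www.phpclasses.org/covers")
# Constructed: link text shows one host while the href goes to another
MISMATCHED_TEXT = '<a href="http://example.invalid/">http://www.amazon.com/</a>'
```

`spoofed_domains(NEWSLETTER)` reports the phpclasses.org/amazon.com pair, `spoofed_domains(SAME_HOST)` reports nothing, which is the fix suggested in the thread.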