Hi.

One of our users has subscribed to a mailing list all mails from which
are classified by ClamAV as "Phishing.Heuristics.Email.SpoofedDomain".

After some googling and experimentally changing various parts of the
mail I discovered that the problem is in an HTML link where
    href="http://tinyurl.com/626yap";
but the visible text of the link is "Security Books at Amazon.com".

The link is OK because tinyurl in this case redirects the user to Amazon.com
to the specific page with security books. But it is recognized as phishing
by ClamAV.

I understand that the heuristic is based on a search for HTML links
where the visible and real targets of the link are different.
It's a nice idea. But with tinyurl.com it is likely to produce
false positives.

To be precise, I discovered that not all such links are classified
as phishing. For example, when Amazon.com is replaced by Amazon.cz,
it is OK. But Amazon.de is again recognized as phishing.
And Amazon.com. (with a dot after com) is OK.
Perhaps there is a list of "sensitive" visible targets?

I don't want to switch all the phishing heuristics off
because they catch some real phishing mails and I want those to be caught.
On the other hand, I want the above-mentioned mailing list to pass
through our server.

Is there any possibility to have some sort of a local whitelist
for the phishing heuristics in ClamAV?
Or should I try to "solve" it in MimeDefang, from which I call ClamAV?

I have reported one of those mails as a false positive. Also, a week ago
a problem of Phishing.Heuristics.Email.SpoofedDomain was mentioned in this
list, but the problem remains. So I am trying to find at least a local
solution.

Finally, a suggestion for the heuristics in the next version of ClamAV:
If the real target of the link is tinyurl.com, get the target of
the redirection from the tinyurl.com server and compare it with
the visible part of the link. If the redirected URL has the same domain
as the visible link, it is not an indication of phishing.

Have a nice day
Jiri Demel
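The heuristic as the post describes it (compare the domain in the visible anchor text with the domain in the href), with the two mitigations the post asks about added on top: a local allowlist of (real, displayed) domain pairs and a redirect-resolution step. This is an added Python example, not ClamAV's or MimeDefang's code; the redirect table and the Amazon URL it maps tinyurl.com/626yap to are constructed stand-ins for a real HTTP lookup, and ClamAV's own phishing whitelist database (.wdb) is a separate mechanism not shown here.

```python
import re
from urllib.parse import urlparse

# <a href="...">visible text</a>
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Something hostname-like inside the visible text, e.g. "Amazon.com" or "www.paypal.com/login"
HOST_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)

# Constructed stand-in for an online redirect lookup (hypothetical target URL).
# A real resolver would issue a HEAD request and read the Location header.
REDIRECTS = {"http://tinyurl.com/626yap": "http://www.amazon.com/s?k=security+books"}

# Example local allowlist of (real domain, displayed domain) pairs the admin trusts.
ALLOWLIST = frozenset({("tinyurl.com", "amazon.com")})

def registered_domain(host: str) -> str:
    """Crude 'last two labels' domain: fine for .com/.de, too naive for co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def displayed_host(text: str):
    """Hostname the reader sees in the anchor text, or None if there is none."""
    m = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
    return m.group(1).lower() if m else None

def check_link(href: str, text: str, allowlist=frozenset(), resolve=False) -> str:
    """Classify one anchor: 'ok', 'allowlisted', 'redirect-ok' or 'spoofed'."""
    real, shown = urlparse(href).hostname, displayed_host(text)
    if not real or not shown:
        return "ok"                      # no hostname visible: heuristic does not apply
    real_dom, shown_dom = registered_domain(real), registered_domain(shown)
    if real_dom == shown_dom:
        return "ok"
    if (real_dom, shown_dom) in allowlist:
        return "allowlisted"             # local exception, as the post asks for
    if resolve and real_dom == "tinyurl.com":
        target = urlparse(REDIRECTS.get(href, "")).hostname
        if target and registered_domain(target) == shown_dom:
            return "redirect-ok"         # the post's suggested improvement
    return "spoofed"

def scan_html(html: str, **opts):
    """Run check_link over every anchor in an HTML body."""
    return [(href, check_link(href, text, **opts)) for href, text in ANCHOR_RE.findall(html)]
```

Running `scan_html` on the mail from the post with default options reproduces the false positive; passing `allowlist=ALLOWLIST` or `resolve=True` lets it through while an unrelated mismatch still comes back as "spoofed".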


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
