On 2008-08-01 16:40, Jiri Demel wrote:
> Hi.
>
> One of our users has subscribed to a mailing list all mails from which
> are classified by ClamAV as "Phishing.Heuristics.Email.SpoofedDomain".
>
> After some googling and experimental changing various parts of the
> mail I discovered that the problem is in html link where
>     href="http://tinyurl.com/626yap";
> but the visible text of the link is "Security Books at Amazon.com".
>
> The link is OK because tinyurl in this case redirects the user to Amazon.com
> to the specific page with security books. But it is recognized as phishing
> by ClamAV.
>
> I understand that the heuristics is based on search for html links
> where the visible and real targets of the link are different.
> It's a nice idea. But with tinyurl.com it is likely to produce
> false positives.
>
> To be precise, I discovered that not all such links are classified
> as phishing. For example when Amazon.com is replaced by Amazon.cz,
> it is OK. But Amazon.de is again recognized as phishing.
> And Amazon.com. (with a dot after com) is OK.
> Perhaps, there is a list of "sensitive" visible targets?
>
> I don't want to switch all the phishing heuristics off
> because it catches some real phishings and I want them to be caught.
> On the other hand I want the above mentioned mailing list to pass
> through our server.
>
> Is there any possibility to have some sort of a local whitelist
> for the phishing heuristics in ClamAV?
> Or should I try to "solve" it in MimeDefang from which I call ClamAV?
>

You can create a local.wdb file, and add an entry like:
M:tinyurl.com:amazon.com

But that would allow a phishing site that uses tinyurl to bypass.

> I have reported one of those mails as a false positive. Also, a week ago
> a problem of Phishing.Heuristics.Email.SpoofedDomain was mentioned in this
> list, but the problem remains. So I am trying to find at least a local 
> solution.
>
> Finally, a suggestion for the heuristics in next version of clamav:
> If the real target of the link is tinyurl.com, get the target of
> the redirection from the tinyurl.com server and compare it with
> the visible part of the link. If the redirected url has the same domain
> as the visible link, it is not indication of phishing.

That would seriously slow down clamav, because it would need to make a
TCP connection for each URL encountered in the email.

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
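As an added illustration for this thread (not code from the list, from Jiri or from ClamAV), the following is a simplified model of the check discussed above: the visible text of an HTML link is compared with the real target domain, and a mismatch is suppressed only by a whitelist in the M:real-domain:displayed-domain shape Edwin gives for local.wdb. The matching rules here are an approximation for teaching, not ClamAV's actual logic (which, as Jiri notes, does not flag every mismatch); the whitelist content and the sample HTML are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LOCAL_WDB = "M:tinyurl.com:amazon.com\n"  # constructed; M:real-domain:displayed-domain as in the reply
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # hostname-ish token in link text


def parse_wdb(text):
    """Collect (real, displayed) domain pairs from M: lines; comments and other lines are skipped."""
    return {tuple(l.split(":", 2)[1:]) for l in text.lower().splitlines() if l.strip().startswith("m:")}


def registrable(host):
    """Crude 'last two labels' domain (www.amazon.com -> amazon.com); no public-suffix handling."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML part of a mail."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def check_links(html, wdb_text=LOCAL_WDB):
    """Return [(href, text, verdict)]; verdict is ok, whitelisted or spoofed-domain."""
    allowed, parser = parse_wdb(wdb_text), _Anchors()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        real, match = registrable(urlparse(href).hostname or ""), HOST_RE.search(text)
        if not real or not match:  # no hostname in the visible text: nothing to compare
            verdict = "ok"
        elif (shown := registrable(match.group(1))) == real:
            verdict = "ok"
        elif (real, shown) in allowed:  # mismatch, but locally whitelisted
            verdict = "whitelisted"
        else:
            verdict = "spoofed-domain"  # visible and real targets differ
        results.append((href, text, verdict))
    return results
```

Running check_links on the tinyurl/Amazon.com link from the thread returns "whitelisted" with the entry above and "spoofed-domain" with an empty whitelist, which is exactly the trade-off Edwin points out: the entry also silences a genuine tinyurl-to-lookalike phish.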