I submitted what I considered to be a FP on

   Phishing.Heuristics.Email.SpoofedDomain

   Submission-ID: 7705854
   Sender: Me
   Submission notes: not a false positive
   Added: No

which was not considered a FP.  The code below is what triggered the 
detection (I hope this passes the list and shows up correctly):

<img src=3D"http://cbimages.ed4.net/harrahs/3991_226618.gif"; 
width=3D"32=" height=3D"174" alt=3D""></td>
<td><span style=3D"color:#000000; font-size:14px; font-family:Arial, 
Helvetica, sans-serif">SEARS has the brand names everyone knows and 
loves - from hardware to house wares to home electronics.  With over 
2,000 convenient locations nationwide, Sears has an incredible selection 
with something for everyone!  For your convenience, you can also shop 
online at <A 
href=3D"http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=3DKEY=3D_urlid__-730367%26EDID=3D_edid__";
 
id=3D"link_12"><font color=3D"#000000">www.sears.com</font></a>.<br>

and debug output:

LibClamAV debug: Phishcheck:Checking url 
http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=KEY=_urlid__-730367%26EDID=_edid__->www.sears.com
LibClamAV debug: Phishcheck:URL after cleanup: 
http://click.harrahs-marketing.com->www.sears.com
LibClamAV debug: Phishing: looking up in whitelist: 
http://click.harrahs-marketing.com:www.sears.com; host-only:0
LibClamAV debug: Phishcheck:host:.www.sears.com
LibClamAV debug: Phishcheck:host:.click.harrahs-marketing.com
LibClamAV debug: Phishing: looking up in whitelist: 
.click.harrahs-marketing.com:.www.sears.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too 
different
LibClamAV debug: found Possibly Unwanted: 
Phishing.Heuristics.Email.SpoofedDomain
virus-t3OEREsBZjFW: Phishing.Heuristics.Email.SpoofedDomain FOUND

The redirector from harrahs-marketing.com to sears.com is not a surprise 
to the reader as the preceding text clearly indicates "SEARS".  While 
I'm no fan of advertisements, shouldn't this be considered for 
whitelisting?  Does Clam seem a little simplistic and naive in its 
SpoofedDomain phishing heuristic?

Mike
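
The comparison visible in the debug output above (reduce the href to its host, look up the real:displayed pair in an allow list, then compare the two hosts), as an added Python example that is not part of the original post and is not ClamAV's code. The names `check`, `registrable` and `AnchorCollector`, the last-two-labels comparison and the shortened sample input are assumptions made for illustration.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the quoted-printable HTML in the post (path shortened).
SAMPLE_QP = (b'shop online at <A href=3D"http://click.harrahs-marketing.com/r/'
             b'1U3JI8/h?a=3DKEY" id=3D"link_12"><font color=3D"#000000">'
             b'www.sears.com</font></a>.<br>')

# Link text only takes part in the check when it looks like a host or URL.
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?].*)?$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Assumption: naive last-two-labels; real code needs a public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def check(qp_bytes, allow_pairs=frozenset()):
    """Return (real_host, displayed_host, verdict) for each URL-like link text."""
    html = quopri.decodestring(qp_bytes).decode("utf-8", "replace")
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown_m, real = HOSTLIKE.match(text), urlsplit(href).hostname
        if not shown_m or not real:
            continue  # display text is not URL-like: nothing to compare
        shown = shown_m.group(1).lower()
        verdict = ("allowed" if (real, shown) in allow_pairs
                   else "match" if registrable(real) == registrable(shown)
                   else "mismatch")
        findings.append((real, shown, verdict))
    return findings
```

Passing the pair `("click.harrahs-marketing.com", "www.sears.com")` in `allow_pairs` turns the verdict for the sample from `mismatch` into `allowed`, which is the effect the whitelisting request in the post asks for.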