At 4:03 PM -0700 4/29/09, MrC wrote:
>I submitted what I considered to be a FP on
>
>    Phishing.Heuristics.Email.SpoofedDomain
>
>    Submission-ID: 7705854
>    Sender: Me
>    Submission notes: not a false positive
>    Added: No
>
>which was not considered a FP.  The code below is what triggered the
>detection (I hope this passes the list and shows up correctly):
>
><img src="http://cbimages.ed4.net/harrahs/3991_226618.gif";
>width="32" height="174" alt=""></td>
><td><span style="color:#000000; font-size:14px; font-family:Arial,
>Helvetica, sans-serif">SEARS has the brand names everyone knows and
>loves - from hardware to house wares to home electronics.  With over
>2,000 convenient locations nationwide, Sears has an incredible selection
>with something for everyone!  For your convenience, you can also shop
>online at <A
>href="http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=KEY=_urlid__-730367%26EDID=_edid__";
>id="link_12"><font color="#000000">www.sears.com</font></a>.<br>
>
>and debug output:
>
>LibClamAV debug: Phishcheck:Checking url
>http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=KEY=_urlid__-730367%26EDID=_edid__->www.sears.com
>LibClamAV debug: Phishcheck:URL after cleanup:
>http://click.harrahs-marketing.com->www.sears.com
>LibClamAV debug: Phishing: looking up in whitelist:
>http://click.harrahs-marketing.com:www.sears.com; host-only:0
>LibClamAV debug: Phishcheck:host:.www.sears.com
>LibClamAV debug: Phishcheck:host:.click.harrahs-marketing.com
>LibClamAV debug: Phishing: looking up in whitelist:
>.click.harrahs-marketing.com:.www.sears.com; host-only:1
>LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
>different
>LibClamAV debug: found Possibly Unwanted:
>Phishing.Heuristics.Email.SpoofedDomain
>virus-t3OEREsBZjFW: Phishing.Heuristics.Email.SpoofedDomain FOUND
>
>The redirector from harrahs-marketing.com to sears.com is not a surprise
>to the reader as the preceding text clearly indicates "SEARS".  While
>I'm no fan of advertisements, shouldn't this be considered for
>whitelisting?  Does Clam seem a little simplistic and naive in its
>SpoofedDomain phishing heuristic?


Mike,

All I have to say, not being part of the clamav team, is that I hope all 
marketers get away from obfuscating URLs.

That said, there is so much of this in marketing and outsourced 
emails from legitimate business that I think that "heuristic" should 
only be used in concert with bondedsender, dnswl.org, 
anti-spam.org.cn, iadb.isipp.com and habeas.

We score each "heuristic" differently and whitelist early, thus not 
usually getting a FP.

Tom
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
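For readers who want to see what the SpoofedDomain heuristic is actually comparing, here is a small added Python example (mine, not ClamAV's code) that walks the same steps the LibClamAV debug output above shows: pull each anchor's href and visible text out of the HTML, reduce both to a bare host ("URL after cleanup"), compare the domains, and consult a whitelist of (real host, displayed host) pairs before raising a verdict. The sample HTML, the `WHITELIST` set and its format, and the "last two labels" approximation of a registrable domain are all my own assumptions for illustration; a production checker would use the Public Suffix List, and ClamAV's own whitelist format is documented in its manual.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed whitelist of (real host, displayed host) pairs. This mirrors the
# idea of the "looking up in whitelist: real:display; host-only:1" step in the
# debug output; the representation here is my own, not ClamAV's file format.
WHITELIST = {
    ("click.harrahs-marketing.com", "www.sears.com"),
}

# Matches visible link text that looks like a URL or bare domain name.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I)


def hostname(text):
    """Return the lowercase host from a URL or bare domain, or None if the
    text is not domain-like (e.g. 'Click here')."""
    text = text.strip()
    if "://" in text:
        host = urlsplit(text).hostname
        return host.lower() if host else None
    m = DOMAIN_RE.match(text)
    return m.group(1).lower() if m else None


def registrable(host):
    """Crude 'last two labels' registrable-domain approximation (assumption:
    a real implementation would consult the Public Suffix List)."""
    parts = host.strip(".").split(".")
    return ".".join(parts[-2:])


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, including text
    nested inside child tags such as <font>."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def check_anchor(href, text, whitelist=WHITELIST):
    """Classify one link: the display text only matters when it itself looks
    like a domain, which is exactly the case the heuristic is aimed at."""
    real = hostname(href)
    shown = hostname(text)
    if real is None or shown is None:
        return "not-a-domain-link"
    if registrable(real) == registrable(shown):
        return "same-domain"
    if (real, shown) in whitelist:
        return "whitelisted"
    return "spoofed-domain"


def scan_html(html, whitelist=WHITELIST):
    p = AnchorCollector()
    p.feed(html)
    return [(href, text, check_anchor(href, text, whitelist))
            for href, text in p.anchors]


# Constructed sample modelled on the fragment quoted in the thread, plus three
# extra anchors to show the other verdicts.
SAMPLE = (
    '<A href="http://click.harrahs-marketing.com/r/1U3JI8/h?a=KEY" id="link_12">'
    '<font color="#000000">www.sears.com</font></a> '
    '<a href="http://www.example.com/login">Click here</a> '
    '<a href="http://tracker.example.net/x">www.sears.com</a> '
    '<a href="http://www.sears.com/">sears.com</a>'
)

if __name__ == "__main__":
    for href, text, verdict in scan_html(SAMPLE):
        print(f"{verdict:18s} {text.strip()!r:20s} -> {href}")
```

Running it prints one line per anchor: the Harrahs redirector is reported as `whitelisted` only because of the constructed whitelist entry; remove that pair and it falls through to `spoofed-domain`, which is the verdict the thread is discussing. The `Click here` anchor is ignored entirely, since the heuristic only fires when the visible text itself names a domain.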
