On 2009-08-14 19:25, Len Conrad wrote: > ---------- Original Message ---------------------------------- > From: "Len Conrad" <lcon...@go2france.com> > Reply-To: ClamAV users ML <clamav-users@lists.clamav.net> > Date: Fri, 14 Aug 2009 15:53:44 +0200 > > >> All my users' headline alerts from NYTIMES.com got blocked for: >> >> status=VIRUS:Phishing.Heuristics.Email.SpoofedDomain >> >> ... this filter also catching true positives, so we'd like to keep it. >> >> In the man pages for clamd and clamsmtpd, I can't find any doc on >> whitelisting, although clamsmtpd console logs "empty" for 3 lists at start >> up. >> >> thanks >> Len >> > > I found Ralph's blog page for moving sig's to local.ign, but grep can't find > the sig that's giving us FPs: > > Phishing.Heuristics.Email.SpoofedDomain
Whitelisting heuristic phishing signatures is done using a .wdb file. Or you can submit the raw email as a false positive so we can whitelist it. Best regards, --Edwin _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
