I just came across a FP report for a hit from
Heuristics.Phishing.Email.SpoofedDomain.

On checking the message by hand, it no longer triggers this test, either
on my desktop test/dev system running 0.98.4, or on the production
servers running 0.97.6.

Examining the message by hand, the best guess I can make about the
triggering URL is:

<a href="http://ems1.aeroplan.com/a/l.x?redacted";
style="text-decoration:underline; color:#FF5C00;"><font
color="#FF5C00">tdcanadatrust.com/preauthorizedpayments</font></a>

All of the other links point to the same subdomain/host; most with
non-URI visible text, and the few that show a domain in the visible text
are all aeroplan.com.

I dug into the upstream signature files to see if I could identify the
whitelist/skip entry that is now allowing this legitimate message
through - the only remotely relevant entry seems to be this:

daily.cld:H:tdcanadatrust.com

(Which I can't quite match to the signature-creating docs - H: entries
seem to require an additional field.)

I also noticed that --debug output from clamscan doesn't even seem to
show *any* checking of URIs in the message.  Rescanning an older FP
whitelisted locally showed quite a few URIs checked, so I don't have
this accidentally disabled.

It's good that this FP is no longer happening but I'd like to know for
sure what it fired on in the first place, and what change from upstream
fixed the FP.

-kgd
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
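To make concrete what a displayed-domain versus real-domain check fires on in a link like the one quoted in the message above, here is an added Python example. It is not ClamAV's code and not the poster's: it is a simplified model of the heuristic that parses each <a> element, compares the host in href= with a hostname visible in the link text, treats non-URI link text as unable to spoof anything, and skips (real host, displayed host) pairs present in a whitelist set. The sample message is constructed for the example and only modelled on the quoted link; the two-label `registered_domain()` approximation and the whitelist shape are assumptions of the example.

```python
"""Simplified model of a displayed-domain vs. real-domain phishing check.

Added example, not ClamAV code: it parses <a> tags, compares the host in
href= against a hostname appearing in the visible link text, and skips
(real_host, displayed_host) pairs found in a whitelist set.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the link quoted in the message above
# (the query string and surrounding text are invented for the example).
CONSTRUCTED_MESSAGE = """
<p>Your Aeroplan statement</p>
<a href="http://ems1.aeroplan.com/a/l.x?id=1" style="color:#FF5C00"><font
color="#FF5C00">tdcanadatrust.com/preauthorizedpayments</font></a>
<a href="http://ems1.aeroplan.com/a/l.x?id=2">View your account</a>
<a href="http://ems1.aeroplan.com/a/l.x?id=3">aeroplan.com</a>
"""

# A hostname-looking token at the start of the visible text, optional scheme.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element, including text
    nested in child tags such as <font>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Hostname a reader would see in the link text, or None if the text
    is not URI-like (e.g. 'View your account')."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain
    (an assumption of this example; real checks need a suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def spoofed_links(html, whitelist=frozenset()):
    """Return (real_host, displayed_host) pairs where the visible text names
    a different domain from the href target and the pair is not whitelisted."""
    parser = LinkExtractor()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        shown = displayed_host(text)
        if not real or shown is None:
            continue  # non-URI link text cannot spoof a domain
        if registered_domain(real) == registered_domain(shown):
            continue  # same site, e.g. ems1.aeroplan.com vs aeroplan.com
        if (real, shown) in whitelist:
            continue  # known-legitimate pairing of real and displayed host
        hits.append((real, shown))
    return hits


if __name__ == "__main__":
    print(spoofed_links(CONSTRUCTED_MESSAGE))
    print(spoofed_links(CONSTRUCTED_MESSAGE,
                        {("ems1.aeroplan.com", "tdcanadatrust.com")}))
```

Run stand-alone, the first call reports the aeroplan.com link whose visible text names tdcanadatrust.com, while the "View your account" and "aeroplan.com" links are ignored; the second call shows that a whitelist pairing of exactly that real host and displayed host silences the hit, which is the effect one would look for when tracing why a previously flagged message no longer triggers.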