Hi, I use libclamav for email filtering, and wonder how to handle these cases.
Although spammy, that newsletter appears to be fully legitimate. It originated from sella.it, and contains several links to that bank's site, as well as links to facebook, twitter, google+, and youtube. The message has both Heuristics.Phishing.Email.SpoofedDomain and Heuristics.Phishing.Email. Upon removal of the social links, the message is clean.

I could disable loading phishing URLs. (They were enabled in 0.98.4, weren't they? Debian issued that upgrade quite recently.) Or I can also enable SafeBrowsing in freshclam.conf. Or are they two totally unrelated things?

To work around false positives, I can pass (rather than drop) email messages having only that kind of "virus", and add a suitable field to their message header; Bounce-Unless-Auth, say. A downstream filter would then recognize that header and reject messages unless it finds an acceptable authentication (SPF, DKIM, or such).

Doing so has to rely on virus names. Am I safe using "Heuristics.*" as a wildcard? Is there any other method to distinguish phishing from traditional, low-fp viruses? Any other suggestion?

TIA
Ale

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
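The pass-and-tag scheme sketched in the post, as an added Python example that is neither the poster's code nor part of ClamAV or libclamav. It assumes the clamd reply format `<path>: <name> FOUND`, a header named `X-Bounce-Unless-Auth` (the post's "Bounce-Unless-Auth" with an X- prefix, an assumption), and an Authentication-Results header written by a trusted authserv-id `mx.example.net`. Rather than the whole `Heuristics.*` wildcard, it matches only the `Heuristics.Phishing.` and `Heuristics.Safebrowsing.` prefixes, because ClamAV's Heuristics namespace also covers detections such as `Heuristics.Encrypted.Zip` and `Heuristics.Broken.Executable` that have nothing to do with phishing. The sample message and clamd replies are constructed for offline use.

```python
import re
from email import message_from_string

# Signature-name prefixes treated as "phishing heuristics" in this example.
# Heuristics.* as a whole would also match Heuristics.Encrypted.Zip,
# Heuristics.Broken.Executable and similar non-phishing detections.
PHISHING_PREFIXES = ("Heuristics.Phishing.", "Heuristics.Safebrowsing.")

# Hypothetical tagging header; the downstream filter keys on its presence.
AUTH_HEADER = "X-Bounce-Unless-Auth"

# clamd reports one detection per line: "<path>: <signature name> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.*?): (?P<name>\S+) FOUND$")

# RFC 7601 result tokens we accept as proof the sender domain was authenticated
AUTH_PASS_RE = re.compile(r"\b(spf|dkim)=pass\b", re.IGNORECASE)


def parse_clamd_reply(reply):
    """Return the signature names found in a clamd scan reply (empty list if clean)."""
    names = []
    for line in reply.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


def classify(names):
    """'clean', 'phishing-heuristic' (only phishing prefixes hit) or 'other'."""
    if not names:
        return "clean"
    if all(n.startswith(PHISHING_PREFIXES) for n in names):
        return "phishing-heuristic"
    return "other"


def upstream_decision(raw_message, clamd_reply):
    """First-stage filter: drop real detections, pass clean mail, and pass
    phishing-heuristic-only mail after tagging it with the signature names."""
    names = parse_clamd_reply(clamd_reply)
    verdict = classify(names)
    msg = message_from_string(raw_message)
    if verdict == "other":
        return "drop", msg
    if verdict == "phishing-heuristic":
        msg[AUTH_HEADER] = ", ".join(names)
    return "pass", msg


def downstream_decision(msg, trusted_authserv_id):
    """Second-stage filter: untagged mail is accepted; tagged mail is accepted
    only if an Authentication-Results header from our own authserv-id reports
    spf=pass or dkim=pass, otherwise it is rejected."""
    if msg.get(AUTH_HEADER) is None:
        return "accept"
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = hdr.partition(";")
        if authserv_id.strip() != trusted_authserv_id:
            continue  # ignore results not produced by our own MTA
        if AUTH_PASS_RE.search(results):
            return "accept"
    return "reject"


# Constructed sample newsletter (not a real message from any bank).
SAMPLE_NEWSLETTER = """\
Return-Path: <news@example-bank.test>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-bank.test;
 dkim=pass header.d=example-bank.test
From: Newsletter <news@example-bank.test>
To: user@example.net
Subject: Monthly update

Visit https://www.example-bank.test and follow us on social media.
"""

# Constructed clamd replies (the first mimics the post's double heuristic hit).
CLAMD_PHISHING_ONLY = (
    "stream: Heuristics.Phishing.Email.SpoofedDomain FOUND\n"
    "stream: Heuristics.Phishing.Email FOUND\n"
)
CLAMD_REAL_VIRUS = "stream: Eicar-Test-Signature FOUND\n"
CLAMD_CLEAN = "stream: OK\n"

if __name__ == "__main__":
    for reply in (CLAMD_PHISHING_ONLY, CLAMD_REAL_VIRUS, CLAMD_CLEAN):
        action, msg = upstream_decision(SAMPLE_NEWSLETTER, reply)
        final = downstream_decision(msg, "mx.example.net") if action == "pass" else "n/a"
        print(reply.splitlines()[0], "->", action, "/", final)
```

The downstream check only trusts Authentication-Results headers carrying your own authserv-id, so the border MTA must strip any such header that arrives from outside; otherwise a sender can forge a `dkim=pass` result and defeat the filter. The upstream stage keys on signature names exactly as the post proposes, so it is only as reliable as the naming convention stays stable across ClamAV releases.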