Alessandro,

Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/ directory. It contains some info on identifying the reason for the phish detection and on how to write whitelist signatures. You should be able to create a local whitelist, local.wdb for example, and add that to your database directory rather than modifying daily.wdb.

Hope it helps,
Steve

On Fri, Jul 18, 2014 at 11:09 AM, Alessandro Vesely <ves...@tana.it> wrote:
> Hi,
> I use libclamav for email filtering, and wonder how to handle these cases.
>
> Although spammy, that newsletter appears to be fully legitimate. It
> originated from sella.it, and contains several links to that bank's
> site, as well as links to facebook, twitter, google+, and youtube.
>
> The message has both Heuristics.Phishing.Email.SpoofedDomain and
> Heuristics.Phishing.Email. Upon social links removal, the message is
> clean.
>
> I could disable loading phishing urls. (They were enabled in 0.98.4,
> weren't they? Debian issued that upgrade quite recently.) Or I can
> also enable SafeBrowsing in freshclam.conf. Or are they two totally
> unrelated things?
>
> To work around false positives, I can pass (rather than drop) email
> messages having only that kind of "virus", and add a suitable field to
> their message header; Bounce-Unless-Auth, say. A downstream filter
> would then recognize that header and reject messages unless it finds
> an acceptable authentication (SPF, DKIM, or such). Doing so has to
> rely on virus names. Am I safe using "Heuristics.*" as a wildcard?
> Is there any other method to distinguish phishing from traditional,
> low-fp viruses?
>
> Any other suggestion?
>
> TIA
> Ale
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
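The pass-and-tag policy Alessandro sketches above, as an added example that is not from the thread or from ClamAV itself: it assumes the scanner's signature names for a message are available as a list of strings, treats only names under the assumed prefix `Heuristics.Phishing.` as taggable (a design choice, not an answer to the `Heuristics.*` question), and uses the Bounce-Unless-Auth header name proposed in the thread.

```python
# Added example, not code from the thread or from ClamAV. Implements the
# "pass but tag, reject downstream unless authenticated" policy described above.
# Assumptions: detections arrive as a list of signature-name strings, and only
# names starting with PHISH_PREFIX are treated as low-confidence heuristics.
from email.message import EmailMessage
from typing import Iterable, List, Tuple

PHISH_PREFIX = "Heuristics.Phishing."   # assumed prefix for the phishing heuristics
TAG_HEADER = "Bounce-Unless-Auth"        # header name proposed in the thread


def classify(detections: Iterable[str]) -> str:
    """Return 'clean' (no hits), 'tag' (only phishing heuristics) or 'drop'."""
    names = list(detections)
    if not names:
        return "clean"
    if all(n.startswith(PHISH_PREFIX) for n in names):
        return "tag"
    return "drop"   # any non-heuristic signature means a real malware hit


def build_message(sender: str, body: str) -> EmailMessage:
    """Construct a minimal message for the example (placeholder content)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg.set_content(body)
    return msg


def apply_policy(msg: EmailMessage, detections: Iterable[str]) -> Tuple[str, EmailMessage]:
    """Apply the verdict to msg; a 'tag' verdict records the signature names in the header."""
    names: List[str] = list(detections)
    verdict = classify(names)
    if verdict == "tag":
        msg[TAG_HEADER] = ", ".join(names)
    return verdict, msg


def downstream_accepts(msg: EmailMessage, authenticated: bool) -> bool:
    """Downstream filter: untagged mail passes; tagged mail needs SPF/DKIM-style auth."""
    if msg.get(TAG_HEADER) is None:
        return True
    return authenticated


if __name__ == "__main__":
    # Constructed sample: the newsletter from the thread, flagged only by heuristics.
    m = build_message("newsletter@example.com", "constructed newsletter body")
    verdict, m = apply_policy(m, ["Heuristics.Phishing.Email.SpoofedDomain",
                                  "Heuristics.Phishing.Email"])
    print(verdict, m[TAG_HEADER], downstream_accepts(m, authenticated=True))
```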