[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

Tue, 14 Nov 2017 01:20:53 -0800 

Hello List,
i think i found an fp in incoming mail.  I cant submit mail as FP on website, because it contains private data. 
I can provide debug output which leads to match:
LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0 LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/ 
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck:host:.www.amazon.de
LibClamAV debug: Looking up in regex_list: www.amazon.de/
LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"; 
LibClamAV debug: calc_pos_with_skip:
LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"; 
LibClamAV debug: calc_pos_with_skip:amazon.de
LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
LibClamAV debug: Before inserting .: .www.amazon.de
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1 LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/ 
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect..... which redirects to http://www.amazon.de/gp/help/survey?p.... These are default links from amazon to rate seller/product and should be an allowed combination of redirects. 
It is possible to do a global update of this combination within heuristics?
Otherwise i had to whitelist by wdb file:

X:.+sellercentral-europe\.amazon\.com:.+amazon\.de

Thanks,
Hajo


_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to