I'm not very good at regex, but I'm surprised that this current X record doesn't already take care of this:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?

-Al-

On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
> Hello List,
>
> I think I found an FP in incoming mail. I can't submit the mail as FP on the website,
> because it contains private data.
> I can provide debug output which leads to the match:
>
> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck:host:.www.amazon.de
> LibClamAV debug: Looking up in regex_list: www.amazon.de/
> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
> LibClamAV debug: calc_pos_with_skip:
> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
> LibClamAV debug: calc_pos_with_skip:amazon.de
> LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
> LibClamAV debug: Before inserting .: .www.amazon.de
> LibClamAV debug: Lookup result: in regex list
> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>
> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect..... which redirects
> to http://www.amazon.de/gp/help/survey?p....
> These are default links from Amazon to rate seller/product and should be an
> allowed combination of redirects.
> Is it possible to do a global update of this combination within heuristics?
> Otherwise I had to whitelist by wdb file:
>
> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
>
> Thanks,
> Hajo
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
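An added example, not part of the thread or of ClamAV's code: it checks both X records from the messages above against the RealURL:DisplayedURL pairs in the "looking up in whitelist" debug lines and reports which half of a record rejects the pair. It assumes a record applies only when its regex covers the whole lookup string, and it uses Python's re module as a stand-in for ClamAV's regex engine; split_record and check are hypothetical helper names.

```python
import re

# Whitelist (.wdb) records from the thread, in the form X:RealURL:DisplayedURL.
EXISTING = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?"
PROPOSED = r"X:.+sellercentral-europe\.amazon\.com:.+amazon\.de"

# (RealURL, DisplayedURL) pairs from the "looking up in whitelist" debug lines.
FULL_URL = ("https://sellercentral-europe.amazon.com", "http://www.amazon.de")
HOST_ONLY = (".sellercentral-europe.amazon.com", ".www.amazon.de")


def split_record(record):
    """Split an X record into its RealURL and DisplayedURL regexes."""
    kind, _, body = record.partition(":")
    if kind != "X":
        raise ValueError("not a regex (X) whitelist record")
    halves = body.split(":")
    # Assumption: neither regex contains ':' itself (true for both records here).
    if len(halves) != 2:
        raise ValueError("cannot split record unambiguously")
    return halves[0], halves[1]


def check(record, real, displayed):
    """Report whether the record covers the pair, and which half rejects it."""
    real_re, disp_re = split_record(record)
    return {
        # Assumption: the regex must cover the whole lookup string.
        "whole": re.fullmatch(real_re + ":" + disp_re, real + ":" + displayed) is not None,
        "real": re.fullmatch(real_re, real) is not None,
        "displayed": re.fullmatch(disp_re, displayed) is not None,
    }


if __name__ == "__main__":
    for name, record in (("existing", EXISTING), ("proposed", PROPOSED)):
        for pair in (FULL_URL, HOST_ONLY):
            print(name, pair, check(record, *pair))
    # Same hosts with the roles swapped: link target amazon.de, link text amazon.com.
    print("existing, swapped", check(EXISTING, HOST_ONLY[1], HOST_ONLY[0]))
```

Under these assumptions the existing record accepts the RealURL half but rejects the DisplayedURL half, because that half only allows amazon.com while the mail displays www.amazon.de; with the two roles swapped the same record matches.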