On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote:
> Hello,
>
> On 14.11.2017 at 10:44, Al Varnell wrote:
>> I'm not very good at regex, but I'm surprised that this current X record
>> doesn't already take care of this:
>>
>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
> Me too. In which file is this regex located?

daily.cld / .cvd

-Al-

>> -Al-
>>
>> On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
>>> Hello List,
>>>
>>> I think I found an FP in incoming mail. I can't submit the mail as an FP on
>>> the website, because it contains private data.
>>> I can provide debug output which leads to the match:
>>>
>>> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
>>> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
>>> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck:host:.www.amazon.de
>>> LibClamAV debug: Looking up in regex_list: www.amazon.de/
>>> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>>> LibClamAV debug: calc_pos_with_skip:
>>> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>>> LibClamAV debug: calc_pos_with_skip:amazon.de
>>> LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
>>> LibClamAV debug: Before inserting .: .www.amazon.de
>>> LibClamAV debug: Lookup result: in regex list
>>> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
>>> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
>>> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>>
>>> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect..... which
>>> redirects to http://www.amazon.de/gp/help/survey?p....
>>> These are default links from Amazon to rate seller/product and should be an
>>> allowed combination of redirects.
>>> Is it possible to do a global update of this combination within heuristics?
>>> Otherwise I would have to whitelist by wdb file:
>>>
>>> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
>>>
>>> Thanks,
>>> Hajo
>>>
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA
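Added example, not part of the original thread and not ClamAV code: it checks the two X records quoted above against the strings shown in the "Looking up in regex_list:" debug lines. The existing record expects a real URL on any listed amazon domain with a displayed URL on amazon.com, while this mail has the two the other way round. Assumptions: Python's `re.search` stands in for libclamav's regex matcher, and the `REVERSED` pair is constructed for comparison.

```python
import re

# X records quoted in the thread: the one from daily.cld / .cvd and the
# one proposed for a local wdb file.
EXISTING = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?"
PROPOSED = r"X:.+sellercentral-europe\.amazon\.com:.+amazon\.de"

# Copied from the "Looking up in regex_list:" debug lines (real:displayed).
LOOKUPS = [
    "https://sellercentral-europe.amazon.com:http://www.amazon.de/",
    "sellercentral-europe.amazon.com:www.amazon.de/",
]

# Constructed pair: real host on amazon.de, displayed host on amazon.com,
# i.e. the direction the existing record is written for.
REVERSED = "www.amazon.de:www.amazon.com/"


def x_record_matches(record, lookup):
    """Apply the regex of an 'X:<regex>' record to a 'real:displayed' string.

    Assumption: an unanchored search approximates the real matcher.
    """
    kind, _, pattern = record.partition(":")
    if kind != "X":
        raise ValueError("only X (regex) records are handled here")
    return re.search(pattern, lookup) is not None


def report(records, lookups):
    """Return {(record name, lookup string): matched} for every combination."""
    return {
        (name, lookup): x_record_matches(record, lookup)
        for name, record in records.items()
        for lookup in lookups
    }


if __name__ == "__main__":
    records = {"existing": EXISTING, "proposed": PROPOSED}
    for (name, lookup), hit in report(records, LOOKUPS + [REVERSED]).items():
        print(f"{name:9} {'match' if hit else 'no match':9} {lookup}")
```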