It's my experience that the Heuristics.Phishing.Email.SpoofedDomain engine checks URLs to make sure the hyperlink actually takes you to a site related to what the text shows. I'm not aware of any public information on whitelisting these, but do know it can be done by adding an x- or m- entry in the database, which is something that the ClamAV signature team should probably do for everybody rather than providing a local whitelist.
Or are you seeing something else in these messages that causes an FP?

-Al-

On Thu, Aug 16, 2018 at 07:40 PM, Tristan Goguen wrote:
> Hi,
>
> We are looking for documentation that will help us "whitelist" a sender's
> email. Thank you for any suggestions.
>
> Wed Aug 8 07:37:00 2018 -> Message w78BaxBt005717 from <sen...@domain.com
> <mailto:sen...@domain.com>> to <<recipi...@domain.com
> <mailto:recipi...@domain.com>>> with subject 'RE: ' message-id
> '<8q3v8vqrv8bva5u46f6qy0mf.1533728212...@email.android.com
> <mailto:8q3v8vqrv8bva5u46f6qy0mf.1533728212...@email.android.com>>' date
> 'Wed, 8 Aug 2018 11:36:54 +0000' infected by
> Heuristics.Phishing.Email.SpoofedDomain
>
> Tristan
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml