koffiejunkie wrote: > Hi guys, > > Pretty much what the subject says. Amavisd-new (through ClamAV) is > identifying legitimate mails from eBay as HTML.Phishing.Auction-113. > The notification I get looks like this (Subject and e-mail address > changed for privacy, of course): > > > A virus was found: HTML.Phishing.Auction-113 > > Scanner detecting a virus: ClamAV-clamd
This is a ClamAV (not amavis) issue. The false positive is due to the anti-phishing signatures in ClamAV. This is currently a hot topic on the clamav list. You can disable the phishing heuristics in your /etc/clamd.conf file, which default to: # With this option enabled ClamAV will try to detect phishing attempts by using # signatures. # Default: yes #PhishingSignatures yes # Scan URLs found in mails for phishing attempts using heuristics. # Default: yes #PhishingScanURLs yes You can also soft-whitelist senders (if you are able to determine them) via @score_sender_maps in amavisd, and also have amavis map phishing pseudo-viruses into spam scores instead of treating them like viruses: @virus_name_to_spam_score_maps = (new_RE( [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 6.0 ], )); This will treat clamav's phishing hits as spam hits, boosting the score by 6.00 (set the values as you see fit). See the amavisd.conf file and documentation. MrC > > Content type: Virus (9,0) > Internal reference code for the message is 29147-19/PLfqqUg3n0u6 > ... > > Virus scanner output: > p002: HTML.Phishing.Auction-113 FOUND > > > What is triggering this? Any way to prevent it? > > Thanks > ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ AMaViS-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
