Jonas Jacobsson wrote:
> Hi,
> 
> System: debian, clamav 0.93.3.dfsg-1, amavisd-new 1:2.6.1.dfsg-1.
> 
> I got the following in my log running amavis and clamav. The virusdb  
> was up to date when it happened (by freshclam). The receiver is an  
> email address at my domain and the mail is directly forwarded to the  
> hotmail address after the scan. The receiving server telling me it  
> contains a virus is my ISP's smarthost which I must send via. When the  
> ISP finds this virus mail, they will block my internet connection  
> until I call their abuse department.
> 
> I searched for Phishing.Heuristics.Email.SpoofedDomain in the clamav- 
> virusdb archive, and it seems that it does not exist? Unfortunately I  
> don't have the infected mail saved...

This is a heuristics based signature.  It attempts to detect 
malicious links to financial sites.

Phishing is controlled in clamd.conf with:
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

As you can see, both options are enabled by default.  Some 
people (and possibly some package maintainers) think phish 
detection should not be part of an antivirus package, so they 
set "PhishingSignatures no"

In the past, the heuristics based scanning was a major source 
of false positives, but that's much improved now (although 
this still accounts for the majority of FPs here, the number 
of FPs has reduced significantly).  Some people or package 
maintainers may disable heuristic scanning with 
"PhishingScanURLs no"

Maybe you're not scanning for phish.

> 
> The same thing happens with Email.Trojan-2 (which does exist in the  
> db), they are scanned and reported as CLEAN, but the ISP's smarthost  
> blocks it due to the detected virus.

No insight on this one.  Maybe the ISP received an update 
faster than you did.  Maybe the mail didn't pass through your 
clam for some reason.  Maybe you've set your amavisd-new to 
tag & pass viruses rather than discard them.

> Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=<[EMAIL PROTECTED] 
>  >, orig_to=<[EMAIL PROTECTED]>, relay=ch- 
> smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4,  
> delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch- 
> smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains  
> a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of  
> DATA command))

It appears the mail stayed in your queue, note 
"status=SOFTBOUNCE".  If your postfix maximal_queue_lifetime 
hasn't been reached yet, you can view the message with
# postcat -q F15EC8AC158

-- 
Noel Jones
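As an added example (not part of this thread or of ClamAV itself), a small POSIX shell check that reports the effective state of the two phishing options in a clamd.conf, treating an absent or commented-out line as the compiled-in default ("yes") exactly as the reply above describes. The sample config is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Report whether ClamAV's
# phishing options are effectively enabled in a clamd.conf. An option that
# is missing or commented out ("#PhishingSignatures yes") takes the
# compiled-in default, which is "yes" for both phishing options.

effective_option() {
    # $1 = path to clamd.conf, $2 = option name, $3 = default when unset
    conf="$1"; opt="$2"; dflt="$3"
    # Only uncommented lines count; the last assignment wins.
    val=$(grep -i "^[[:space:]]*${opt}[[:space:]]" "$conf" | tail -n 1 | awk '{print $2}')
    if [ -z "$val" ]; then
        echo "$dflt"
    else
        echo "$val" | tr 'A-Z' 'a-z'
    fi
}

phishing_status() {
    # One line per option: name, effective value, and whether the value
    # comes from an explicit line or from the default.
    conf="$1"
    for opt in PhishingSignatures PhishingScanURLs; do
        val=$(effective_option "$conf" "$opt" yes)
        if grep -qi "^[[:space:]]*${opt}[[:space:]]" "$conf"; then
            src=explicit
        else
            src=default
        fi
        echo "$opt $val ($src)"
    done
}

# Constructed sample config: heuristics disabled explicitly, signatures
# left commented out (so the default applies).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Default: yes
#PhishingSignatures yes
# Scan URLs found in mails for phishing attempts using heuristics.
PhishingScanURLs no
EOF

phishing_status "$SAMPLE_CONF"
# PhishingSignatures yes (default)
# PhishingScanURLs no (explicit)
```

Run it against the real file with `phishing_status /etc/clamav/clamd.conf` to see whether a package default or a local edit has turned either option off.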