On 2009-04-30 02:03, MrC wrote:
> I submitted what I considered to be a FP on
>
>    Phishing.Heuristics.Email.SpoofedDomain
>
>    Submission-ID: 7705854
>   

That submission ID is another sample you submitted on April 17th that
matches Email.Phishing.DblDom-59, and it doesn't have anything about
sears or harrahs-marketing inside it.


>    Sender: Me
>    Submission notes: not a false positive
>    Added: No
>
> which was not considered a FP. 

It is in fact a message from this mailing list that discusses signatures
and shows what a particular signature decodes to. No wonder it gets
matched by the signature it is discussing; thus it is not a false positive.


>  The code below is what triggered the 
> detection (I hope this passes the list and shows up correctly):
>
> <img src=3D"http://cbimages.ed4.net/harrahs/3991_226618.gif"; 
> width=3D"32=" height=3D"174" alt=3D""></td>
> <td><span style=3D"color:#000000; font-size:14px; font-family:Arial, 
> Helvetica, sans-serif">SEARS has the brand names everyone knows and 
> loves - from hardware to house wares to home electronics.  With over 
> 2,000 convenient locations nationwide, Sears has an incredible selection 
> with something for everyone!  For your convenience, you can also shop 
> online at <A 
> href=3D"http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=3DKEY=3D_urlid__-730367%26EDID=3D_edid__";
>  
> id=3D"link_12"><font color=3D"#000000">www.sears.com</font></a>.<br>
>   

This looks like submission ID 7884339, that wasn't processed yet.

> and debug output:
>
> LibClamAV debug: Phishcheck:Checking url 
> http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/IIDO12/UAEIL/E4/h?a=KEY=_urlid__-730367%26EDID=_edid__->www.sears.com
> LibClamAV debug: Phishcheck:URL after cleanup: 
> http://click.harrahs-marketing.com->www.sears.com
> LibClamAV debug: Phishing: looking up in whitelist: 
> http://click.harrahs-marketing.com:www.sears.com; host-only:0
> LibClamAV debug: Phishcheck:host:.www.sears.com
> LibClamAV debug: Phishcheck:host:.click.harrahs-marketing.com
> LibClamAV debug: Phishing: looking up in whitelist: 
> .click.harrahs-marketing.com:.www.sears.com; host-only:1
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too 
> different
> LibClamAV debug: found Possibly Unwanted: 
> Phishing.Heuristics.Email.SpoofedDomain
> virus-t3OEREsBZjFW: Phishing.Heuristics.Email.SpoofedDomain FOUND
>
> The redirector from harrahs-marketing.com to sears.com is not a surprise 
> to the reader as the preceding text clearly indicates "SEARS".  While 
> I'm no fan of advertisements, shouldn't this be considered for 
> whitelisting?  Does Clam seem a little simplistic and naive in its 
> SpoofedDomain phishing heuristic?
>   

We usually whitelist these.

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
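
The comparison traced in the debug output above (host of the link target versus the host shown as link text, then a whitelist lookup of that pair), as an added example that is not part of the original message and is not ClamAV's code. The sample link is constructed from the quoted HTML; `check`, `WHITELIST` and the last-two-labels domain comparison are assumptions made for illustration.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the quoted-printable link from the message, on one line.
SAMPLE_QP = (b'<A href=3D"http://click.harrahs-marketing.com/r/1U3JI8/AMAUN/MFBMAJ/'
             b'IIDO12/UAEIL/E4/h?a=3DKEY=3D_urlid__-730367%26EDID=3D_edid__" '
             b'id=3D"link_12"><font color=3D"#000000">www.sears.com</font></a>')
# Hypothetical whitelist of (real host, displayed host) pairs.
WHITELIST = {("click.harrahs-marketing.com", "www.sears.com")}
HOSTLIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkPairs(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # "Cleanup" step: reduce a URL or bare hostname to its lowercase host.
    url = url.strip()
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def base(host):
    # Assumption: the last two labels stand in for the registered domain.
    return ".".join(host.split(".")[-2:])

def check(body_qp, whitelist=frozenset()):
    """Return (real_host, shown_host, verdict) for links whose text is a URL."""
    parser = LinkPairs()
    parser.feed(quopri.decodestring(body_qp).decode("latin-1"))
    parser.close()
    results = []
    for href, text in parser.pairs:
        if not HOSTLIKE.match(text):
            continue  # link text is not a URL, so there is nothing to compare
        real, shown = host_of(href), host_of(text)
        verdict = ("match" if base(real) == base(shown)
                   else "whitelisted" if (real, shown) in whitelist else "mismatch")
        results.append((real, shown, verdict))
    return results
```

Without the pair in the whitelist the sample link is reported as a mismatch, which is the situation the debug log shows; with it, the same link passes.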
