On 4/30/2009 12:28 AM, Török Edwin wrote:
> That submission id is another sample you submitted on April 17th that
> matches Email.Phishing.DblDom-59,
> and it doesn't have anything about sears or harrahs-marketing inside it.

Thanks for the response. Oh, OK. I can't tell from the mailing list archive submission list exactly which submission it was, and I incorrectly assumed the submission would have been processed in a day or two. I have not been receiving the "Notify Me" email notifications, and see nothing in my logs indicating they were blocked. So I've stopped relying on the notifications (which are not as useful as they could be in any event).

Although I'm probably the only one ever confused about which content matches which submission, wouldn't it be outstanding if, say, like SpamCop, we could see the content of our submissions?

On 4/30/2009 12:28 AM, Török Edwin wrote:
> > which was not considered a FP.
> It is in fact a message from this mailing list that discusses
> signatures, and shows what a particular signature decodes to, no
> wonder it gets matched by the signature it is discussing, thus it is
> not a false positive.

Thanks. I do not recall the content, but I'll make sure to watch this.

...
> We usually whitelist these.

Ok, that's what I was curious about. Thanks again.

On 4/30/2009 5:56 AM, Tom Shaw wrote:
> Mike,
>
> All I have to say, not being part of clamav team, that I hope all
> marketers get away from obfuscating urls.
>

Entirely agree. And I'll continue to breathe.

> That said, there is so much of this in marketing and outsourced
> emails from legitimate business that I think that "heuristic" should
> only be used in concert with bondedsender, dnswl.org,
> anti-spam.org.cn, iadb.isipp.com and habeas.

Right, the heuristic now is too simplistic, requires a fair amount of management, and perhaps only the simplest examples are reliable.

>
> We score each "heuristic" differently and whitelist early thus not
> usually getting a FP.

I likewise score/whitelist. For those that trigger quarantine, I just whitelist and submit for redelivery.

Thanks all again,
Mike
