I just received a report from a customer about a legitimate Amazon.ca
order confirmation that tripped the
Phishing.Heuristics.Email.SpoofedDomain code in ClamAV (0.95.3 from
Debian lenny volatile).

I'm not sure what this heuristic test looks for, but after inspecting
the message source I'm pretty sure it triggered on amazon.ca in a URL
associated with an image retrieved from amazon.com.

I don't want to just add Amazon's sender address and name to the
customer's whitelist due to the spoof emails floating around. I'm
contacting him to see if I can release the message for analysis.

Are there any finer-grained controls on how this test works other than
PhishingScanURLs?

Any suggestions on how to allow Amazon.ca order email through without
blowing big holes in our filtering?

-kgd