On 03/09/2010 06:52 PM, Kris Deugau wrote:
> I just received a report from a customer about a legitimate Amazon.ca
> order confirmation that tripped the
> Phishing.Heuristics.Email.SpoofedDomain code in Clamav (0.95.3 from
> Debian lenny volatile).
>
> I'm not sure what this heuristic test looks for, but after inspecting
> the message source I'm pretty sure it triggered on amazon.ca in a URL
> associated with an image retrieved from amazon.com.
>
> I don't want to just add Amazon's sender address and name to the
> customer's whitelist due to the spoof emails floating around. I'm
> contacting him to see if I can release the message for analysis.
>
> Are there any finer-grained controls on how this test works other than
> PhishingScanURLs?
>
> Any suggestions on how to allow Amazon.ca order email through without
> blowing big holes in our filtering?

It should already be whitelisted:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-
X:.+:.+images\.amazon\.com([/?].*)?:17-

What is the domain of the image, and the domain of the href target?
Can you craft a simple example html mail with just a url, the img url,
with just the domains? (without the actual path and query params).

Best regards,
--Edwin
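
Added example, not part of the original thread and not ClamAV's own code: a small checker that runs a (link target, displayed or image URL) pair against the two whitelist entries quoted in the reply. It assumes the entry layout is `X:<real URL regex>:<displayed URL regex>:<functionality level>` and that each side must match in full once the scheme is dropped; ClamAV's own URL normalisation is not reproduced, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# The two whitelist entries quoted in the reply, verbatim.
WDB_LINES = [
    r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-",
    r"X:.+:.+images\.amazon\.com([/?].*)?:17-",
]

def parse_entry(line):
    """Split 'X:<real>:<displayed>[:<flevel>]' (assumed layout) into patterns."""
    parts = line.split(":")
    if len(parts) not in (3, 4) or parts[0] != "X":
        raise ValueError("not a regex whitelist entry: %r" % line)
    flevel = parts[3] if len(parts) == 4 else None  # kept as-is, not interpreted
    return re.compile(parts[1]), re.compile(parts[2]), flevel

def strip_scheme(url):
    """Reduce a URL to host + path + query (assumed normalisation)."""
    s = urlsplit(url if "//" in url else "//" + url)
    rest = s.netloc.lower() + s.path
    return rest + ("?" + s.query if s.query else "")

def covered_by(real_url, displayed_url, lines=WDB_LINES):
    """Return the first entry whose two patterns fully match the pair, else None."""
    real, shown = strip_scheme(real_url), strip_scheme(displayed_url)
    for line in lines:
        real_re, shown_re, _ = parse_entry(line)
        if real_re.fullmatch(real) and shown_re.fullmatch(shown):
            return line
    return None

# Constructed test pairs, domains only, as the reply asks for.
SAMPLES = [
    ("http://www.amazon.ca/", "http://www.amazon.com/"),
    ("http://amazon.ca/", "http://www.amazon.com/"),   # no host label before "amazon"
    ("http://www.amazon.ca/", "http://amazon.com/"),   # same, on the displayed side
    ("http://www.example.org/", "http://www.amazon.com/"),
]

if __name__ == "__main__":
    for real, shown in SAMPLES:
        print(real, shown, "->", covered_by(real, shown) or "NOT COVERED")
```

Under plain regex semantics, both patterns in the first entry require at least one character and a dot before `amazon`, so a pair using the bare domain on either side is reported as not covered.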
