Török Edwin wrote:
> Are you sure it was a Heuristics.Phishing.*, or Phishing.Heuristics.*
> detection?
> It doesn't look at the subject line at all.

Pretty certain; I don't recall the username so it's a bit hard to check
back in the mail logs.

>> What does the "17-" at the end indicate?
> It indicates that the signature should only be loaded on ClamAV with
> functionality level >=17 (0.91+). Older versions crashed when loading
> that sig. This is probably redundant now that we don't support those
> versions anymore.

Ah, OK.

> You mentioned that you can't get the samples due to privacy concerns.

Partially; I've had a few FPs over the past four or five years that I
would have liked to submit, but never got authorization from the
customer (legitimate PayPal emails were hitting non-heuristic sigs for a
while a couple of years ago).

More recently, I've had the same problem for some messages, and for the
others the customer hasn't sent a copy anywhere I can inspect it (a
spam-reporting account that bypasses our outgoing filtering can let me
examine otherwise blocked mail).

Both are social problems, not technical. :/

> What if I'd write a script (in python or perl, or something) that takes
> an email and outputs the .wdb rules?
> It would chop off the query and path part of the URLs, and the output is
> human readable, so the customer can see exactly what they're sending to you.

*nod* I could whip up such a script myself pretty easily, although if
the FP rate hits more than one or two a week I'll likely just disable
PhishingScanURLs. :/

(It's not all that *bad*; one inbound incident out of ~400K
messages/day, two outbound incidents out of ~75K messages/day.)

> Now I can't expect your users to have ClamAV installed, right?
> Maybe it's possible to write something in python/perl only for the wdb
> generation, but before doing that: would your users have python/perl
> installed in the first place?

*snort* ISP end-users running *nix? Well, maybe one or two out of
~50K... <g>

> Keep in mind that with 0.96 it is called Heuristics.Phishing.*.
> This was done to have a uniform naming for all engine detections (they
> all begin with Heuristics.* now).

Thanks, doubly! Consistent names are always good, and it's good to know
about that naming change for the specific messages I'd like to do
additional processing on.
-kgd
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
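The script Edwin proposes in the thread (take a false-positive email, strip the URLs down to hostnames, and emit human-readable .wdb whitelist lines the customer can review before sending) is sketched below as an added example. This is not code from the thread or from the ClamAV project. It assumes the `M:RealHostname:DisplayedHostname:FuncLevelSpec` line form of the .wdb whitelist database and reuses the `17-` functionality-level suffix discussed above; the sample message is constructed for the example, and it only emits an entry when the link target and the URL shown in the link text resolve to different hosts (the case the Heuristics.Phishing.* URL check flags).

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Functionality-level spec from the thread: only engines with level >= 17 load the line.
FUNC_LEVEL = "17-"


class _AnchorCollector(HTMLParser):
    """Collect (href, visible link text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_only(url):
    """Chop off scheme, path, query and fragment; keep only the lowercased hostname."""
    if "://" not in url:
        url = "http://" + url  # bare "www.example.org/x" still parses as a host
    return (urlparse(url).hostname or "").lower()


# Something that looks like a URL or bare hostname inside the visible link text.
_URLISH = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)


def wdb_entries(raw_message):
    """Return .wdb 'M:' whitelist lines for each real/displayed host mismatch in the mail."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    entries = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # the URL heuristic compares href against displayed text, so HTML only
        parser = _AnchorCollector()
        parser.feed(part.get_content())
        for href, text in parser.pairs:
            match = _URLISH.search(text)
            if not match:
                continue  # plain words such as "click here" carry no displayed URL
            real, shown = host_only(href), host_only(match.group(0))
            if real and shown and real != shown:
                entry = f"M:{real}:{shown}:{FUNC_LEVEL}"
                if entry not in entries:
                    entries.append(entry)
    return entries


# Constructed sample: a legitimate mailer whose tracking link displays the billing host.
SAMPLE_EMAIL = b"""From: billing@example.com
To: user@example.net
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>View it at <a href="https://mail.example-cdn.net/track?id=123">https://billing.example.com/statement</a></p>
<p>Or <a href="https://billing.example.com/help?x=1">click here</a> for help.</p>
</body></html>
"""

if __name__ == "__main__":
    import sys
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_EMAIL
    for line in wdb_entries(data):
        print(line)
```

Run with a message on stdin (`python3 mkwdb.py < suspect.eml`) or with no input to see the constructed sample, which yields `M:mail.example-cdn.net:billing.example.com:17-`. Because only hostnames survive, the output never contains the tracking ids or account paths from the original URLs, which is what makes it something a customer can inspect and approve.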