micah anderson via clamav-users wrote:
Hi, I keep having people complaining about False Positives due to Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint. I really didn't want to do this, but I added a few entries to the local.wdb to whitelist it:

X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-

That seemed to work for a while, but people are getting hit by it again. It seems like the URLs changed; they used to be:

https://urldefense.proofpoint.com/v2/url?u="

The newer ones prepend https://urldefense.com/v3/__ but that regexp should match, unless I'm misreading it. Does someone have a better solution that works for this?
I only use Heuristics.Phishing.Email.SpoofedDomain in a ClamAV instance that doesn't blindly pass/fail a message based only on the ClamAV result.
For outbound mail, I handle this by calling ClamAV from MIMEDefang, where I can do anything I like with the ClamAV result.
For inbound mail, I have a secondary clamd instance configured *without* the stock signatures, but with this option and a selection of riskier local and third-party signatures. This is called from SpamAssassin, and I can score different specific signatures or signature groups differently.
-kgd

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
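The two local.wdb entries quoted in the question can be checked offline before they are trusted. The following is an added example, not code from the thread or from ClamAV: it splits each "X:" whitelist line into ClamAV's RealURL / DisplayedURL / FuncLevelSpec fields and tests the RealURL regex against constructed URLs in the shapes the thread describes (a safelinks URL, a urldefense.proofpoint.com/v2 URL and a urldefense.com/v3 URL). Matching the regex against the whole URL is an assumption of this example; since every entry starts with `.+`, an unanchored search gives the same answers for these samples. The `CANDIDATE_V3_ENTRY` line is likewise an assumption of the example, not an entry anyone in the thread proposed.

```python
import re

# Whitelist entries quoted in the thread (ClamAV .wdb "X:" regex lines).
WDB_ENTRIES_FROM_THREAD = [
    r"X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-",
    r"X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-",
]

# Candidate entry for the newer urldefense.com/v3 form. This is an assumption
# of this example (a hypothetical line), not an entry from the thread.
CANDIDATE_V3_ENTRY = r"X:.+urldefense\.com([/?].*)?:.*([/?].*)?:17-"


def parse_wdb_x_line(line: str):
    """Split an X: line into (real_url_regex, displayed_url_regex, func_level).

    The regex fields used here contain no ':' so a plain 3-way split is enough.
    """
    kind, real_re, disp_re, level = line.split(":", 3)
    if kind != "X":
        raise ValueError("only X: regex entries are handled in this example")
    return real_re, disp_re, level


def real_url_whitelisted(entries, real_url: str) -> bool:
    """True if any entry's RealURL regex matches the whole real URL.

    Whole-string matching is an assumption of this example; because every
    entry begins with '.+', re.search would give the same result for the
    sample URLs below.
    """
    for line in entries:
        real_re, _, _ = parse_wdb_x_line(line)
        if re.fullmatch(real_re, real_url):
            return True
    return False


# Constructed sample URLs (not captured from real mail) in the shapes the
# thread describes.
SAMPLE_URLS = {
    "safelinks": "https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2F",
    "v2": "https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_",
    "v3": "https://urldefense.com/v3/__https://example.com/__;!!placeholder$",
}


def check_all(entries):
    """Map each sample name to whether the given entries whitelist its URL."""
    return {name: real_url_whitelisted(entries, url) for name, url in SAMPLE_URLS.items()}


if __name__ == "__main__":
    print("thread entries only:   ", check_all(WDB_ENTRIES_FROM_THREAD))
    print("plus candidate v3 line:", check_all(WDB_ENTRIES_FROM_THREAD + [CANDIDATE_V3_ENTRY]))
```

Run against the thread's two entries, the v2 and safelinks samples match and the v3 sample does not: the second regex requires the literal host `urldefense.proofpoint.com`, and the v3 form lives on `urldefense.com`, so the existing line never sees it. Adding the candidate line makes the v3 sample match, but like the other two entries it exempts every URL on that host from the spoofed-domain check, which is the trade-off kgd's reply avoids by scoring the heuristic in SpamAssassin instead of whitelisting.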
