Hi there,

On Tue, 1 Mar 2022, Alex via clamav-users wrote:

> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
> have a newsletter from ncua.gov that keeps getting blocked because it

The providers of Fedora do some IMHO slightly odd things with ClamAV
packaging which sometimes show up here on the mailing list.  More on
that later.

> apparently contains links.gd in the body somewhere, although I can't
> find it.

How did you look?!  The string is present in the message eight times.
The line numbers are shown below:

8<----------------------------------------------------------------------
$ grep -n 'lnks\.gd' EXZ1fDpK.raw
357: margin: 0 0 15px;"><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJ=
564:ca,sans-serif"><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxs=
571:" alt=3D"Facebook"></a> =A0 <a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1=
578:original.png" alt=3D"Twitter"></a> =A0 <a href=3D"https://lnks.gd/l/eyJhb=
586:tps://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxsZXRpbl9saW5rX2lkIjoxMDQsInVy=
600:<p><font face=3D"arial,helvetica,sans-serif"><a href=3D"https://lnks.gd/l=
606:rel=3D"noopener">Unsubscribe</a>=A0|=A0 <a href=3D"https://lnks.gd/l/eyJh=
644:op" width=3D"95"><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidW=
8<----------------------------------------------------------------------

> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?

Given the limitation you impose (not bypassing the rule altogether)
that's probably not a ClamAV question.  You can whitelist things in
several ways.  Although I've never used Amavis myself I'm sure that
you can use its whitelisting features.  Try searching for something
like that in the Amavis documentation, if you don't come up with an
easy way to do it drop me a private message.  (It will be rejected,
but you don't need to worry about that - I'll still read it. :)

> Also, I keep deleting the main.cvd database but it keeps replacing it.
> How do I configure clamav so it only updates one of the main database
> types?

My guess is that you somehow have two update mechanisms operating, and
that you need to stop one of them.  There are probably two 'freshclam'
processes running.  At a guess one of them is running 24/7 as a daemon
and the other one is running from a cron job or similar.  This is what
I meant by some slightly odd things in Fedora - I think they might be
making it too easy for people to get into this position because of the
way they split up and repackage various parts of ClamAV.  You might
find that it's less of an issue if you use the package from the ClamAV
Website instead of the Fedora packages, but sometimes 'management' and
'policy' and things like that intrude to make that difficult.  I have
to repeat that a lot of what I've said in this paragraph is guesswork.
If it helps, great, if not please do get back to us.

--

73,
Ged.
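Editor's note, added to this archived thread and not part of either poster's message: the question above asks how to exempt one newsletter without switching Heuristics.Phishing.Email.SpoofedDomain off. ClamAV's signature documentation describes a whitelist database type for exactly this case, a `.wdb` file whose lines have the form `X:RealURL:DisplayedURL:FuncLevelSpec`, where the two middle fields are regular expressions for the href target and the displayed link text. The Python below is a simplified model of that mechanism, written for this note: it decodes a constructed quoted-printable HTML message modelled on the grep output above, collects each anchor's href and displayed text, flags anchors whose displayed text looks like a URL on a different host, and then exempts the pairs a `.wdb`-style entry matches. The `lnks.gd`/`ncua.gov` regexes, the assumption that the newsletter's displayed link text carries `ncua.gov` hostnames, and the scheme-stripping and anchoring in `whitelisted()` are this note's choices; ClamAV's own URL normalisation and domain comparison are more involved than the model, so check the real entry against the signature documentation and a test scan before relying on it.

```python
"""Simplified model of ClamAV's SpoofedDomain check plus a .wdb-style whitelist.
Added example; not ClamAV code and not from the clamav-users thread."""
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed quoted-printable HTML message, modelled on the grep output in the
# thread (href=3D, soft line breaks ending in '='); the URLs are assumptions.
SAMPLE_QP = b"""Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxs">https://www.ncua.gov/news</a></p>
<p><a href=3D"https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidW=
xs">www.ncua.gov/newsroom</a></p>
<p><a href=3D"https://lnks.gd/l/unsub">Unsubscribe</a></p>
<p><a href=3D"https://evil.example/login">https://www.paypal.com/signin</a></p>
"""

# One .wdb-style line (X:RealURL:DisplayedURL:FuncLevelSpec). The regexes are
# this note's assumption for the ncua.gov newsletter; comment lines are skipped.
WDB_LINES = [
    "# exempt ncua.gov display text that links through the lnks.gd tracker",
    r"X:(www\.)?lnks\.gd([/?].*)?:(www\.)?ncua\.gov([/?].*)?:17-",
]

URLISH = re.compile(r"(?:[a-z][a-z0-9+.-]*://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/?]\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, displayed text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """Only displayed text that reads as a URL or hostname is compared."""
    return URLISH.fullmatch(text.strip()) is not None


def hostname(url_or_host):
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def strip_scheme(url):
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I)


def parse_wdb(lines):
    """Return (real_regex, displayed_regex) pairs from X: lines."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == "X":
            rules.append((fields[1], fields[2]))
    return rules


def whitelisted(href, text, rules):
    """Model: both regexes must match the scheme-stripped URLs in full."""
    real, shown = strip_scheme(href), strip_scheme(text)
    return any(re.fullmatch(rr, real) and re.fullmatch(dr, shown) for rr, dr in rules)


def check_message(raw_qp, wdb_lines):
    """Return (flagged, exempt) lists of (href, displayed_text) pairs."""
    body = raw_qp.split(b"\n\n", 1)[1]
    html = quopri.decodestring(body).decode("utf-8", "replace")
    parser = AnchorCollector()
    parser.feed(html)
    rules = parse_wdb(wdb_lines)
    flagged, exempt = [], []
    for href, text in parser.links:
        if not looks_like_url(text) or hostname(href) == hostname(text):
            continue  # plain words like "Unsubscribe", or same host: no spoof
        (exempt if whitelisted(href, text, rules) else flagged).append((href, text))
    return flagged, exempt


if __name__ == "__main__":
    for label, rules in (("no whitelist", []), ("with .wdb entry", WDB_LINES)):
        flagged, exempt = check_message(SAMPLE_QP, rules)
        print(label, "flagged:", flagged, "exempt:", exempt)
```

Without the entry all three URL-looking anchors whose displayed host differs from the href host are flagged; with it the two `ncua.gov`-over-`lnks.gd` pairs are exempt while the `paypal.com`-over-`evil.example` anchor is still caught, which is the behaviour the poster asked for. In a real deployment the `.wdb` file goes into clamd's database directory (on Fedora assumed to be /var/lib/clamav), clamd picks it up on the next database reload (`clamdscan --reload` requests one), and freshclam leaves locally added files alone because they are not part of the mirrored databases.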

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml