On 12/12/2012 11:18 AM, Brent Gardner wrote:
We were getting false positives caused by a heuristic anti-phishing
check in ClamAV.  We'd see log messages like:

2012-12-10 09:20:05.648516500 simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:[email protected]:[email protected]

In the last month, all but one hit on this signature were for legitimate
messages coming from American Express.

Going off of info found here:
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html,  I
disabled phishing URL checks in ClamAV by restarting clamd after putting
this line in /etc/clamd.conf:

     PhishingScanURLs no


This also disables the following ClamAV checks, which we weren't getting
any hits on:

     Heuristics.Phishing.Email
     Heuristics.Phishing.Email.Cloaked.Null
     Heuristics.Phishing.Email.Cloaked.NumericIP
     Heuristics.Phishing.Email.Cloaked.Username
     Heuristics.Phishing.Email.SpoofedDomain
     Heuristics.Phishing.Email.SSL-Spoof
     Heuristics.Phishing.URL.Blacklisted


fyi


Brent Gardner



---------------------------------------------------------------------

I had a similar problem with Chase and Sanesecurity. Instead of defeating the checks though, I set up entries in the tcp.smtp file for Chase's servers, which don't do scanning at all, like this:

     151.151.65.96-126:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"

There are 14 tcp.smtp records in all. I hope they don't change their outbound servers around very often. ;)

--
-Eric 'shubes'
