Re: [qmailtoaster] Re: Disabling ClamAV heuristic phishing checks

[Brent Gardner]

On 12/14/2012 10:23 AM, Eric Shubert wrote:

On 12/13/2012 02:33 PM, Brent Gardner wrote:

On 12/12/2012 04:53 PM, Eric Shubert wrote:

On 12/12/2012 11:18 AM, Brent Gardner wrote:

We were getting false positives caused by a heuristic anti-phishing
check in ClamAV.  We'd see log messages like:

2012-12-10 09:20:05.648516500

simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:healt030201212100700560763005840.amex.m...@welcome.aexp.com:u...@example.com

In the last month, all but one hit on this signature were for legitimate

messages coming from American Express.

Going off of info found here:
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html,  I

disabled phishing URL checks in ClamAV by restarting clamd after putting

this line in /etc/clamd.conf:

     PhishingScanURLs no

This also disables the following ClamAV checks, which we weren't getting

any hits on:

     Heuristics.Phishing.Email
     Heuristics.Phishing.Email.Cloaked.Null
     Heuristics.Phishing.Email.Cloaked.NumericIP
     Heuristics.Phishing.Email.Cloaked.Username
     Heuristics.Phishing.Email.SpoofedDomain
     Heuristics.Phishing.Email.SSL-Spoof
     Heuristics.Phishing.URL.Blacklisted


fyi


Brent Gardner



---------------------------------------------------------------------

I had a similar problem with Chase and sane security. Instead of
defeating the checks though, I set up entries in the tcp.smtp file for
Chase's servers, which don't do scanning at all, like this:

151.151.65.96-126:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"

There are 14 tcp.smtp records in all. I hope they don't change their
outbound servers around very often. ;)

Yeah, I considered doing that but I couldn't find a list of AMEX's
outbound servers.  Too bad you can't put FQDNs in tcp.smtp.  Plus, it
appears that the now-disabled check was producing false positives 95% of
the time.


Brent Gardner





---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

FWIW, I garnered Chase's IPs from their SPF record. ;)

Clever ;)



---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com