Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2018-08-27 Thread Reindl Harald



On 23.08.2018 at 20:08, Marcus Schopen wrote:
> Hi,
> 
> On Tuesday, 14.11.2017 at 11:20 +0100, Hajo Locke wrote:
>> Hello,
>>
>> Based on my working whitelist regex, I would say the 2nd part should
>> not look only for amazon\.com
>>
>> If I understood it the correct way, it should be something like:
>>
>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?
>>
>> Using this regex shows a clean mail. Maybe more extensions are needed
>> on the right side, depending on Amazon's changes/uses of different domains.
> 
> Anything new on this? Is above rule still working? Some of my amazon
> mails are blocked by "Phishing.Email.SpoofedDomain" too, e.g.:
> 
> http://www.adobe.com/de/products/acrobat/readstep2.html
> -> https://sellercentral-europe.amazon.com/...

That BULLSHIT never worked and has made more problems than it solves for
years now; either run two instances where the one with
"PhishingScanURLs" doesn't make hard rejects (in my example it's part of
the SpamAssassin scoring) or disable that option


[root@mail-gw:~]$ cat /etc/clamd.d/scan.conf | grep PhishingScanURLs
PhishingScanURLs no

[root@mail-gw:~]$ cat /etc/clamd.d/scan-sa.conf | grep PhishingScanURLs
PhishingScanURLs yes
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2018-08-23 Thread Marcus Schopen
Hi,

On Tuesday, 14.11.2017 at 11:20 +0100, Hajo Locke wrote:
> Hello,
> 
> Based on my working whitelist regex, I would say the 2nd part should
> not look only for amazon\.com
> 
> If I understood it the correct way, it should be something like:
> 
> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?
> 
> Using this regex shows a clean mail. Maybe more extensions are needed
> on the right side, depending on Amazon's changes/uses of different domains.

Anything new on this? Is above rule still working? Some of my amazon
mails are blocked by "Phishing.Email.SpoofedDomain" too, e.g.:

http://www.adobe.com/de/products/acrobat/readstep2.html
-> https://sellercentral-europe.amazon.com/...

or

Amazon.de 
-> https://sellercentral-europe.amazon.com/...

Cheers
m



Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke

Hello,

Based on my working whitelist regex, I would say the 2nd part should not
look only for amazon\.com

If I understood it the correct way, it should be something like:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?

Using this regex shows a clean mail. Maybe more extensions are needed
on the right side, depending on Amazon's changes/uses of different domains.


Thanks,
Hajo

On 14.11.2017 at 10:50, Al Varnell wrote:
> On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote:
>> Hello,
>>
>> On 14.11.2017 at 10:44, Al Varnell wrote:
>>> I'm not very good at regex, but I'm surprised that this current X record
>>> doesn't already take care of this:
>>>
>>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
>>
>> Me too. In which file is this regex located?
>
> daily.cld / .cvd
>
> -Al-
>
>>> -Al-
>>>

>>> On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
>>>> Hello List,
>>>>
>>>> I think I found an FP in incoming mail. I can't submit the mail as an FP on the website,
>>>> because it contains private data.
>>>> I can provide debug output which leads to the match:
>>>>
>>>> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
>>>> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
>>>> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
>>>> LibClamAV debug: Lookup result: not in regex list
>>>> LibClamAV debug: Phishcheck:host:.www.amazon.de
>>>> LibClamAV debug: Looking up in regex_list: www.amazon.de/
>>>> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>>>> LibClamAV debug: calc_pos_with_skip:
>>>> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>>>> LibClamAV debug: calc_pos_with_skip:amazon.de
>>>> LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
>>>> LibClamAV debug: Before inserting .: .www.amazon.de
>>>> LibClamAV debug: Lookup result: in regex list
>>>> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
>>>> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
>>>> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
>>>> LibClamAV debug: Lookup result: not in regex list
>>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>>>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>>>
>>>> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect, which redirects to
>>>> http://www.amazon.de/gp/help/survey?p
>>>> These are default links from Amazon to rate seller/product and should be an
>>>> allowed combination of redirects.
>>>> Is it possible to do a global update of this combination within heuristics?
>>>> Otherwise I had to whitelist by wdb file:
>>>>
>>>> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
>>>>
>>>> Thanks,
>>>> Hajo



Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Al Varnell
On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote:
> Hello,
> 
> 
> Am 14.11.2017 um 10:44 schrieb Al Varnell:
>> I'm not very good at regex, but I'm surprised that this current X record 
>> doesn't already take care of this:
>> 
>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
> me too. in which file is this regex located?

daily.cld / .cvd

-Al-

>> 
>> -Al-
>> 
>> On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
>>> Hello List,
>>> 
>>> I think I found an FP in incoming mail. I can't submit the mail as an FP on 
>>> the website, because it contains private data.
>>> I can provide debug output which leads to the match:
>>> 
>>> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
>>> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
>>> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck:host:.www.amazon.de
>>> LibClamAV debug: Looking up in regex_list: www.amazon.de/
>>> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>>> LibClamAV debug: calc_pos_with_skip:
>>> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>>> LibClamAV debug: calc_pos_with_skip:amazon.de
>>> LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
>>> LibClamAV debug: Before inserting .: .www.amazon.de
>>> LibClamAV debug: Lookup result: in regex list
>>> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
>>> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
>>> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>> 
>>> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect, which 
>>> redirects to http://www.amazon.de/gp/help/survey?p
>>> These are default links from Amazon to rate seller/product and should be an 
>>> allowed combination of redirects.
>>> Is it possible to do a global update of this combination within heuristics?
>>> Otherwise I had to whitelist by wdb file:
>>> 
>>> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
>>> 
>>> Thanks,
>>> Hajo
>>> 

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke

Hello,


On 14.11.2017 at 10:44, Al Varnell wrote:
> I'm not very good at regex, but I'm surprised that this current X record 
> doesn't already take care of this:
> 
> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?

Me too. In which file is this regex located?

> -Al-
> 
> On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
>> Hello List,
>> 
>> I think I found an FP in incoming mail. I can't submit the mail as an FP on the website, 
>> because it contains private data.
>> I can provide debug output which leads to the match:
>> 
>> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
>> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
>> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck:host:.www.amazon.de
>> LibClamAV debug: Looking up in regex_list: www.amazon.de/
>> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>> LibClamAV debug: calc_pos_with_skip:
>> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
>> LibClamAV debug: calc_pos_with_skip:amazon.de
>> LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
>> LibClamAV debug: Before inserting .: .www.amazon.de
>> LibClamAV debug: Lookup result: in regex list
>> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
>> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
>> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>> 
>> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect, which redirects to 
>> http://www.amazon.de/gp/help/survey?p
>> These are default links from Amazon to rate seller/product and should be an 
>> allowed combination of redirects.
>> Is it possible to do a global update of this combination within heuristics?
>> Otherwise I had to whitelist by wdb file:
>> 
>> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
>> 
>> Thanks,
>> Hajo




Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Al Varnell
I'm not very good at regex, but I'm surprised that this current X record 
doesn't already take care of this:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?

-Al-

On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:
> Hello List,
> 
> I think I found an FP in incoming mail. I can't submit the mail as an FP on the website, 
> because it contains private data.
> I can provide debug output which leads to the match:
> 
> LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
> LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
> LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck:host:.www.amazon.de
> LibClamAV debug: Looking up in regex_list: www.amazon.de/
> LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
> LibClamAV debug: calc_pos_with_skip:
> LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
> LibClamAV debug: calc_pos_with_skip:amazon.de
> LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
> LibClamAV debug: Before inserting .: .www.amazon.de
> LibClamAV debug: Lookup result: in regex list
> LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
> LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
> LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
> 
> Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect, which redirects 
> to http://www.amazon.de/gp/help/survey?p
> These are default links from Amazon to rate seller/product and should be an 
> allowed combination of redirects.
> Is it possible to do a global update of this combination within heuristics?
> Otherwise I had to whitelist by wdb file:
> 
> X:.+sellercentral-europe\.amazon\.com:.+amazon\.de
> 
> Thanks,
> Hajo



[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke

Hello List,

I think I found an FP in incoming mail. I can't submit the mail as an FP on the 
website, because it contains private data.

I can provide debug output which leads to the match:

LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck:host:.www.amazon.de
LibClamAV debug: Looking up in regex_list: www.amazon.de/
LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
LibClamAV debug: calc_pos_with_skip:
LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
LibClamAV debug: calc_pos_with_skip:amazon.de
LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
LibClamAV debug: Before inserting .: .www.amazon.de
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain


Mail contains a link https://sellercentral-europe.amazon.com/nms/redirect, which 
redirects to http://www.amazon.de/gp/help/survey?p
These are default links from Amazon to rate seller/product and should be 
an allowed combination of redirects.

Is it possible to do a global update of this combination within heuristics?
Otherwise I had to whitelist by wdb file:

X:.+sellercentral-europe\.amazon\.com:.+amazon\.de

Thanks,
Hajo


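The two whitelist rules exchanged in this thread (the daily.cvd X: record Al quoted, which only accepts amazon\.com on the displayed side, and Hajo's revised variant with (com|de)) can be checked against the link pair from the debug output without a mail server. What follows is an added example written for this page; it is not ClamAV code and was not posted by anyone in the thread. It is a small Python model of the lookup the LibClamAV debug lines show: it compiles X: lines, builds the two lookup strings ("real:displayed/" and the host-only form) and reports, per link in a mail body, whether the pair is flagged or whitelisted. The whole-string match, the appended "/", the scheme+host "cleanup", the treatment of bare link text such as "Amazon.de" as a displayed URL, the SAMPLE_HTML body and the simplified registrable-domain comparison in spoofed_domain() are assumptions modelled on the debug output above, not taken from the ClamAV sources.

```python
"""Model of ClamAV's .wdb "X:" whitelist lookup for the case in this thread.

Added example, not ClamAV code.  Assumptions (modelled on the LibClamAV debug
output, not on the ClamAV sources):
  * an "X:RealURL:DisplayedURL" line is one regex that must match the whole
    string "<real>:<displayed>/" (ClamAV appends the "/") and is tried again
    in host-only form "<realhost>:<displayedhost>/";
  * "URL after cleanup" keeps only scheme and host of each URL.
spoofed_domain() is a deliberate simplification of the real
Heuristics.Phishing.Email.SpoofedDomain comparison.
"""
import re
from urllib.parse import urlparse

# The daily.cvd rule Al quoted, and Hajo's revised (com|de) rule, both copied
# from the thread.
DAILY_RULE = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?"
REVISED_RULE = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?"

# Constructed HTML body in the shape of the seller-rating mail: link 1 is
# Hajo's case, link 2 is Marcus's bare "Amazon.de" text, link 3 is consistent.
SAMPLE_HTML = """\
<html><body>
<p>Rate this seller:
<a href="https://sellercentral-europe.amazon.com/nms/redirect">http://www.amazon.de/gp/help/survey?p</a></p>
<p><a href="https://sellercentral-europe.amazon.com/nms/redirect">Amazon.de</a></p>
<p><a href="https://www.amazon.de/gp/help">https://www.amazon.de/gp/help</a></p>
</body></html>
"""

FLAG = "Heuristics.Phishing.Email.SpoofedDomain"
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"(?i)^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$")


def load_wdb(text):
    """Compile the X: lines of a .wdb file; each is one regex over "real:displayed".
    A trailing FuncLevelSpec (":NN" or ":NN-MM") is dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("X:"):
            continue  # comments, blanks and other record types
        rules.append(re.compile(re.sub(r":\d+(-\d*)?$", "", line[2:])))
    return rules


def link_pairs(html):
    """(href, displayed) pairs for anchors whose visible text looks like a URL
    or a bare hostname (assumption: a bare hostname becomes http://host)."""
    pairs = []
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if URLISH_RE.match(text):
            if not re.match(r"(?i)https?://", text):
                text = "http://" + text
            pairs.append((href, text))
    return pairs


def cleanup(url):
    """Mimic the 'URL after cleanup' line: keep scheme and host only."""
    p = urlparse(url)
    return f"{p.scheme}://{p.hostname}", p.hostname


def lookup_strings(real_url, displayed_url):
    """The two strings the debug output shows being looked up in regex_list."""
    _, real_host = cleanup(real_url)
    _, disp_host = cleanup(displayed_url)
    return [f"{real_url}:{displayed_url}/",  # host-only:0
            f"{real_host}:{disp_host}/"]    # host-only:1


def is_whitelisted(rules, real_url, displayed_url):
    return any(r.fullmatch(s) for r in rules
               for s in lookup_strings(real_url, displayed_url))


def registrable_domain(host):
    """Simplification: last two labels, or three under co.uk-style suffixes."""
    labels = host.lower().split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in ("co", "com", "org", "net", "ac", "gov")):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofed_domain(real_host, disp_host):
    return registrable_domain(real_host) != registrable_domain(disp_host)


def check_mail(html, wdb_text):
    """Return (real, displayed, verdict) per link: "clean", "whitelisted" or FLAG."""
    rules = load_wdb(wdb_text)
    results = []
    for href, text in link_pairs(html):
        real, real_host = cleanup(href)
        disp, disp_host = cleanup(text)
        if not spoofed_domain(real_host, disp_host):
            verdict = "clean"
        elif is_whitelisted(rules, real, disp):
            verdict = "whitelisted"
        else:
            verdict = FLAG
        results.append((real, disp, verdict))
    return results


if __name__ == "__main__":
    for name, wdb in (("daily.cvd rule", DAILY_RULE), ("revised rule", REVISED_RULE)):
        print(f"== {name}")
        for real, disp, verdict in check_mail(SAMPLE_HTML, wdb):
            print(f"{real} -> {disp}: {verdict}")
```

With the daily.cvd rule the sellercentral-europe.amazon.com -> www.amazon.de pair is flagged, exactly as the debug output above shows, because the displayed side of that rule insists on .amazon.com; with the revised rule it is whitelisted. The bare "Amazon.de" link text stays flagged under both rules because both require a label before \.amazon\. on the displayed side; that is a property of the regexes, not a statement about how ClamAV itself handles bare hostnames.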