Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 4:51 PM, Maarten Broekman via clamav-users wrote: https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Maarten Broekman via clamav-users
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create a file "good_urls.wdb" in the same directory as the existing ClamAV database files and put in an appropriate line to handle the domains

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/15/2022 11:47 AM, G.W. Haywood via clamav-users wrote: Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread G.W. Haywood via clamav-users
Hi there, On Wed, 15 Jun 2022, joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Kris Deugau
joe a wrote: To semi-hijack, I was attempting to deal with my own occasional false positive by using this thread as a clue. Attempting to follow the docs, I hit a wall here: "To help you identify what triggered a heuristic phishing alert, clamscan or clamd will print a message indicating the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread joe a
On 6/13/2022 7:27 PM, Mathieu Morier via clamav-users wrote: Yea for now I just created the line as peer the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format  ) and it’s working. For 

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Yea for now I just created the line as per the doc ( https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format ) and it's working. For Heuristics.Phishing.Email.SpoofedDomain it's not an « ignore list » but an « allow list » of real URL and display URL that you want to allow. echo

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote: Look like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically change ... Don't get me started. ... links to ... hit the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
For now I have done that and it works! echo "M:can01.safelinks.protection.outlook.com:www.desjardins.com" >> /var/lib/clamav/local.wdb systemctl restart clamd But it will be great if Desjardins rules are on the

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread Mathieu Morier via clamav-users
Hi, It looks like many Canadian Banks are switching their corporate email to Office 365 ( Microsoft cloud ) and all the links in their email are then automatically changed to https://can01.safelinks.protection.outlook.com with a long string. So all the links to desjardins.com

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread G.W. Haywood via clamav-users
Hi there, On Mon, 30 May 2022, Mathieu Morier via clamav-users wrote: desjardins.com is a Québec Canada Coop Bank Institution and for a couple of weeks, all their email to our email server has been flagged by my CLAM for Heuristics.Phishing.Email.SpoofedDomain ... They probably did

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread Mathieu Morier via clamav-users
Hi, desjardins.com is a Québec Canada Coop Bank Institution and for a couple of weeks, all their email to our email server has been flagged by my CLAM for Heuristics.Phishing.Email.SpoofedDomain . It might be something in the signature of their email. But it's starting to be

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-19 Thread Robert Kudyba
> Hi there, > > On Tue, 13 Apr 2021, Robert Kudyba wrote: > > > So I still don't know what "queue_id" is. > > Try the command > > mailq > > and look in the Sendmail docs. The queue ID is just the filename in > the mail queue directory without the first two characters. For each > message in the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-13 Thread G.W. Haywood via clamav-users
Hi there, On Tue, 13 Apr 2021, Robert Kudyba wrote: So I still don't know what "queue_id" is. Try the command mailq and look in the Sendmail docs. The queue ID is just the filename in the mail queue directory without the first two characters. For each message in the queue there are two

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-13 Thread Robert Kudyba
> > > Also, with clamav-milter and sendmail. I see that the headers of > quarantined messages go to /var/spool/mqueue with root:smmsp owner/group > permissions and the header of the email starts with hf whilst the body of > the message starts with df. So the message in question looks like this: >

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-13 Thread eric-list
Robert, > From: clamav-users On Behalf Of > Robert Kudyba > Sent: Tuesday, April 13, 2021 10:40 AM > To: ClamAV users ML > Cc: G.W. Haywood > Subject: Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain... > > I'm seeing a FP from a Delta Airlines email. >

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-13 Thread Robert Kudyba
I'm seeing a FP from a Delta Airlines email. Also, with clamav-milter and sendmail. I see that the headers of quarantined messages go to /var/spool/mqueue with root:smmsp owner/group permissions and the header of the email starts with hf whilst the body of the message starts with df. So the

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-01 Thread G.W. Haywood via clamav-users
Hi there, On Thu, 1 Apr 2021, eric-l...@truenet.com wrote: Just a heads up. I noticed a bunch of American Express Statements in our quarantine. My guess is because they are using m.amex and go.amex links in the emails. DKIM and SPF pass so these definitely seem to be legit AMEX emails. From

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-01 Thread eric-list
Just a heads up. I noticed a bunch of American Express Statements in our quarantine. My guess is because they are using m.amex and go.amex links in the emails. DKIM and SPF pass so these definitely seem to be legit AMEX emails. From address is "American Express" Sincerely, Eric Tykwinski

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-17 Thread lukn
Hi You cannot whitelist a sender in ClamAV. Whitelisting happens in the software that calls ClamAV. The alternative is to disable spoofing checks in ClamAV configuration. They're not enabled by default, so if your ClamAV checks spoofing, then someone enabled it on purpose. As Al already

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread Al Varnell
It's my experience that the Heuristics.Phishing.Email.SpoofedDomain engine checks URLs to make sure the hyperlink actually takes you to a site related to what the text shows. I'm not aware of any public information on whitelisting these, but do know it can be done by adding an x- or m- entry in

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread Tristan Goguen
Hi, We are looking for documentation that will help us "whitelist" a sender's email. Thank you for any suggestions. Wed Aug 8 07:37:00 2018 -> Message w78BaxBt005717 from to <> with subject 'RE: ' message-id '<8q3v8vqrv8bva5u46f6qy0mf.1533728212...@email.android.com>' date 'Wed, 8 Aug 2018

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2017-11-15 Thread micah anderson
micah anderson writes: > X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17 > > but people are still complaining. Did I do this wrong? Looking again at > the documentation, it appears that it should be '17-' instead of '17', > but I'm not sure that matters. Anyone

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2017-11-15 Thread Kris Deugau
micah anderson wrote: I keep having people complaining about False Positives due to Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that the reason this is happening is because of Outlook's "advanced threat protection" which wraps URLs in a "safelink" URL, I really didn't

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2017-11-15 Thread micah anderson
Hi, I keep having people complaining about False Positives due to Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that the reason this is happening is because of Outlook's "advanced threat protection" which wraps URLs in a "safelink" URL, all the details of this monstrosity

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positives

2017-06-12 Thread Al Varnell
On Jun 9, 2017, at 1:40 PM, Alex wrote: > Hi, > > I've noticed a large amount of phishing signature false-positives, and > just want to make sure I understand correctly how they work. > > I have HeuristicScanPrecedence disabled and all the phishing settings > left as default. > > I'm assuming

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positives

2017-06-09 Thread Alex
Hi, I've noticed a large amount of phishing signature false-positives, and just want to make sure I understand correctly how they work. I have HeuristicScanPrecedence disabled and all the phishing settings left as default. I'm assuming this rule is known to produce a large amount of

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Kris Deugau
Alex wrote: > Hi, > > I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain > for capitaloneemail.com, but can't figure out how to use sigtool to > determine which actual domain it thinks was spoofed. > > # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain | > sigtool

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Alex
On Tue, Aug 16, 2016 at 12:35 PM, Steve basford wrote: > Try clamscan --debug 2>debug.log and I think that should show you a domain. Ah yes, thanks. It appears it's marked it because the URLs were too different: LibClamAV debug: Phishing: looking up in whitelist:

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Steve basford
Try clamscan --debug 2>debug.log and I think that should show you a domain. Cheers, Steve Web: sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity On 16 August 2016 17:32:31 Alex wrote: Hi, I have a false-positive with

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Reindl Harald
On 16.08.2016 at 18:31, Alex wrote: I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain for capitaloneemail.com, but can't figure out how to use sigtool to determine which actual domain it thinks was spoofed. # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Alex
Hi, I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain for capitaloneemail.com, but can't figure out how to use sigtool to determine which actual domain it thinks was spoofed. # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain | sigtool --decode-sigs # Why doesn't

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-26 Thread Alex
Hi, On Tue, Aug 25, 2015 at 1:19 PM, Kevin Lin k...@sourcefire.com wrote: It's not necessary to whitelist the heuristic. If you choose to, you can whitelist the domain which can be done using a .wdb signature. There is documentation on how to write an entry in the phishsigs_howto.pdf document.

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Kevin Lin
As a heuristic, the generation of this detection is a result of behavioral detection by the ClamAV engine and not by any particular database signature. Unfortunately, this effectively means that sigtool is unable to decode the signature as there is no signature associated with this detection.

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Charles Swiger
On Aug 25, 2015, at 9:41 AM, Alex mysqlstud...@gmail.com wrote: Thanks very much. I've submitted an fp, but it appears to be the result of this: LibClamAV debug: Looking up hash 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for urldefense.proofpoint.com/

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi, On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin k...@sourcefire.com wrote: As a heuristic, the generation of this detection is a result of behavioral detection by the ClamAV engine and not by any particular database signature. Unfortunately, this effectively means that sigtool is unable to

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi, I have an email with an apparent false-positive spoofed domain. How can I determine what domain it is that clamscan thinks is spoofed and correct it? I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to decode a false-positive, but no signature or other details are given.

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi, It's not necessary to whitelist the heuristic. If you choose to, you can whitelist the domain which can be done using a .wdb signature. There is documentation on how to write an entry in the phishsigs_howto.pdf document. Whitelist the sending domain? Or the offending domain? Or which?

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Alex
Hi, On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger cswi...@mac.com wrote: On Aug 25, 2015, at 9:41 AM, Alex mysqlstud...@gmail.com wrote: Thanks very much. I've submitted an fp, but it appears to be the result of this: LibClamAV debug: Looking up hash

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain again

2015-04-08 Thread Kris Deugau
How do I whitelist all combinations of TLD 1 and TLD 2 with/without subdomains in one entry? I've just had a series of FP reports, all appear to be triggered by a Scotiabank internal mail system URL that shows scotiabank.com (with a host/subdomain in some messages, without in others) and a real

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Kris Deugau
I just came across a FP report for a hit from Heuristics.Phishing.Email.SpoofedDomain. On checking the message by hand, it no longer triggers this test, either on my desktop test/dev system running 0.98.4, or on the production servers running 0.97.6. Examining the message by hand, the best guess

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Al Varnell
You have certainly found the correct pair as your message is still showing up immediately as infected here. Heuristics detections are accomplished by the engine, not a specific signature. The line you found in daily.hdb identifies this as one of several hundred mostly financial institutions

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Kris Deugau
Al Varnell wrote: You have certainly found the correct pair as your message is still showing up immediately as infected here. ... and here, too; I wondered why my message hadn't shown up in my clamav mail folder... Heuristics detections are accomplished by the engine, not a specific

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

2014-07-14 Thread Al Varnell
OK, I guess that will work, but I don't think it's formatted exactly right and as I said before I think an "M:" whitelist record is more appropriate here. At any rate, I suggest you upload it to http://www.clamav.net/sendvirus/ using the "Send a false positive report" form so that other users

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-03-02 Thread Vincent Fox
Comment about this feature, which I've never turned on before. I flipped it on, for a single mail router in a pool of 9. Over the course of a day and MANY messages, it tripped for only 4 messages, all of which seem legit. So I'm turning it back off.

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-03 Thread Alex
Hi, The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H:domain It looks like I only have daily.cld. Can you explain what you mean here? cd /tmp sigtool --unpack-current=daily there you find what you have Or you can

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Alex
Hi, running clamscan --debug against the file. http://www.tdcanadatrust.com/tdvisa/agreements appears several times in the body of the message but links to http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc; M=1L=2v=4. Ah, thanks. I should have known that. In this case it

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Benny Pedersen
On 2014-02-02 18:43, Alex wrote: The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H:domain It looks like I only have daily.cld. Can you explain what you mean here? cd /tmp sigtool --unpack-current=daily there you find what

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-02 Thread Al Varnell
On Sun, Feb 02, 2014 at 10:41 AM, Benny Pedersen wrote: On 2014-02-02 18:43, Alex wrote: The heuristics engine is only used for selected financial institution domains (currently 263) listed in daily.pdb as H:domain It looks like I only have daily.cld. Can you explain what you mean here?

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Jan 31, 2014, at 5:26 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here:

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Alex
Hi, On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell alvarn...@mac.com wrote: On Jan 31, 2014, at 5:26 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Feb 1, 2014, at 1:44 PM, Alex mysqlstud...@gmail.com wrote: Hi, On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell alvarn...@mac.com wrote: On Jan 31, 2014, at 5:26 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Alex
Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here: http://pastebin.com/S7XkCg9a Any ideas greatly appreciated. LibClamAV debug:

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-02-01 Thread Al Varnell
On Feb 1, 2014, at 3:01 PM, Alex mysqlstud...@gmail.com wrote: Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here:

[clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-01-31 Thread Alex
Hi, I found another false-positive, this time with Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring out what domain within the email it thinks is spoofed. I've pasted the email here: http://pastebin.com/S7XkCg9a Any ideas greatly appreciated. Thanks, Alex

[clamav-users] [Clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2011-07-28 Thread ExodusNZ
Hi, I am new to the forum / newbie with linux/perl etc!! And don't know where else to turn? I've emailed my webserver host and they are useless, saying check the SMTP I'm using? WTF! Anyways my problem is that every time someone emails me they are getting sent an error message (will paste below)

Re: [clamav-users] [Clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2011-07-28 Thread Chuck Swiger
On Jul 28, 2011, at 2:10 PM, ExodusNZ wrote: This is the top of the email they are getting Sorry, we were unable to deliver your message to the following address. xxx@xxx: Remote host said: 550 (Heuristics.Phishing.Email.SpoofedDomain) [BODY] Without having a sample message or

Re: [clamav-users] [Clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2011-07-28 Thread ExodusNZ
Hi, It appears that when I'm sending from pradipda...@xtra.co.nz to pra...@unlock.net.nz it comes up with the error. (Have both of these accounts linked to a yahoo webmail) I've just had a little breakthrough. I think it has to do with my signature - I removed some of the signature and the email

Re: [clamav-users] [Clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2011-07-28 Thread Al Varnell
Facebook dot com is one of the protected web sites when checking for phishing attempts. I learned here the other day that the clamav engine checks a list of currently 236 URLs that are often used for phishing attempts and runs through something like 15 steps to see if it should be flagged. I'll

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2011-07-26 Thread Al Varnell
On 7/26/11 2:06 PM, Török Edwin ed...@clamav.net wrote: On 07/26/2011 11:59 PM, Al Varnell wrote: Is there something going on with subject infections? I see that it's listed on the clamav home page as a Current Threat. We got several users asking about this in the ClamXav Forum (including a

Re: [clamav-users] [Clamav-users] Heuristics.Phishing.Email.SpoofedDomain FPs on Google Alerts mail

2010-12-08 Thread Kris Deugau
Someone just emailed me offlist to see if I found a solution - I haven't seen anything, although for the one customer who reported the problem I just whitelisted the Google Alerts email further upstream in the filtering process. Any suggestions for a solution within ClamAV beyond disabling

[Clamav-users] Heuristics.Phishing.Email.SpoofedDomain FPs on Google Alerts mail

2010-09-02 Thread Kris Deugau
I'd whitelist the specific URLs in question, but they vary from message to message, since they're in the form: http://www.google.com/url?sa=Xq=http://othersite (the full URL runs about 500 characters in total - so far as I understand the SpoofedDomain heuristic, it's only that first pair