Brent Gardner
2012-12-12 18:18:58 UTC
We were getting false positives caused by a heuristic anti-phishing
check in ClamAV. We'd see log messages like:
2012-12-10 09:20:05.648516500 simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:***@welcome.aexp.com:***@example.com
In the last month, all but one hit on this signature were for legitimate
messages coming from American Express.
Going off of info found here:
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html, I
disabled phishing URL checks in ClamAV by restarting clamd after putting
this line in /etc/clamd.conf:
PhishingScanURLs no
This also disables the following ClamAV checks, which we weren't getting
any hits on:
Heuristics.Phishing.Email
Heuristics.Phishing.Email.Cloaked.Null
Heuristics.Phishing.Email.Cloaked.NumericIP
Heuristics.Phishing.Email.Cloaked.Username
Heuristics.Phishing.Email.SpoofedDomain
Heuristics.Phishing.Email.SSL-Spoof
Heuristics.Phishing.URL.Blacklisted
fyi
Brent Gardner
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-***@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-***@qmailtoaster.com
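The triage Brent describes (counting how many hits on one heuristic came from a single legitimate sender before deciding to switch the check off) can be scripted against the simscan log. The Python below is an added example, not part of the original post and not simscan or ClamAV code; the log lines it parses are constructed to follow the simscan format shown above, and the addresses, IPs and PIDs in them are made up. The list of signature names is the one from the post.

```python
import re
from collections import Counter, defaultdict

# Signatures the post lists as switched off together by "PhishingScanURLs no".
PHISHING_URL_SIGNATURES = {
    "Heuristics.Phishing.Email",
    "Heuristics.Phishing.Email.Cloaked.Null",
    "Heuristics.Phishing.Email.Cloaked.NumericIP",
    "Heuristics.Phishing.Email.Cloaked.Username",
    "Heuristics.Phishing.Email.SpoofedDomain",
    "Heuristics.Phishing.Email.SSL-Spoof",
    "Heuristics.Phishing.URL.Blacklisted",
}

# simscan VIRUS line: "<date> <time> simscan:[pid]:VIRUS:<secs>s:<sig>:<ip>:<from>:<to>".
# The timestamp contains colons, so the line is matched as a whole rather than split on ':'.
# Sender may be empty for bounces, hence "[^:]*".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) simscan:\[(?P<pid>\d+)\]:VIRUS:(?P<secs>[\d.]+)s:"
    r"(?P<sig>[^:]+):(?P<ip>[^:]+):(?P<sender>[^:]*):(?P<rcpt>.*)$"
)

# Constructed sample log (hypothetical addresses, documentation-range IPs, made-up PIDs).
SAMPLE_LOG = [
    "2012-12-10 09:20:05.648516500 simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:192.0.2.10:noreply@welcome.aexp.com:bob@example.com",
    "2012-12-10 11:02:41.120000500 simscan:[18401]:VIRUS:0.3011s:Heuristics.Phishing.Email.SpoofedDomain:192.0.2.10:noreply@welcome.aexp.com:alice@example.com",
    "2012-12-11 08:15:09.550000500 simscan:[19007]:VIRUS:0.2899s:Heuristics.Phishing.Email.SpoofedDomain:192.0.2.10:noreply@welcome.aexp.com:carol@example.com",
    "2012-12-11 13:44:52.900000500 simscan:[19320]:VIRUS:0.2710s:Heuristics.Phishing.Email.SpoofedDomain:198.51.100.7:billing@account-verify.example.net:bob@example.com",
    "2012-12-11 14:01:33.010000500 simscan:[19355]:VIRUS:0.0804s:Eicar-Test-Signature:198.51.100.9:test@example.org:alice@example.com",
    "2012-12-11 14:05:12.330000500 simscan:[19360]:CLEAN (0.00/5.00):0.1502s:192.0.2.20:dave@example.net:bob@example.com",
]


def parse_virus_line(line):
    """Return a dict for a simscan VIRUS line, or None for CLEAN/other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sender = rec["sender"]
    # Group by sender domain: that is what distinguishes "all from American Express"
    # from a spread of unrelated senders.
    rec["sender_domain"] = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    return rec


def tally(lines):
    """Map signature -> Counter(sender_domain -> hits) over an iterable of log lines."""
    by_sig = defaultdict(Counter)
    for line in lines:
        rec = parse_virus_line(line)
        if rec:
            by_sig[rec["sig"]][rec["sender_domain"]] += 1
    return by_sig


def phishing_url_hits(by_sig):
    """Hit count for every PhishingScanURLs-controlled signature, including the ones at 0.

    Shows what a blanket "PhishingScanURLs no" would silence beyond the noisy one."""
    return {sig: sum(by_sig.get(sig, Counter()).values())
            for sig in sorted(PHISHING_URL_SIGNATURES)}


def dominant_sender(by_sig, sig):
    """(domain, hits_from_domain, total_hits) for the sender domain behind most hits on sig."""
    counter = by_sig.get(sig)
    if not counter:
        return None
    domain, hits = counter.most_common(1)[0]
    return domain, hits, sum(counter.values())


if __name__ == "__main__":
    by_sig = tally(SAMPLE_LOG)
    for sig, hits in phishing_url_hits(by_sig).items():
        print(f"{hits:4d}  {sig}")
    print(dominant_sender(by_sig, "Heuristics.Phishing.Email.SpoofedDomain"))
```

Run it over the real log by passing an open file handle to `tally()` instead of `SAMPLE_LOG`. The per-signature breakdown makes visible which of the seven signatures actually fired during the period, and `dominant_sender()` gives the "all but one hit came from one legitimate domain" figure that justified the change.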