Discussion:
Disabling ClamAV heuristic phishing checks
Brent Gardner
2012-12-12 18:18:58 UTC
We were getting false positives caused by a heuristic anti-phishing
check in ClamAV. We'd see log messages like:

2012-12-10 09:20:05.648516500 simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:***@welcome.aexp.com:***@example.com


In the last month, all but one hit on this signature were for legitimate
messages coming from American Express.

Going off of info found here:
http://lurker.clamav.net/message/20101130.100352.010692f7.en.html, I
disabled phishing URL checks in ClamAV by restarting clamd after putting
this line in /etc/clamd.conf:

PhishingScanURLs no


This also disables the following ClamAV checks, which we weren't getting
any hits on:

Heuristics.Phishing.Email
Heuristics.Phishing.Email.Cloaked.Null
Heuristics.Phishing.Email.Cloaked.NumericIP
Heuristics.Phishing.Email.Cloaked.Username
Heuristics.Phishing.Email.SpoofedDomain
Heuristics.Phishing.Email.SSL-Spoof
Heuristics.Phishing.URL.Blacklisted


fyi


Brent Gardner



---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-***@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-***@qmailtoaster.com
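Brent's count of which hits were legitimate was done by hand. As an added example (not part of simscan, ClamAV, qmailtoaster or the thread), the script below parses simscan VIRUS records in the format of his log excerpt and reports, per signature, how many hits came from an IP that the envelope sender's own domain publishes in SPF. That is the cheapest way to separate "the bank's own mailer tripped the heuristic" from "someone else claiming to be the bank" before deciding to switch a check off. The log lines, domains, addresses and the SPF_NETS table are constructed for the example; in practice SPF_NETS would come from a TXT lookup.

```python
"""Triage simscan VIRUS records: which ClamAV signatures fire, and is the
connecting IP one the claimed sender domain authorizes in SPF?

Added example for this thread; not part of simscan, ClamAV or qmailtoaster.
All log lines, domains and addresses below are constructed in the shape of
the simscan line from Brent's post (which had the local parts redacted).
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log: a tai64nlocal timestamp, then simscan's record
#   simscan:[pid]:VIRUS:<scan time>:<signature>:<client IP>:<mail from>:<rcpt to>
# plus one unrelated tcpserver status line that the parser must skip.
SAMPLE_LOG = """\
2012-12-10 09:20:05.648516500 simscan:[18122]:VIRUS:0.2573s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.63:notify@welcome.bank.example:bob@example.com
2012-12-10 11:02:41.112233400 simscan:[18340]:VIRUS:0.2411s:Heuristics.Phishing.Email.SpoofedDomain:12.10.219.64:notify@welcome.bank.example:alice@example.com
2012-12-10 13:45:09.998877600 simscan:[18511]:VIRUS:0.3102s:Heuristics.Phishing.Email.SpoofedDomain:198.51.100.7:security@bank-example-login.test:bob@example.com
2012-12-11 08:12:30.000000100 simscan:[19020]:VIRUS:0.1999s:Heuristics.Phishing.URL.Blacklisted:203.0.113.9:promo@mailer.test:carol@example.com
2012-12-11 08:12:31.000000100 tcpserver: status: 1/40
"""

# Constructed: IPv4 networks each sender domain authorizes in its SPF
# record.  In practice, resolve the domain's TXT record instead.
SPF_NETS = {
    "welcome.bank.example": [ipaddress.ip_network("12.10.219.0/24")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) simscan:\[(?P<pid>\d+)\]:VIRUS:(?P<secs>[\d.]+)s:"
    r"(?P<sig>[^:]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<mfrom>[^:]*):(?P<rcpt>[^:]*)$"
)


def parse_line(line):
    """Return a dict for a simscan VIRUS record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def sender_domain(hit):
    return hit["mfrom"].rsplit("@", 1)[-1].lower()


def spf_authorized(hit):
    """True when the client IP lies in a network the envelope sender's
    domain publishes, i.e. the message really came from that domain's
    own infrastructure rather than from a third party spoofing it."""
    ip = ipaddress.ip_address(hit["ip"])
    return any(ip in net for net in SPF_NETS.get(sender_domain(hit), []))


def summarize(log_text):
    """Per signature: hit count, hits from SPF-authorized IPs, and the
    sender domains and client IPs involved."""
    report = defaultdict(lambda: {"hits": 0, "spf_ok": 0,
                                  "senders": Counter(), "ips": set()})
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        r = report[hit["sig"]]
        r["hits"] += 1
        r["spf_ok"] += int(spf_authorized(hit))
        r["senders"][sender_domain(hit)] += 1
        r["ips"].add(hit["ip"])
    return dict(report)


def spf_ok_ratio(report, sig):
    """Share of a signature's hits that came from the sender's own SPF
    ranges; a value near 1 is the 'mostly legitimate mail' pattern."""
    r = report[sig]
    return r["spf_ok"] / r["hits"] if r["hits"] else 0.0


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for sig, r in sorted(rep.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{sig}: {r['hits']} hits, {r['spf_ok']} from SPF-authorized IPs "
              f"({spf_ok_ratio(rep, sig):.0%}); senders={dict(r['senders'])}")
```

Run it against a multilog directory with `cat /var/log/qmail/smtp/@* | python3 triage.py` style piping after replacing SAMPLE_LOG with stdin. A signature whose hits are almost all SPF-authorized is a candidate for a narrow allowlist; one with hits from unrelated networks claiming the same domain (the third constructed line) is doing its job and should stay on.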
Eric Shubert
2012-12-12 23:53:28 UTC
I had a similar problem with Chase and Sanesecurity. Instead of
defeating the checks though, I set up entries in the tcp.smtp file for
Chase's servers, which don't do scanning at all, like this:
151.151.65.96-126:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
There are 14 tcp.smtp records in all. I hope they don't change their
outbound servers around very often. ;)
--
-Eric 'shubes'

Brent Gardner
2012-12-13 21:33:49 UTC
Yeah, I considered doing that but I couldn't find a list of AMEX's
outbound servers. Too bad you can't put FQDNs in tcp.smtp. Plus, it
appears that the now-disabled check was producing false positives 95% of
the time.


Brent Gardner





Eric Shubert
2012-12-14 17:23:27 UTC
FWIW, I garnered Chase's IPs from their SPF record. ;)
--
-Eric 'shubes'

Brent Gardner
2012-12-14 18:19:41 UTC
Clever ;)



Eric Shubert
2012-12-15 02:33:43 UTC
Yeah, I thought so.

So today my wife informs me that our latest AMEX statement was rejected.
(Sounds familiar, I think to myself).

I just checked the AMEX SPF record, and here's what I came up with for
addition to my tcp.smtp file:
# these are American Express email senders
12.10.219.:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
203.19.215.67:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
192.102.253.34-36:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
193.32.34.9:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
193.32.34.30:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
193.32.34.73-74:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
# end of aexp.com senders

These entries effectively bypass scanning (both SA and clamav), but
don't allow relaying to external domains.

You might be able to get all of them with a single rule such as:
=>.aexp.com:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
It's not terribly difficult to forge an rDNS name though, so I'm a
little leery about using the hostname format in the tcp.smtp file. In
fact, the tcprules man page suggests using the -p option for tcpserver
when using TCPHOSTNAME rules, but I don't think that's practical.

If anyone is interested in the senders for jpmchase.com, I can post what
I have for them too.

Thanks Brent.
--
-Eric 'shubes'

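Eric's last step, pulling a sender's IP blocks out of its SPF record and turning them into tcp.smtp lines, can be scripted so the entries are regenerated when the record changes. The following is an added example, not qmailtoaster or ucspi-tcp code. It assumes a constructed SPF_TXT table in place of DNS (the address blocks in it are invented and are not aexp.com's or jpmchase.com's real data), and the two tcprules address forms that appear in his entries, a trailing-dot prefix and a last-octet range. It emits IP rules only, never the `=>.aexp.com` hostname form, since that form trusts rDNS, which is forgeable unless tcpserver runs with -p.

```python
"""Generate qmailtoaster tcp.smtp no-scan entries from an SPF record.

Added example for this thread, not qmailtoaster or ucspi-tcp code.  DNS is
replaced by the constructed SPF_TXT table so the script runs offline; the
address blocks in it are invented, not the real aexp.com or jpmchase.com
data.  Swap lookup_txt() for a real TXT query in production.
"""
import ipaddress

# Constructed records: bank.example includes a bulk mailer whose record
# redirects onward; loop.example includes itself to exercise the limit.
SPF_TXT = {
    "bank.example": "v=spf1 ip4:12.10.219.0/24 ip4:203.19.215.67 "
                    "include:_spf.bulkmail.example mx -ip4:10.99.0.0/16 -all",
    "_spf.bulkmail.example": "v=spf1 ip4:192.102.253.32/29 ip4:193.32.34.9 "
                             "redirect=_spf2.bulkmail.example",
    "_spf2.bulkmail.example": "v=spf1 ip4:10.20.0.0/22 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

# Eric's environment for each no-scan line: QMAILQUEUE points at plain
# qmail-queue instead of simscan, so SpamAssassin and ClamAV are skipped;
# RELAYCLIENT is deliberately absent, so these hosts still cannot relay.
NOSCAN_ENV = ('allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",'
              'CHKUSER_WRONGRCPTLIMIT="10",'
              'QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"')

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 cap on include/redirect/a/mx


def lookup_txt(name):
    """Stand-in for a DNS TXT query; reads the constructed table."""
    return SPF_TXT.get(name.lower())


def spf_ip4_networks(domain, _lookups=None):
    """Return (PASS ip4: networks, terms left unexpanded) for a domain,
    following include: and redirect=.  '-', '~' and '?' qualified terms
    are not PASS and are skipped; a, mx, ptr, exists:, ip6: and +all need
    more DNS work or are too broad, so they are reported for manual review."""
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    nets, unexpanded = [], []
    for term in record.split()[1:]:
        if term[0] in "-~?":
            continue
        t = term.lstrip("+")
        target = None
        if t.startswith("ip4:"):
            nets.append(ipaddress.ip_network(t[4:], strict=False))
        elif t.startswith("include:"):
            target = t[len("include:"):]
        elif t.startswith("redirect="):
            target = t[len("redirect="):]
        elif not t.startswith("exp="):
            unexpanded.append(f"{domain}: {term}")
        if target:
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                raise ValueError("SPF lookup limit exceeded (loop or oversized record)")
            sub_nets, sub_unexpanded = spf_ip4_networks(target, lookups)
            nets += sub_nets
            unexpanded += sub_unexpanded
    return nets, unexpanded


def tcprules_address(net):
    """Render an IPv4 network in tcprules syntax: a trailing-dot prefix
    ('12.10.219.') or a last-octet range ('192.102.253.34-36'), the two
    forms in Eric's entries.  Blocks that do not end on an octet boundary
    are split into several prefix rules."""
    if isinstance(net, str):
        net = ipaddress.ip_network(net, strict=False)
    octets = str(net.network_address).split(".")
    p = net.prefixlen
    if p == 32:
        return [str(net.network_address)]
    if p > 24:
        first = int(octets[3])
        return [f"{'.'.join(octets[:3])}.{first}-{first + net.num_addresses - 1}"]
    if p == 0:
        raise ValueError("refusing to whitelist 0.0.0.0/0")
    boundary = ((p + 7) // 8) * 8  # next octet boundary at or above p
    return [".".join(str(s.network_address).split(".")[:boundary // 8]) + "."
            for s in net.subnets(new_prefix=boundary)]


def tcp_smtp_rules(domain):
    """tcp.smtp lines for every PASS ip4: block the domain publishes."""
    nets, unexpanded = spf_ip4_networks(domain)
    lines = [f"# {domain} senders from SPF; regenerate when the record changes"]
    for net in ipaddress.collapse_addresses(nets):
        lines += [f"{addr}:{NOSCAN_ENV}" for addr in tcprules_address(net)]
    lines += [f"# NOT expanded, check by hand: {u}" for u in unexpanded]
    return lines


if __name__ == "__main__":
    print("\n".join(tcp_smtp_rules("bank.example")))
```

Two things to keep in mind before appending the output to tcp.smtp and rebuilding the cdb: an `include:` of a shared bulk-mail provider hands the scanning bypass to every customer of that provider, not just the bank, so review the generated blocks rather than trusting them blindly; and the rules drop both SpamAssassin and ClamAV for those hosts, so a compromised mailer in that range gets a free pass until the entries are removed.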