
List:       clamav-users
Subject:    Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positives
From:       Al Varnell <alvarnell () mac ! com>
Date:       2017-06-12 8:38:44
Message-ID: AE8DDBD6-641F-4128-A62D-16D1A77FDFE8 () mac ! com

On Jun 9, 2017, at 1:40 PM, Alex wrote:
> Hi,
> 
> I've noticed a large amount of phishing signature false-positives, and
> just want to make sure I understand correctly how they work.
> 
> I have HeuristicScanPrecedence disabled and all the phishing settings
> left as default.
> 
> I'm assuming this rule is known to produce a large amount of false-positives?
> 
> It catches legitimate mail from priceline, delta, citibank, homedepot,
> and wellsfargo. At the least, I would expect some kind of note in the
> config file indicating this?
> 
> I've successfully whitelisted quite a few of them, but is this the
> best approach? Maybe I'm missing more of the main purpose of this rule
> because it does seem so prone to false-positives.
> 
> Could I also ask someone to review my whitelist entries? Perhaps they
> can be optimized or done more succinctly? The manual refers to a
> version number (17-). Is this necessary?
> 
> X:http\://e\.delta\.com:www\.americanexpress\.com
> X:http\://l\.info4\.citi\.com:citibank\.com
> X:http\://l\.info4\.citi\.com:citi\.com
> X:http\://l\.info4\.citi\.com:http\://i\..+\.citi\.com
> X:http\://l\.info4\.citi\.com:http\://namwpm\.eccmp\.com
> X:http\://l\.info4\.citi\.com:http\://snamwpm\.eccmp\.com
> X:http\://l\.info4\.citi\.com:http\://www\.movable-ink-.+\.com
> X:http\://l\.info4\.citi\.com:thankyou\.com
> X:http\://l\.info6\.accountonline\.com:bestbuy\.accountonline\.com
> X:http\://l\.info6\.accountonline\.com:citibank\.com
> X:http\://l\.info6\.accountonline\.com:homedepot\.com
> X:http\://l\.info6\.accountonline\.com:http\://namwpm\.eccmp\.com
> X:http\://links\.e\.mycustomemail\.com:wellsfargo\.com
> X:http\://links\.mkt3772\.com:https\://cdn2\.bondbrandloyalty\.com
> X:http\://links\.mkt3772\.com:https\://equitybar\.scene\.ca
> X:http\://links\.mkt3772\.com:scene\.ca
> X:http\://links\.mkt3772\.com:scotiabank\.com
> X:\.links\.mkt3772\.com:\.scotiabank\.com
> X:http\://mercedes-benz\.r\.delivery\.net:amextravel\.com
> X:http\://mercedes-benz\.r\.delivery\.net:http\://sarankco-preview\.com
> X:http\://mercedes-benz\.r\.delivery\.net:membershiprewards\.com
> X:http\://mercedes-benz\.r\.delivery\.net:www\.americanexpress\.com
> X:http\://mercedes-benz\.r\.delivery\.net:www\.membershiprewards\.com
> X:https\://epl\.paypal-communication\.com:https\://pp\.images\.harmony\.epsilon\.com
> X:https\://epl\.paypal-communication\.com:www\.paypal\.com
> X:https\://t\.co:amazon\.de
> X:https\://twitter\.com:https\://ea\.twimg\.com
> X:https\://twitter\.com:https\://pbs\.twimg\.com
> X:https\://usa\.visa\.com:http\://images\.globalclient\.visa\.com
> X:.+arizonafederal\.org:arizonafederal\.org
> X:.+\.facebook\.com:https\://www\.arizonafederal\.org
> X:http\://www\.wiredbusinessconference\.com:http\://images\.globalclient\.visa\.com
> X:\.l\.info4\.citi\.com:\.citibank\.com
> X:\.l\.info6\.accountonline\.com:\.citibank\.com
> X:\.links\.e\.mycustomemail\.com:\.wellsfargo\.com
> X:\.mercedes-benz\.r\.delivery\.net:\.www\.americanexpress\.com
> X:\.t\.co:\.amazon\.de

I was hoping that somebody more knowledgeable than I would respond here.

I can confirm that allowing Heuristic Phishing detections is quite likely to result
in quite a few False Positives these days, but I'm not sure what else you want to
know about it. I've been told that if you disable PhishingScanURLs and use the
safebrowsing database, it will also disable that.

The primary reason is that these institutions are using formats that are exactly the
same ones used by phishers, and shouldn't be doing so. I guess they think it's less
confusing to show users that they can click a link that will take them to a Wells
Fargo site when it actually takes you to one of their contractor sites. It would be
much smarter to have it first go to Wells Fargo and then be told that they are being
redirected to a trusted partner site.

I certainly don't have time or perfect knowledge with regard to your Regex whitelist
entries, but it does seem to me that it would be more appropriate to use "M:" records
for these since you are using a separate record for each pairing.

-Al-
-- 
Al Varnell
Mountain View, CA
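The difference between "X:" and "M:" records that the reply above points at can be made concrete with a small matcher. The script below is an added illustration written for this archive page; it is not ClamAV code and not part of either message. It approximates the documented semantics of a .wdb allow list: an "X:" record carries two regular expressions compared against the whole real URL and the whole displayed URL, an "M:" record carries two hostnames compared exactly. Two things are assumptions of this example rather than statements about the engine: the regex is anchored (full match), and the optional trailing functionality-level field (the "17-" the manual mentions) is parsed but not interpreted. The sample records are constructed and are not from any shipped database.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records in .wdb style (not from ClamAV's database).
# ':' separates fields; a literal colon inside a field is escaped as '\:'.
SAMPLE_WDB = r"""
# X: record: regexes matched against the full real URL and full displayed URL
X:http\://e\.delta\.com:www\.americanexpress\.com
# M: record: real and displayed hostnames compared exactly, paths ignored.
# The trailing field is the optional functionality-level spec; it is carried
# through by this example but not evaluated (assumption of this example).
M:e.delta.com:www.americanexpress.com:17-
"""

# Split on ':' only when it is not escaped by a backslash.
_FIELD_SPLIT = re.compile(r"(?<!\\):")


def parse_wdb(text):
    """Return a list of (kind, real, displayed, func_level) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = _FIELD_SPLIT.split(line)
        if len(fields) < 3 or fields[0] not in ("X", "M"):
            raise ValueError(f"malformed record: {line!r}")
        func_level = fields[3] if len(fields) > 3 else None
        records.append((fields[0], fields[1], fields[2], func_level))
    return records


def hostname(url):
    """Lower-cased host of a URL; a bare hostname is accepted as-is."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def record_matches(record, real_url, displayed_url):
    kind, real, displayed, _func_level = record
    if kind == "X":
        # Assumption of this example: the regex must cover the whole URL,
        # so a literal pattern without a path part will not match a URL that has one.
        return (re.fullmatch(real, real_url) is not None
                and re.fullmatch(displayed, displayed_url) is not None)
    # M: exact hostname comparison; scheme, path and query are ignored.
    return (hostname(real_url) == real.lower()
            and hostname(displayed_url) == displayed.lower())


def is_allowed(records, real_url, displayed_url):
    """Kind ('X' or 'M') of the first record allowing the pair, or None."""
    for rec in records:
        if record_matches(rec, real_url, displayed_url):
            return rec[0]
    return None


_HOST_SHAPE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def literal_host(pattern):
    """Hostname of an X: field that is only a backslash-escaped literal URL or
    hostname (no regex operators); None when the field really is a pattern."""
    without_escapes = re.sub(r"\\.", "", pattern)
    if re.search(r"[.+*?\[\]()|^$]", without_escapes):
        return None
    host = hostname(re.sub(r"\\(.)", r"\1", pattern))
    return host if _HOST_SHAPE.fullmatch(host) else None


def x_to_m(record):
    """Rewrite a purely literal X: record as the equivalent M: record, else None."""
    kind, real, displayed, func_level = record
    if kind != "X":
        return None
    real_host, displayed_host = literal_host(real), literal_host(displayed)
    if real_host is None or displayed_host is None:
        return None
    converted = f"M:{real_host}:{displayed_host}"
    return converted + (f":{func_level}" if func_level else "")


if __name__ == "__main__":
    recs = parse_wdb(SAMPLE_WDB)
    only_x = [r for r in recs if r[0] == "X"]
    # A tracking link with a path: the literal X: record no longer covers it,
    # the M: record still does because only hostnames are compared.
    pair = ("http://e.delta.com/track?id=1", "www.americanexpress.com")
    print("X only:", is_allowed(only_x, *pair))   # None
    print("X and M:", is_allowed(recs, *pair))    # M
    for rec in recs:
        print(rec, "->", x_to_m(rec))
```

Running the script shows why a per-pair "X:" record written as an escaped literal is brittle: it allows only the exact URL string it spells out, while the corresponding "M:" record allows any path on that real host shown as that displayed host. `x_to_m` flags which entries are plain literals and therefore candidates for the "M:" form; entries that use regex operators (".+", character classes) or leading-dot suffix forms are left alone because they express something a hostname comparison cannot.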

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml