Phishing.Heuristics.Email.SpoofedDomain false positives

Julian Field MailScanner at ecs.soton.ac.uk
Mon Aug 6 15:07:08 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Gareth wrote:
> I have just upgraded MailScanner and enabled full message scanning but I
> am getting a few false positives on
> Phishing.Heuristics.Email.SpoofedDomain against some genuine Amazon
> emails and a couple of others.
>
> Strangely when I use clamscan and scan the message file the message is
> reported as being clean.
>
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
>
> How does MailScanner save the raw mail file for clamavmodule to scan?
> Could there be a slight difference which is causing the heuristics to
> misbehave?
>
Not as far as I am aware, no. Though the full message is reconstructed 
from the message entity structure, so it's always possible that 
something might be in a different order.

Have you got a sample message you can give me that demonstrates this 
problem in action?
If so, please put it on a www server somewhere, don't mail it to me.

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFGtysNEfZZRxQVtlQRAkRJAJ40d+zlCMsGtHNmBnnuSfkRiJWuugCg/kAj
oHoGZCIdZ2w8GlL/1Kk+FUo=
=v+1p
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk
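The thread turns on what a "spoofed domain" phishing heuristic actually looks for: a link whose visible text names one domain while its href points at another, which is exactly what a legitimate mailing with click-tracking redirect links looks like. The following is an added example and is not code from MailScanner, ClamAV or anyone on this list; it sketches the general shape of such a check over a constructed HTML fragment so a reader can see why a genuine Amazon-style message can trip it. The regex, the `registered_domain` helper and the sample bodies are all assumptions made for the example, not ClamAV's real logic.

```python
"""Illustrative displayed-domain vs. link-target check for HTML email.

Added example, NOT ClamAV's or MailScanner's code. It sketches the idea behind
a "spoofed domain" phishing heuristic: a link whose visible text looks like a
URL or domain, but whose href resolves to a different domain. The sample
messages below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that "looks like" a URL or bare domain (assumed pattern).
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I
)


def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation (amazon.com, example.net).
    Real scanners consult a public-suffix list; this is a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def spoofed_domain_links(html: str):
    """Return (visible_text, href) pairs whose visible text names a domain
    different from the domain the href actually points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        if not href or not _LOOKS_LIKE_URL.match(text):
            continue  # plain words like "Your Orders" are not a displayed URL
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if shown_host and real_host and \
                registered_domain(shown_host) != registered_domain(real_host):
            hits.append((text, href))
    return hits


# Constructed sample: a legitimate-looking marketing mail whose visible link
# text shows the brand domain but whose href goes through a tracking host.
SAMPLE_TRACKING_REDIRECT = """
<p>Visit <a href="http://click.mailtrack.example/r?id=42">www.amazon.com</a>
to see your order. <a href="https://www.amazon.com/orders">Your Orders</a></p>
"""

# Constructed sample: visible text and target agree, so nothing is flagged.
SAMPLE_CONSISTENT = """
<p><a href="https://www.amazon.com/gp/help">https://www.amazon.com/gp/help</a></p>
"""

if __name__ == "__main__":
    for text, href in spoofed_domain_links(SAMPLE_TRACKING_REDIRECT):
        print(f"displayed {text!r} but links to {href!r}")
```

Run stand-alone it reports the tracking-redirect anchor and nothing for the consistent sample. The point for this thread is that such a check is a heuristic on link presentation, not a signature for known-bad content, so a well-formed mailing that routes brand-named links through a redirector will match it while `clamscan` on a slightly differently serialised copy of the same message may not; comparing the exact bytes MailScanner hands to the scanner with the file scanned by hand is the right first diagnostic, which is what the reply above asks for.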


