Phishing.Heuristics.Email.SpoofedDomain false positives
MailScanner at ecs.soton.ac.uk
Mon Aug 6 15:07:08 IST 2007
> I have just upgraded MailScanner and enabled full message scanning but I
> am getting a few false positives on
> Phishing.Heuristics.Email.SpoofedDomain against some genuine Amazon
> emails and a couple of others.
> Strangely when I use clamscan and scan the message file the message is
> reported as being clean.
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
> How does MailScanner save the raw mail file for clamavmodule to scan?
> Could there be a slight difference which is causing the heuristics to
Not as far as I am aware, no. Though the full message is reconstructed
from the message entity structure, so it's always possible that
something might be in a different order.
Have you got a sample message you can give me that demonstrates this
problem in action?
If so, please put it on a www server somewhere, don't mail it to me.
Julian Field MEng CITP
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654