Phishing.Heuristics.Email.SpoofedDomain false positives

Gareth list-mailscanner at linguaphone.com
Mon Aug 6 15:11:39 IST 2007


Fixed it and mailed the patch to the list earlier.

Personally I think it is a bug with clamavmodule as it has enforced a
default action which is not so safe and different to clamscan/clamd but
it has been there for a while now so I suppose it is not something which
can be changed without introducing more problems.

On Mon, 2007-08-06 at 15:07, Julian Field wrote:
> 
> Gareth wrote:
> > I have just upgraded MailScanner and enabled full message scanning but I
> > am getting a few false positives on
> > Phishing.Heuristics.Email.SpoofedDomain against some genuine Amazon
> > emails and a couple of others.
> >
> > Strangely when I use clamscan and scan the message file the message is
> > reported as being clean.
> >
> > Quarantine Modified Body = no
> > Quarantine Whole Message = yes
> > Quarantine Whole Messages As Queue Files = no
> >
> > How does Mailscanner save the raw mail file for clamavmodule to scan?
> > Could there be a slight difference which is causing the heuristics to
> > misbehave?
> >   
> Not as far as I am aware, no. Though the full message is reconstructed 
> from the message entity structure, so it's always possible that 
> something might be in a different order.
> 
> Have you got a sample message you can give me that demonstrates this 
> problem in action?
> If so, please put it on a www server somewhere, don't mail it to me.
> 
> Jules
> 
> -- 
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
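Added illustration of the point Julian makes about the full message being reconstructed from its entity structure; this is constructed example code, not code from the thread or from MailScanner itself, and it uses Python's email package as a stand-in for the MIME-entity rebuild. It re-serialises a constructed sample message and reports how the rebuilt copy differs from the bytes a file-based scanner such as clamscan would read:

```python
# Added diagnostic, not MailScanner code: re-serialise a raw message from its
# parsed MIME structure (Python's email package here, standing in for the
# MIME-entity rebuild the scanner front-end performs) and show how the rebuilt
# copy differs from the bytes a file-based scanner would read from disk.
import difflib
import email
from email import policy
from email.generator import BytesGenerator
from io import BytesIO

# Constructed sample: CRLF line endings, as an MTA would hand the message over.
RAW_MESSAGE = (
    b"Received: from mx.example.invalid; Mon, 6 Aug 2007 15:00:00 +0100\r\n"
    b"From: orders@example.invalid\r\n"
    b"To: customer@example.invalid\r\n"
    b"Subject: Your order\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=\"us-ascii\"\r\n"
    b"\r\n"
    b"<a href=\"http://example.invalid/track\">http://example.invalid/track</a>\r\n"
)


def rebuild(raw: bytes) -> bytes:
    """Parse into a message object and flatten it back to bytes.

    compat32 keeps header order and header values as found, so any change
    that shows up comes from serialisation (here: line endings), not from
    header rewriting."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    out = BytesIO()
    BytesGenerator(out, policy=policy.compat32).flatten(msg)
    return out.getvalue()


def is_byte_identical(raw: bytes) -> bool:
    """True only if the scanner would see exactly the on-disk bytes."""
    return rebuild(raw) == raw


def differences(raw: bytes) -> list:
    """Unified diff between original and rebuilt, with line endings visible."""
    before = [repr(line) + "\n" for line in raw.splitlines(keepends=True)]
    after = [repr(line) + "\n" for line in rebuild(raw).splitlines(keepends=True)]
    return list(difflib.unified_diff(before, after, "original", "rebuilt"))


if __name__ == "__main__":
    print("byte-identical:", is_byte_identical(RAW_MESSAGE))
    print("".join(differences(RAW_MESSAGE)))
```

Feeding the original file and the rebuilt bytes to the same scanner separately is the quickest way to confirm whether the reconstruction, rather than the engine, is behind a verdict that clamscan does not reproduce.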
