INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Wed Oct 31 11:28:50 GMT 2007


Gareth

I have upgraded to MS BETA 4.65.1-1 one of the 2 hosts that were
generating the "INFECTED:: Phishing.Heuristics.Email.SpoofedDomain::
...." records.

In place of the 

Oct 31 10:12:37 cheviot2 MailScanner[31346]: INFECTED::
Phishing.Heuristics.Email.SpoofedDomain:: ./l9VACFW4011070/

records I now get (although fewer of them so far) 
  
Oct 31 11:01:16 cheviot2 MailScanner[18379]: ClamAV Module::INFECTED::
Phishing.Heuristics.Email.SpoofedDomain:: ./l9VB0vFK005532/

records. I assume this means that I am getting far fewer false positives
now?

Quentin

>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>bounces at lists.mailscanner.info] On Behalf Of Gareth
>Sent: 31 October 2007 10:27
>To: MailScanner discussion
>Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>
>The fault is equivalent to scanning mail with the
>--no-phishing-restrictedscan clamscan option. The update to mailscanner
>disabled this option as the author of the clamavmodule made an error and
>had this option enabled as the default option.
>
>I am not 100% sure whether the mailscanner fix came out in 4.62 or 4.63
>but I believe it was the latter.
>
>On Wed, 2007-10-31 at 10:11, Quentin Campbell wrote:
>> Gareth
>>
>> If that is the problem it does not account for why I only see it on 2
>> out of 8 otherwise identical MX hosts, all running with the same version
>> of MS, ClamAV-Module, ndb files in /usr/local/share/clamav, etc.
>>
>> I will install the latest BETA version of MS on one of the 2 machines
>> and see what happens.
>>
>> Thanks
>>
>> Quentin
>>
>> >-----Original Message-----
>> >From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>> >bounces at lists.mailscanner.info] On Behalf Of Gareth
>> >Sent: 31 October 2007 09:23
>> >To: MailScanner discussion
>> >Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>> >
>> >It's caused by a new feature in clamav with an incorrect default setting.
>> >You need to either update MailScanner to include the new scanning option
>> >or switch to clamd.
>> >
>> >On Wed, 2007-10-31 at 08:22, Quentin Campbell wrote:
>> >> I am running eight mail gateways with MailScanner-4.62.9-2 using 'clamavmodule' (Mail-ClamAV-0.20 & ClamAV 0.91.2).
>> >>
>> >> However only seeing "INFECTED:: Phishing.Heuristics.Email.SpoofedDomain::" on two of them and many of these look like false positives.
>> >>
>> >> Cannot see why only two systems doing this as all eight gateways are equal preference MX hosts for our domains and share the same type of mail traffic.
>> >>
>> >> Any pointers to where else I might look would be appreciated.
>> >>
>> >> Thanks
>> >>
>> >> Quentin
>> >> ---
>> >> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>> >>                            Newcastle University,
>> >>                            Newcastle upon Tyne,
>> >> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>> >>
>> >
>> >--
>> >MailScanner mailing list
>> >mailscanner at lists.mailscanner.info
>> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >
>> >Before posting, read http://wiki.mailscanner.info/posting
>> >
>> >Support MailScanner development - buy the book off the website!
>
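
Added example, not part of the original thread and not MailScanner's own code: a small parser for the two record shapes quoted above that tallies `Phishing.Heuristics.*` verdicts per host and per record style, so a set of MX gateways can be compared before and after an upgrade. The host `mx-example1`, its log lines, and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Both record shapes quoted in the thread, as single syslog lines:
#   MailScanner[pid]: INFECTED:: <signature>:: ./<queue-id>/
#   MailScanner[pid]: ClamAV Module::INFECTED:: <signature>:: ./<queue-id>/
RECORD = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\sMailScanner\[\d+\]:\s"
    r"(?P<prefix>ClamAV Module::)?INFECTED::\s*"
    r"(?P<sig>[\w.\-]+)::\s*\./(?P<qid>[^/\s]+)/"
)

# The first two lines are the records quoted in the thread, rejoined onto one
# line each; the mx-example1 lines are constructed for illustration.
SAMPLE = [
    "Oct 31 10:12:37 cheviot2 MailScanner[31346]: INFECTED:: "
    "Phishing.Heuristics.Email.SpoofedDomain:: ./l9VACFW4011070/",
    "Oct 31 11:01:16 cheviot2 MailScanner[18379]: ClamAV Module::INFECTED:: "
    "Phishing.Heuristics.Email.SpoofedDomain:: ./l9VB0vFK005532/",
    "Oct 31 11:02:00 mx-example1 MailScanner[2000]: INFECTED:: "
    "Constructed.Test.Signature:: ./qidEXAMPLE0001/",
    "Oct 31 11:03:00 mx-example1 MailScanner[2000]: constructed non-verdict line",
]

def parse(line):
    """Return host, signature, queue id and record style, or None."""
    m = RECORD.match(line)
    if m is None:
        return None
    style = "prefixed" if m.group("prefix") else "bare"
    return {"host": m.group("host"), "sig": m.group("sig"),
            "qid": m.group("qid"), "style": style}

def tally_heuristics(lines, family="Phishing.Heuristics."):
    """Count heuristic verdicts per (host, record style)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["sig"].startswith(family):
            counts[(rec["host"], rec["style"])] += 1
    return counts

def split_hosts(counts, all_hosts):
    """Separate hosts that logged heuristic verdicts from those that did not."""
    noisy = sorted({host for host, _ in counts})
    quiet = sorted(set(all_hosts) - set(noisy))
    return noisy, quiet

if __name__ == "__main__":
    counts = tally_heuristics(SAMPLE)
    for (host, style), n in sorted(counts.items()):
        print(f"{host:12} {style:9} {n}")
    print(split_hosts(counts, ["cheviot2", "mx-example1"]))
```

Running the tally over the same time window on each gateway shows which hosts still emit the bare record and which have moved to the `ClamAV Module::` form.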

