clamav-users August 2007 archive

Re: [Clamav-users] Possible problem with Phishing.Heuristics.Email.SpoofedDomain daily sigs 4054

From: Noel Jones <njones_at_nospam>
Date: Mon Aug 27 2007 - 20:26:17 GMT
To: ClamAV users ML <>

At 02:49 PM 8/27/2007, John W. Baxter wrote:
>We're seeing
> 1. Mail from Yahoo groups (or some mail from Yahoo groups) being marked
>as Phishing (for URL reasons)
> 2. Same for a Seattle Times mailing list.
> 3. Same for a Democracy in Action mailing.
> 4. Customer (unwise, usually) forwarding of messages with URLs being
>marked as Phishing although they came in unscathed.

Please submit samples to the clamav team so the FPs can be resolved.

>We're about to install emergency code which will initially ignore all
>Phishing "hits", but is written so we can be more selective. (It can ignore
>any particular hit--tested with EICAR.)

That sounds as if it may be generally useful.

>Should the following settings have the effect of disabling any detection
>regarding Phishing? (Actually, I don't think the signature-based phishing
>detection is causing our problems.)
># Scan urls found in mails for phishing attempts.
># (available in experimental builds only)
># Default: yes
>#PhishingScanURLs yes
>PhishingScanURLs no

Setting "PhishingScanURLs no" definitely works on my FreeBSD system. Note if you are using clamscan you need to use the "--no-phishing-scan-urls" command line option.

Does the command
# clamconf | grep Phish
show the expected settings?

Does the command
# clamconf | grep conf
show the expected path names?

When you test some file manually with clamscan and/or clamdscan does it work as expected?

Unfortunately, clamd doesn't seem to log (all) options on startup, so the log isn't terribly useful this time.

--
Noel Jones
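
Added example (not part of the original message and not ClamAV project code): a sketch of the kind of selective hit filter described in the quoted text, applied to the "<name>: <signature> FOUND" result lines that clamscan and clamdscan print. The glob patterns, function names and sample paths are assumptions constructed for illustration.

```python
import fnmatch
import re

# Signature-name globs whose hits are suppressed (assumed policy; start broad,
# then narrow to e.g. "Phishing.Heuristics.Email.SpoofedDomain").
IGNORED_SIGNATURES = ["Phishing.Heuristics.*"]

# One result line per scanned object: "<name>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<target>.*): (?P<sig>\S+) FOUND$")


def classify(scan_output, ignored=IGNORED_SIGNATURES):
    """Split scanner hits into (blocking, suppressed) lists of (target, sig)."""
    blocking, suppressed = [], []
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            # "OK" lines, summary lines and ERROR lines are not hits;
            # scan errors should be handled separately by the caller.
            continue
        hit = (m["target"], m["sig"])
        if any(fnmatch.fnmatchcase(m["sig"], pat) for pat in ignored):
            suppressed.append(hit)  # keep these: they are the FP samples to submit
        else:
            blocking.append(hit)
    return blocking, suppressed


def should_reject(scan_output, ignored=IGNORED_SIGNATURES):
    """True if at least one hit is not covered by the ignore list."""
    blocking, _ = classify(scan_output, ignored)
    return bool(blocking)


# Constructed sample output, not taken from a real scan.
SAMPLE = """\
/var/spool/q/msg1: Phishing.Heuristics.Email.SpoofedDomain FOUND
/var/spool/q/msg2: Eicar-Test-Signature FOUND
/var/spool/q/msg3: OK
"""

if __name__ == "__main__":
    blocking, suppressed = classify(SAMPLE)
    print("blocking:", blocking)
    print("suppressed (log and submit as FP samples):", suppressed)
```

Logging the suppressed hits rather than discarding them keeps a record of which messages to submit as false-positive samples and makes it easy to tighten the ignore list later.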