clamav-users August 2007 archive

Re: [Clamav-users] Subject: False Positive about Phishing.Heuristics.Email.SSL-Spoof

From: Jean-Marc Pigeon <jmp_at_nospam>
Date: Thu Aug 30 2007 - 14:41:46 GMT
To: Doug Andrews <doug.andrews@selfcateringhols.com>


On Thu, 2007-08-30 at 15:42 +0200, Doug Andrews wrote:
> Hi Jean-Marc,
> I am seeing the same problem - did you manage to resolve this?
> I'd appreciate any advice you can give.
> Thanks,
The only way for us to resolve the problem was to remove CL_DB_PHISHING_URLS from the scanning "standard option". We have our own tool directly calling the clamav lib, so I can't give you specifics beside our own. Never got a reply from the clamav team and didn't find anything in the 91.2 changelog. From my standpoint the issue is still open (and it is a rather annoying one).

> Doug
> Selfcateringhols
>
> Author: Jean-Marc Pigeon
> Date: 2007-07-19 15:14 +0200 (2007-07-19 13:14 UTC)
> To: ClamAV users ML
> Subject: [Clamav-users] False Positive about
> Phishing.Heuristics.Email.SSL-Spoof
>
> Bonjour
>
> Got an official E-mail from network solution
> which was detected as phishing.Heuristics.Email.SSL-Spoof.
>
> I know I can set the configuration flag Off, but my concern
> is more about the Phishing SSL-Spoof detection, either
> clamav code is "wrong" or Network solution is "Wrong"
>
> Unfortunately I can't provide the e-mail contents (mail
> was rejected), here are the local logs..
>
> 22:52:37 MENID: XXXXXXXXXXXXXX-20785dc642507
> +00 Clip: [205.178.190.228]/<mrelay2.networksolutions.com>
> +00 M-From: <nscc0+2182121140@networksolutions.com>
> +00 MRCPT: 250 XXXXXXXXXXXXXXXXXXXXXXX
> Address Accepted
> +00 E-From: nscc4+2182121140@networksolutions.com
> +00 Subject: Reset Password Request
> +00 Message-Id: XXXXXXXXXXXXXXXXXX.javamail.pfulfill@fulfill3b
> +00 VIRUS=<Phishing.Heuristics.Email.SSL-Spoof>
> +01 Spam-lvl: 0.2
> +01 MsgInf: size=5912,n_error=0
> +01 RCPT: Rejected XXXXXXXXXXXXXXXXXXXX
>
>
> Is there somebody else getting the same problem? Will
> the spoofing detection code be "fixed"? (if it can?)
>
> Thanks...
> --
> A bientôt
> ==========================================================================
> Jean-Marc Pigeon Internet: jmp@safe.ca
> SAFE Inc. Phone: (514) 493-4280
> Fax: (514) 493-1946
> Clement, 'a kiss solution' to get rid of SPAM (at last)
> Clement' Home base <"http://www.clement.safe.ca">
> ==========================================================================
--
A bientôt
==========================================================================
Jean-Marc Pigeon Internet: jmp@safe.ca
SAFE Inc. Phone: (514) 493-4280
Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html