Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com
Hi,

desjardins.com is a Québec, Canada co-op bank institution, and for a couple of weeks all their email to our email server has been flagged by my Clam for Heuristics.Phishing.Email.SpoofedDomain.

It might be something in the signature of their email.

But it's starting to be problematic to exclude so many Desjardins.com emails from Clam.

Any idea?

Thanks,
Math
Re: Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com
Hi there,

On Mon, 30 May 2022, Mathieu Morier via clamav-users wrote:

> desjardins.com is a Québec, Canada co-op bank
> institution, and for a couple of weeks all their email to our email
> server has been flagged by my Clam for Heuristics.Phishing.Email.SpoofedDomain ...

They probably did something stupid.

> But it's starting to be problematic to exclude so many
> Desjardins.com emails from Clam.
>
> Any idea?

Well you could ask them to think about what they're sending. But good
luck with that, if it's a bank... :)

How is ClamAV seeing the mail? Is it through a milter? Most will
offer the facility to whitelist a domain, or something like that, see
for example "EXCLUSIONS" in

man clamav-milter.conf

but beware that it's possible (and very common) to spoof domain names,
so listing IP addresses might be safer. I wouldn't recommend relying
on SPF for this domain. I don't think allowing a couple of /48 CIDRs
(not to mention three each of IPv4 /16 and /17, a /15, a /14 and some
dozens of ranges from /19 to /24) is likely to offer much protection
to anyone from forgeries from IP addresses not controlled by them. It
looks like instead of thinking about forgery they tried to include as
many IP ranges as they could possibly think of in their SPF record on
the off-chance that some random Outlook user would want to send mail
on their behalf (or more likely they don't care about forgery, just
about not getting their mail rejected).

If it's difficult to do using whatever feeds the mail to ClamAV, then
you could do some post-processing after the ClamAV verdict is given,
or even ignore the signature completely. See for example

https://docs.clamav.net/faq/faq-ignore.html?highlight=ignore#how-do-i-ignore-a-clamav-signature

but then the signature won't catch spoofing attempts from other sources.

Ideally you'd have fine-grained control in your mail system over what
ClamAV sees, so that you can deal with issues like this easily as they
arise - because they're very common.

--

73,
Ged.
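An added example (not from the thread, and not ClamAV's or the sender's code) of the kind of check the reply above argues for before allow-listing by SPF: parse the ip4:/ip6: mechanisms of a record, total the permitted address space, flag ranges broader than a chosen prefix, and test whether a given sending IP is covered. The SPF record below is constructed for illustration and is not desjardins.com's real record; include:/a/mx mechanisms need DNS and are only reported, not resolved.

```python
import ipaddress

# Constructed sample record with deliberately broad ranges, mirroring the
# reply's complaint; this is NOT the real desjardins.com SPF record.
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/17 ip4:203.0.113.0/24 "
              "ip6:2001:db8::/48 ip6:2001:db8:1::/48 include:spf.example.net -all")


def spf_networks(record):
    """Return (networks, includes) for an SPF record string.

    Only ip4:/ip6: mechanisms are turned into networks; include: targets
    would require DNS lookups, so their names are returned for the caller.
    """
    nets, includes = [], []
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        mech = term.lstrip("+-~?")            # drop qualifier (+ - ~ ?)
        if mech.startswith(("ip4:", "ip6:")):
            cidr = mech.split(":", 1)[1]
            # strict=False tolerates host bits set in the published prefix
            nets.append(ipaddress.ip_network(cidr, strict=False))
        elif mech.startswith("include:"):
            includes.append(mech.split(":", 1)[1])
    return nets, includes


def address_count(nets, version=4):
    """Total number of addresses the listed networks permit for one IP version."""
    return sum(n.num_addresses for n in nets if n.version == version)


def broad_ranges(nets, max_prefix=20):
    """Networks wider than max_prefix (e.g. a /17 is broader than a /20)."""
    return [n for n in nets if n.prefixlen < max_prefix]


def spf_permits(record, ip):
    """True if ip falls inside an ip4:/ip6: mechanism of the record."""
    addr = ipaddress.ip_address(ip)
    nets, _ = spf_networks(record)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets, includes = spf_networks(SAMPLE_SPF)
    print("IPv4 addresses permitted:", address_count(nets, 4))
    print("IPv6 addresses permitted:", address_count(nets, 6))
    print("Broad ranges (wider than /20):", [str(n) for n in broad_ranges(nets)])
    print("Unresolved include: targets:", includes)
    print("198.51.127.9 permitted:", spf_permits(SAMPLE_SPF, "198.51.127.9"))
```

Running it against a real record fetched with `dig TXT example.com` shows at a glance how much address space an allow-list keyed on SPF would trust.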
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat