Re: Heuristics.Phishing.Email.SpoofedDomain detected but not quarantined
Linus Haake
linus at haake-it.net
Thu Mar 7 21:36:05 CET 2013
-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+linus=haake-it.net at amavis.org] On Behalf Of Noel Jones
Sent: Thursday, March 7, 2013 13:16
To: amavis-users at amavis.org
Subject: Re: Heuristics.Phishing.Email.SpoofedDomain detected but not quarantined
On 3/7/2013 2:07 AM, Linus Haake wrote:
> Dear List,
>
> We're running two very identical servers (CentOS 5 / 6) as inbound
> MTA. Both have
>
> - The same clamd.conf and ClamAV release
> - The same signature files
> - Same version of amavisd-new conf
>
> installed.
>
> Since some weeks ago, I've recognized that phishing detection works on
> both servers, but only one puts the detected file into quarantine.
>
> I was searching for hours comparing the config files, reloading fresh
> signature DBs but cannot find the reason for it.
>
> clamd.log shows
>
> Mon Mar 4 20:17:30 2013 ->
> /var/spool/amavis/tmp/amavis-20130304T201610-01721/parts/p003:
> Heuristics.Phishing.Email.SpoofedDomain FOUND
>
> but the message just passes as SPAM.
>
> Does anybody have an idea what the reason for this behavior could be?
>
> Thanks!
>
The usual suspect is a different setting of @virus_name_to_spam_score_maps
-- Noel Jones
Thanks Noel,
Good hint - there wasn't anything mentioned at all on any server. I've added
@virus_name_to_spam_score_maps =
  (new_RE( # the order matters! the first matching entry wins
    # a score turns the detection into spam with that score; undef keeps it as infected
    [ qr'^Phishing\.' => 4.1 ],
    [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i
        => 4.1 ],
    [ qr'^Sanesecurity\.(Malware|Trojan)\.' => undef ],
    [ qr'^Sanesecurity\.(Test|Rogue|Casino)' => undef ],
    [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x => 6.1 ],
    [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x => 6.1 ],
    [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x => 6.1 ],
    [ qr'^(MSRBL-Images/)' => 2.1 ],
    [ qr'^(MSRBL-SPAM\.)' => 5.1 ],
    [ qr'^MBL_' => undef ], # keep as infected
  ));
as an example config on both relays. The related PayPal fake message is now being reported as a virus by the server.
Nonetheless, from the pasted config I don't understand why it is recognized as a virus, since Phishing is not mentioned as "undef" and the report says

    p006: Heuristics.Phishing.Email.SpoofedDomain FOUND
    p003: Heuristics.Phishing.Email.SpoofedDomain FOUND
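As an added illustration (not code from the thread or from amavisd-new itself), here is the lookup that @virus_name_to_spam_score_maps performs, rewritten in Python: entries are tried in order, the first match wins, undef keeps the detection as infected, and a virus name that matches no entry at all also stays infected. The report lines and the Sanesecurity name are constructed sample input.

```python
import re

# The @virus_name_to_spam_score_maps rules from the message above, translated
# from Perl qr'' literals to Python regexes. Order matters: first match wins.
# A number means "downgrade to spam with this score"; None (Perl undef) means
# "keep as infected".
VIRUS_NAME_TO_SPAM_SCORE = [
    (re.compile(r'^Phishing\.'), 4.1),
    (re.compile(r'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.',
                re.I), 4.1),
    (re.compile(r'^Sanesecurity\.(Malware|Trojan)\.'), None),
    (re.compile(r'^Sanesecurity\.(Test|Rogue|Casino)'), None),
    (re.compile(r'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'), 6.1),
    (re.compile(r'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'), 6.1),
    (re.compile(r'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'), 6.1),
    (re.compile(r'^(MSRBL-Images/)'), 2.1),
    (re.compile(r'^(MSRBL-SPAM\.)'), 5.1),
    (re.compile(r'^MBL_'), None),
]

def classify(virus_name):
    """Return ('spam', score) when a rule downgrades the name, else ('infected', None).
    A name matching no rule at all stays infected, just like an explicit undef."""
    for pattern, score in VIRUS_NAME_TO_SPAM_SCORE:
        if pattern.search(virus_name):
            return ('infected', None) if score is None else ('spam', score)
    return ('infected', None)

def classify_clamd_report(report):
    """Parse 'part: Name FOUND' lines (the form quoted in the thread) into
    {part: (name, verdict, score)}."""
    results = {}
    for line in report.splitlines():
        m = re.match(r'^\s*(\S+):\s+(\S+)\s+FOUND\s*$', line)
        if m:
            results[m.group(1)] = (m.group(2),) + classify(m.group(2))
    return results

# Constructed sample: the two lines quoted in the thread plus one Sanesecurity hit.
SAMPLE_REPORT = """\
p006: Heuristics.Phishing.Email.SpoofedDomain FOUND
p003: Heuristics.Phishing.Email.SpoofedDomain FOUND
p004: Sanesecurity.Junk.12345.UNOFFICIAL FOUND
"""

if __name__ == '__main__':
    for part, (name, verdict, score) in sorted(classify_clamd_report(SAMPLE_REPORT).items()):
        tail = '' if score is None else f' (spam score {score})'
        print(f'{part}: {name} -> {verdict}{tail}')
```

Running it shows the Heuristics.Phishing.* name falling through every entry, which is why the relay reports it as a virus rather than scoring it as spam.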