Re: Heuristics.Phishing.Email.SpoofedDomain detected but not quarantined

Noel Jones njones at megan.vbhcs.org
Thu Mar 7 21:58:40 CET 2013


On 3/7/2013 2:36 PM, Linus Haake wrote:
> -----Original Message-----
> From: amavis-users [mailto:amavis-users-bounces+linus=haake-it.net at amavis.org] On behalf of Noel Jones
> Sent: Thursday, 7 March 2013 13:16
> To: amavis-users at amavis.org
> Subject: Re: Heuristics.Phishing.Email.SpoofedDomain detected but not quarantined
> 
> On 3/7/2013 2:07 AM, Linus Haake wrote:
>> Dear List,
>>
>> We're running two very identical servers (Centos 5 / 6) as inbound
>> MTA. Both have
>>
>> - The same clamd.conf and Clamav release
>> - The same signature files
>> - Same version of amavisd-new conf
>>
>> installed.
>>
>> Since some weeks ago, I've recognized that Phishing detection works on
>> both servers, but only one puts the detected file into Quarantine.
>>
>> I was searching for hours comparing the config files, reloading fresh
>> signature db's but cannot find the reason for it.
>>
>> Clamd.log shows
>>
>> Mon Mar  4 20:17:30 2013 ->
>> /var/spool/amavis/tmp/amavis-20130304T201610-01721/parts/p003:
>> Heuristics.Phishing.Email.SpoofedDomain FOUND
>>
>> but the message just passes as SPAM.
>>
>> Does anybody have an idea what the reason for this behavior could be?
>>
>> Thanks!
> 
> The usual suspect is different setting of @virus_name_to_spam_score_maps
> 
> 
>   -- Noel Jones
> 
> 
> Thanks Noel,
> 
> Good hint - there wasn't anything mentioned at all on any server. I've added
> 
> @virus_name_to_spam_score_maps =
>  (new_RE(  # the order matters!
>    [ qr'^Phishing\.'                                             => 4.1 ],
>    [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1 ],
>    [ qr'^Sanesecurity\.(Malware|Trojan)\.'             => undef ],
>    [ qr'^Sanesecurity\.(Test|Rogue|Casino)'            => undef ],
>    [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x     => 6.1 ],
>    [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x => 6.1 ],
>    [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x   => 6.1 ],
>    [ qr'^(MSRBL-Images/)'                              => 2.1 ],
>    [ qr'^(MSRBL-SPAM\.)'                               => 5.1 ],
>    [ qr'^MBL_'                             => undef ],  # keep as infected
>  ));
> 
> as an example config on both relays. The related PayPal fake message is now being reported as a virus from the server.
> 
> Nonetheless, from the pasted config I don't understand why it is recognized as a virus - since Phishing is not mentioned as "undef" and the report says
> 
>    p006: Heuristics.Phishing.Email.SpoofedDomain FOUND
>    p003: Heuristics.Phishing.Email.SpoofedDomain FOUND
Anything not matched by the list is considered a virus.  The sample
'undef' entries are either to protect names from being
unintentionally matched by later (further down the list) entries, or
are placeholders/examples for the user to replace with a score.



  -- Noel Jones
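The lookup rule Noel describes (first matching entry wins, a numeric value turns the hit into spam points, an explicit undef or no match at all keeps the message classified as infected) can be checked offline against names copied from clamd.log. The script below is an added illustration, not code from amavisd-new or from anyone in this thread; it assumes exactly those semantics and replaces amavisd's `new_RE` helper with a plain array of pairs, so the table from the thread can be pasted in unchanged. The sample virus names are constructed, apart from the one taken from the log line above.

```perl
#!/usr/bin/perl
# Added example (not amavisd-new's own code): reproduces the first-match
# semantics of @virus_name_to_spam_score_maps so a table can be checked
# against virus names from clamd.log without restarting amavisd.
use strict;
use warnings;

# The table from the thread. Each entry is [ regex => score ]; a numeric
# score turns the hit into spam points, undef (or no match at all) keeps
# the message classified as infected.
my @virus_name_to_spam_score_maps = (
  [ qr'^Phishing\.'                                             => 4.1 ],
  [ qr'^(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.'i => 4.1 ],
  [ qr'^Sanesecurity\.(Malware|Trojan)\.'             => undef ],
  [ qr'^Sanesecurity\.(Test|Rogue|Casino)'            => undef ],
  [ qr'^Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc)\.'x     => 6.1 ],
  [ qr'^Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.'x => 6.1 ],
  [ qr'^Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.'x   => 6.1 ],
  [ qr'^(MSRBL-Images/)'                              => 2.1 ],
  [ qr'^(MSRBL-SPAM\.)'                               => 5.1 ],
  [ qr'^MBL_'                                         => undef ],  # keep as infected
);

# First matching entry wins (that is why "the order matters").
# Returns (matched_regex_or_undef, score_or_undef).
sub classify {
  my ($name) = @_;
  for my $entry (@virus_name_to_spam_score_maps) {
    my ($re, $score) = @$entry;
    return ($re, $score) if $name =~ $re;
  }
  return (undef, undef);   # no entry matched: stays a virus
}

# Constructed sample names; the first one is the name from the clamd.log
# line quoted in the thread.
my @samples = (
  'Heuristics.Phishing.Email.SpoofedDomain',   # begins with "Heuristics.", so ^Phishing\. does not match
  'Phishing.Fake.PayPal',
  'Sanesecurity.Junk.1234.UNOFFICIAL',
  'Sanesecurity.Malware.5678.UNOFFICIAL',
  'Email.Spam2.Whatever.UNOFFICIAL',
);

for my $name (@samples) {
  my ($re, $score) = classify($name);
  my $verdict = defined $score ? "spam, score +$score"
              : defined $re    ? "infected (explicit undef)"
              :                  "infected (no entry matched)";
  printf "%-42s -> %s\n", $name, $verdict;
}
```

Running it shows the point of Noel's answer: `Heuristics.Phishing.Email.SpoofedDomain` falls through every entry, because the only phishing-related patterns anchor on `^Phishing\.` or `^(Email|HTML|Sanesecurity)\.`, and an unmatched name is handled as a virus. If an operator wanted such ClamAV heuristic hits scored as spam instead, the table would need an entry whose pattern actually matches the `Heuristics.` prefix, placed before any broader entry that should not catch it.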

