Mailing List Archive

Heuristics.Phishing.Email.SpoofedDomain FP
Hi,

I have an email with an apparent false-positive spoofed domain. How
can I determine what domain it is that clamscan thinks is spoofed and
correct it?

I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to
decode a false-positive, but no signature or other details are given.

Thanks,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Heuristics.Phishing.Email.SpoofedDomain FP
As a heuristic, the generation of this detection is a result of behavioral
detection by the ClamAV engine and not by any particular database
signature. Unfortunately, this effectively means that sigtool is unable to
decode the signature as there is no signature associated with this
detection.

Luckily, it appears you can see the domain that causes the heuristic
detection by running clamscan on the email with the "--debug" flag. The
debug flag causes clamscan to log the domain checks to stderr and most
likely terminates the scan once it detects the heuristic if
"--heuristic-scan-precedence=yes" is set as well.

Additionally, you can provide the false positive to
http://www.clamav.net/report/report-fp.html.

-Kevin

Re: Heuristics.Phishing.Email.SpoofedDomain FP
Hi,

On Tue, Aug 25, 2015 at 11:48 AM, Kevin Lin <klin@sourcefire.com> wrote:
> As a heuristic, the generation of this detection is a result of behavioral
> detection by the ClamAV engine and not by any particular database
> signature. Unfortunately, this effectively means that sigtool is unable to
> decode the signature as there is no signature associated with this
> detection.
>
> Luckily, it appears you can see the domain that causes the heuristic
> detection by running clamscan on the email with the "--debug" flag. The
> debug flag causes clamscan to log the domain checks to stderr and most
> likely terminates the scan once it detects the heuristic if
> "--heuristic-scan-precedence=yes" is set as well.
>
> Additionally, you can provide the false positive to
> http://www.clamav.net/report/report-fp.html.

Thanks very much. I've submitted an fp, but it appears to be the result of this:

LibClamAV debug: Looking up hash 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list: urldefense.proofpoint.com:www.bankofamerica.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

Looks like the proofpoint "secure URL" product has mangled the URL so
badly that clamav can't decipher it?

In any case, how would I go about whitelisting either the sender
and/or the email the next time this happens, so I don't have to wait
for the sig team to perform an update?

For now, I've whitelisted the whole
Heuristics.Phishing.Email.SpoofedDomain rule with an ign2 entry, but I
obviously don't want to keep that permanently.

I'm using postfix with amavisd-new and spamassassin on fedora.

Thanks,
Alex
Re: Heuristics.Phishing.Email.SpoofedDomain FP
On Aug 25, 2015, at 9:41 AM, Alex <mysqlstudent@gmail.com> wrote:
> Thanks very much. I've submitted an fp, but it appears to be the result of this:
>
> LibClamAV debug: Looking up hash 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
> LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
> LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
> LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
> LibClamAV debug: Looking up in regex_list: urldefense.proofpoint.com:www.bankofamerica.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>
> Looks like the proofpoint "secure URL" product has mangled the URL so
> badly that clamav can't decipher it?

Actually, ClamAV recognized and decoded the URL spoofing just fine.
So they should be able to whitelist it without any special trouble.

> In any case, how would I go about whitelisting either the sender
> and/or the email the next time this happens, so I don't have to wait
> for the sig team to perform an update?

If Bank of America was my bank, I'd contact them and ask them to send
their own emails from their own domain rather than sending emails
which rather precisely resemble email spoofing attempts.

If they declined, I'd find myself another bank who cared enough about email
and online security that they weren't outsourcing it to proofpoint.com.

Regards,
--
-Chuck

Re: Heuristics.Phishing.Email.SpoofedDomain FP
It's not necessary to whitelist the heuristic. If you choose to, you can
whitelist the domain which can be done using a .wdb signature. There is
documentation on how to write an entry in the phishsigs_howto.pdf document.

-Kevin

Re: Heuristics.Phishing.Email.SpoofedDomain FP
Hi,

On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger <cswiger@mac.com> wrote:
> On Aug 25, 2015, at 9:41 AM, Alex <mysqlstudent@gmail.com> wrote:
>> Thanks very much. I've submitted an fp, but it appears to be the result of this:
>>
>> LibClamAV debug: Looking up hash 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmBfyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
>> LibClamAV debug: Phishcheck:URL after cleanup: https://urldefense.proofpoint.com->http://www.bankofamerica.com
>> LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
>> LibClamAV debug: Phishing: looking up in whitelist: .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
>> LibClamAV debug: Looking up in regex_list: urldefense.proofpoint.com:www.bankofamerica.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>
>> Looks like the proofpoint "secure URL" product has mangled the URL so
>> badly that clamav can't decipher it?
>
> Actually, ClamAV recognized and decoded the URL spoofing just fine.
> So they should be able to whitelist it without any special trouble.

So then where did it become a fp then?

>> In any case, how would I go about whitelisting either the sender
>> and/or the email the next time this happens, so I don't have to wait
>> for the sig team to perform an update?
>
> If Bank of America was my bank, I'd contact them and ask them to send
> their own emails from their own domain rather than sending emails
> which rather precisely resemble email spoofing attempts.

It's actually not bankofamerica.com that's doing it. It apparently was
the sender that mangled every domain in the email to precede it with
this urldefense crap.

Thanks,
Alex
Re: Heuristics.Phishing.Email.SpoofedDomain FP
Hi,

> It's not necessary to whitelist the heuristic. If you choose to, you can
> whitelist the domain which can be done using a .wdb signature. There is
> documentation on how to write an entry in the phishsigs_howto.pdf document.

Whitelist the sending domain? Or the offending domain? Or which?

Are you talking about this URL or a component of it?

>> > urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB

Thanks,
Alex
Re: Heuristics.Phishing.Email.SpoofedDomain FP
Hi,

On Tue, Aug 25, 2015 at 1:19 PM, Kevin Lin <klin@sourcefire.com> wrote:
> It's not necessary to whitelist the heuristic. If you choose to, you can
> whitelist the domain which can be done using a .wdb signature. There is
> documentation on how to write an entry in the phishsigs_howto.pdf document.

I think I managed to get it working. Much easier than I expected.

Given this debug output:

LibClamAV debug: Looking up hash 56C3...E7C44D36F0FB9028E16FE for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
....

Then there's this:

LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Looking up in regex_list: https://urldefense.proofpoint.com:http://www.bankofamerica.com/

I've created a wdb rule that looks like this:

X:.+proofpoint\.com:.+bankofamerica\.com:17-

That appears to have solved the problem. I suppose I could be more
specific with my regex, but I think it's okay for now.

Thanks,
Alex
Re: Heuristics.Phishing.Email.SpoofedDomain FP
On 16.08.2016 at 18:31, Alex wrote:
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
>
> Why doesn't it display the signature with the above command?
>
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?

I disabled them entirely because I have yet to see anything other than
false positives from those rules....
Re: Heuristics.Phishing.Email.SpoofedDomain FP
Try clamscan --debug 2>debug.log and I think that should show you a domain.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
Re: Heuristics.Phishing.Email.SpoofedDomain FP
On Tue, Aug 16, 2016 at 12:35 PM, Steve basford
<steveb_clamav@sanesecurity.com> wrote:
> Try clamscan --debug 2>debug.log and I think that should show you a domain.

Ah yes, thanks. It appears it's marked it because the URLs were too different:

LibClamAV debug: Phishing: looking up in whitelist: .click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list: click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different

I'm not sure I'm ready to whitelist the rule just yet, however.

Thanks,
Alex
Re: Heuristics.Phishing.Email.SpoofedDomain FP
Alex wrote:
> Hi,
>
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
>
> Why doesn't it display the signature with the above command?
>
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?

The Heuristics* "signatures" aren't fixed signatures in the signature
files. This particular one represents a link where the visible and
link-target domains are "too different", but only for high-risk domains
(e.g. banks). I'm not sure where the list of domains to consider is kept.

To whitelist a specific match hit by this signature chase down the
mismatched domains as per Steve's message, and add a line to local.wdb, eg:

X:\.rbc\.com:www\.rbcroyalbank\.com

or

M:trk.cp20.com:bmo.com

I have yet to figure out why I have to use an X: line for some matches,
and an M: line for others; I use one or the other depending on which
one I can get to actually work on a case-by-case basis.

-kgd
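
Added example (not from any poster in this thread, and not ClamAV code): a Python parser for `clamscan --debug` stderr that reports which real/displayed host pair each phishcheck verdict compared, then drafts `local.wdb` candidates in the `M:` and `X:` forms posted above. The function names are hypothetical and the sample input is the debug output quoted in this thread.

```python
import re

# Constructed sample: debug lines from this thread (hash lookups omitted),
# hard-wrapped the way they arrive when pasted into mail.
SAMPLE_DEBUG = """\
LibClamAV debug: Phishing: looking up in whitelist:
https://urldefense.proofpoint.com:http://www.bankofamerica.co
m; host-only:0
LibClamAV debug: Phishing: looking up in whitelist:
.urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
LibClamAV debug: Looking up in regex_list:
urldefense.proofpoint.com:www.bankofamerica.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: Phishing: looking up in whitelist:
.click.capitaloneemail.com:.mi.capitalone.com; host-only:1
LibClamAV debug: Looking up in regex_list:
click.capitaloneemail.com:mi.capitalone.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
"""

PREFIX = "LibClamAV debug:"
# Host-only lookup line: ".realhost:.displayedhost; host-only:1"
HOST_LOOKUP = re.compile(
    r"Phishing: looking up in whitelist:\s*"
    r"\.?(?P<real>[^:;\s]+):\.?(?P<shown>[^:;\s]+);\s*host-only:1"
)
RESULT = re.compile(r"Phishcheck: Phishing scan result:\s*(?P<result>.+)")


def unwrap(text):
    """Rejoin wrapped tails (joined without a space: the breaks fall in URLs)."""
    messages = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(PREFIX) or not messages:
            messages.append(line)
        else:
            messages[-1] += line
    return messages


def phishcheck_findings(text):
    """Return one dict per phishcheck verdict with the host pair it compared."""
    findings, pair = [], None
    for msg in unwrap(text):
        lookup, verdict = HOST_LOOKUP.search(msg), RESULT.search(msg)
        if lookup:
            pair = (lookup.group("real"), lookup.group("shown"))
        elif verdict and pair:
            findings.append({"real": pair[0], "shown": pair[1],
                             "result": verdict.group("result").strip()})
            pair = None
    return findings


def draft_wdb_lines(real, shown):
    """Candidate local.wdb lines in the M: and X: forms posted in the thread.

    Candidates only: rescan with --debug to confirm which form takes effect.
    """
    real_rx, shown_rx = (h.replace(".", r"\.") for h in (real, shown))
    return [f"M:{real}:{shown}", f"X:{real_rx}:{shown_rx}"]


if __name__ == "__main__":
    for f in phishcheck_findings(SAMPLE_DEBUG):
        print(f"{f['real']} -> {f['shown']}: {f['result']}")
        print("  candidates:", draft_wdb_lines(f["real"], f["shown"]))
```

On a real message, feed it the file written by `clamscan --debug 2>debug.log`; the host listed first in each pair is the link target and the second is the host shown to the reader.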