Skip to content

August 8, 2013

ClamAV, American Express, and Heuristics.Phishing.Email.SpoofedDomain

by Jeff

ClamAV was doing it’s job scanning email via amavis-new.  It was catching all the nasties that folks tend to foist on their fellow net citizens.  Unfortunately, when your spam and virus filters are doing their job, they occasionally catch folks who aren’t malicious, but also aren’t using best practices.  This was the case with American Express.  Emails to my clients from @welcome.aexp.com were being classified as “Heuristics.Phishing.Email.SpoofedDomain”.  Searching around the net brought me to several sites where admins had ended up doing crazy things like disabling the heuristic scanning on email in ClamAV, or creating elaborate policy banks in amavis.  Well, I was having none of that.  I like the most correct, simplest solution.  Hopefully, this methodology will help others solve similar issues.

One post I read referenced this document that relates how to create whitelists for Clam’s phishing filters.  That’s a good start.  That same document mentions a utility script called “why.py” that will help isolate why an email is getting picked up by a rule.  Unfortunately, my install didn’t have that script.  A little searching brought me to a copy on GitHub.   Running that led to a laundry list of python specific issues, mostly due to my environment.  But, using the script as a guide, I just did it manually. The following command gave me a goldmine of information.

clamscan -d /var/lib/clamav/ --debug --max-filesize=0 --max-scansize=0 /root/scratch/amex_mail.eml 2>&1 | less

A few items to note about the command:

  • The path after the -d is the location of my AV signatures.
  • The amex_mail.eml is the raw text of the email (headers and all) that I pulled out of our quarantine database.

In that giant slew of output from the clamscan debug, the important part was this:

LibClamAV debug: Phishcheck:host:.www.youtube.com
LibClamAV debug: Phishing: looking up in whitelist: .www.youtube.com:.www208.americanexpress.com; host-only:1
LibClamAV debug: Looking up in regex_list: www.youtube.com:www208.americanexpress.com/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

The issue is that there are links that display one URL, but link to a different URL altogether. I added the first pair to a file called daily.wdb in the same directory as my other ClamAV signatures. (/var/lib/clamav/ in my case.)  With each pair that I added, I would re-run the debug command and discover a new pair.  I ended up with three pairs in there before the emails checked out clean.  Below is the contents of the daily.wdb file.

M:www.facebook.com:www208.americanexpress.com
M:www.twitter.com:www208.americanexpress.com
M:www.youtube.com:www208.americanexpress.com

Here is a more advanced example of a daily.wdb file.

Once I restarted clamd, the AmEx emails started to pass as expected. Hope this helps someone.

Read more from Linux, Software

Leave a Reply