Koozali.org: home of the SME Server

whitelist a sender from the antivirus checks or remove a false positive

Offline paul.b

  • trainee admin
hi all,
I've been having a back-and-forth with the sender of an email, and being blamed that it's on my side. :?
  • wrote a line in SpamAssassin to whitelist the entire domain; still not received it
  • sender says they have no problems with other people getting emails from that particular email address
Anybody know of this as being a virus or a false positive? I did some digging around and some are saying that it is not a virus :???:
 " <<< 552 Virus found: Heuristics.Phishing.Email.SpoofedDomain
554 5.0.0 Service unavailable "
thank you in advance :D

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
I have similar issues with a bank using an external service based on Amzws servers for vault document exchange. The emails are really comparable to a phishing campaign, with little or no respect for the RFCs.
I chose not to make any exception, because I would be more at risk using this service.


They could easily fix that on their side in your case https://www.authsmtp.com/smtp-error-codes/250-virus-scanned-email-discarded.html



Offline paul.b

  • trainee admin
I have similar issues with a bank using an external service based on Amzws servers for vault document exchange. The emails are really comparable to a phishing campaign, with little or no respect for the RFCs.
I chose not to make any exception, because I would be more at risk using this service.


They could easily fix that on their side in your case https://www.authsmtp.com/smtp-error-codes/250-virus-scanned-email-discarded.html


Oh yeah, I was actually looking at that link earlier, but at the same time I am thinking of holding back on the whitelisting / removing of the thing on our side for security reasons. I really wanted a second opinion too.
Thank you for your reply, Jean-Philippe :)


Offline paul.b

  • trainee admin
OK, I have emailed the IT team of that sender and they have done nothing to fix the issue. Can someone please let me know how I can whitelist that signature in the antivirus?

Heuristics.Phishing.Email.SpoofedDomain

thank you in advance

Offline bunkobugsy

https://linux.die.net/man/5/clamd.conf

PhishingScanURLs BOOL
Scan URLs found in mails for phishing attempts using heuristics. This will classify "Possibly Unwanted" phishing emails as Phishing.Heuristics.Email.*
Default: yes

Seems like you need to add a "PhishingScanURLs no" line to /etc/clamd.d/scan.conf via a custom template.



Offline paul.b

  • trainee admin
Thank you everyone for the help, I have applied the settings to the server and am waiting on an email to see if it works fine :)
Again, thank you all :)

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Won't work: https://portal.smartertools.com/community/a1225/how-to-disable-a-specific-clamav-scan.aspx#127463

If you look at the comments on that page, they all restarted the mail service but none of them actually restarted clamav,
so it would still be worth a try.
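The two pieces of advice in this thread (push "PhishingScanURLs no" through a custom template, then restart clamd itself rather than only the mail service), put together as an added example that is not part of any post above. It assumes the SME Server custom-template directory /etc/e-smith/templates-custom/etc/clamd.d/scan.conf/, a fragment name of 10PhishingScanURLs (if the stock template already emits this directive, reuse that fragment's name so the custom copy overrides it), and a service named clamd; the ROOT argument lets the helper functions be exercised in a scratch directory without touching /etc.

```shell
#!/bin/sh
# Added example (not from the thread): turn off ClamAV's URL phishing heuristics
# on SME Server through a custom template, verify the rendered config, and only
# then restart clamd. Paths, fragment name and service name are assumptions.
set -eu

CONF=/etc/clamd.d/scan.conf
FRAGMENT_DIR="/etc/e-smith/templates-custom${CONF}"
FRAGMENT_NAME=10PhishingScanURLs   # assumed; match the stock fragment's name if one exists

# write_fragment ROOT: create the custom template fragment under ROOT
# ("" on the real server, a scratch directory when testing).
write_fragment() {
    root=$1
    mkdir -p "${root}${FRAGMENT_DIR}"
    # ClamAV reads this directive as a boolean; "no" disables the Phishing.Heuristics.Email.* URL checks.
    printf 'PhishingScanURLs no\n' > "${root}${FRAGMENT_DIR}/${FRAGMENT_NAME}"
}

# phishing_urls_disabled FILE: exit 0 only if FILE's effective PhishingScanURLs
# value is off. Comment lines are ignored and the last occurrence wins, so a
# later fragment re-enabling the check is caught.
phishing_urls_disabled() {
    val=$(sed -n 's/^[[:space:]]*PhishingScanURLs[[:space:]]\{1,\}\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|0) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_on_sme: the real sequence on the server (needs root).
apply_on_sme() {
    write_fragment ""
    expand-template "$CONF"
    if phishing_urls_disabled "$CONF"; then
        # Restart clamd itself; restarting only the mail service leaves the old setting loaded.
        if command -v systemctl >/dev/null 2>&1; then
            systemctl restart clamd
        else
            /etc/init.d/clamd restart
        fi
        echo "PhishingScanURLs is now off in $CONF"
    else
        echo "rendered $CONF still enables PhishingScanURLs; check for a later fragment" >&2
        return 1
    fi
}

# Only change the live system when asked for explicitly.
if [ "${1:-}" = "--apply" ]; then
    apply_on_sme
fi
```

Run it with `--apply` on the server; without arguments it only defines the helpers. Note that this switches the heuristic off for every message the server scans, not just for the one sender, which is the trade-off Jean-Philippe is weighing above.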