
Mailing List Archive: ClamAV: users

Finding false positives

 

 



mysqlstudent at gmail

Dec 11, 2011, 9:24 PM

Finding false positives

Hi,

I have an email that was blocked by amavisd because clamav tagged it
because it was received from securesites.net. I checked a few
blacklists, and don't see that it was listed, so I was trying to
figure out what the issue was with this domain.

Another domain it was sent through, northstate.net, is currently
blacklisted, but that wasn't tagged.

I've pasted the email here:

http://pastebin.com/raw.php?i=bWVn19ff

Can someone help me understand what the issue with securesites.net is,
and why this email was blocked because of it?

Thanks,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


list at fajar

Dec 11, 2011, 9:34 PM

Re: Finding false positives

On Mon, Dec 12, 2011 at 12:24 PM, Alex <mysqlstudent [at] gmail> wrote:
> Hi,
>
> I have an email that was blocked by amavisd because clamav tagged it
> because it was received from securesites.net. I checked a few
> blacklists, and don't see that it was listed, so I was trying to
> figure out what the issue was with this domain.
>
> Another domain it was sent through, northstate.net, is currently
> blacklisted, but that wasn't tagged.
>
> I've pasted the email here:
>
> http://pastebin.com/raw.php?i=bWVn19ff
>
> Can someone help me understand what the issue with securesites.net is,
> and why this email was blocked because of it?

Looking at the line

INetMsg.SpamDomain-2w.securesites_net.UNOFFICIAL

Are you using a third-party signature? If yes, you should ask its maintainer.

--
Fajar


steveb_clamav at sanesecurity

Dec 12, 2011, 1:41 AM

Re: Finding false positives

> Can someone help me understand what the issue with securesites.net is,
> and why this email was blocked because of it?

Hi Alex,

The domain was blocked by a Third Party ClamAV database produced by InetMsg.

I've removed the signature for them and it will be removed from the
mirrors in the next 15 mins.

Thanks for reporting...

In case this helps in the future:

http://www.sanesecurity.com/clamav/fps.htm

Cheers,

Steve
Sanesecurity
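
Added example, not part of any post in this thread and not code from ClamAV, amavisd or Sanesecurity: a small triage script that reads clamscan-style "FOUND" lines, uses the ".UNOFFICIAL" suffix seen in the detection name quoted above to separate third-party signatures from official ones, and lists the base names to quote when reporting a false positive to the database maintainer. The file paths and all signature names except the securesites_net one are constructed, and treating the first dot-separated component as the rule-set name is an assumption based on the InetMsg name in this thread.

```python
import re
from collections import defaultdict

# ClamAV reports a hit as "<target>: <signature name> FOUND" and appends
# ".UNOFFICIAL" to names that come from a database not published by the
# ClamAV project.
HIT = re.compile(r"^(?P<target>.+): (?P<sig>\S+) FOUND$")
SUFFIX = ".UNOFFICIAL"

# Constructed sample output; only the first signature name is from the thread.
SAMPLE_LOG = """\
/var/amavis/tmp/p001: INetMsg.SpamDomain-2w.securesites_net.UNOFFICIAL FOUND
/var/amavis/tmp/p002: OK
/var/amavis/tmp/p003: Example.Official.Test-1 FOUND
/var/amavis/tmp/p004: INetMsg.SpamDomain-2w.example_invalid.UNOFFICIAL FOUND
"""

def triage(log_text):
    """Group detections by rule-set prefix and mark third-party ones."""
    report = defaultdict(
        lambda: {"third_party": False, "signatures": set(), "targets": []})
    for line in log_text.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # "OK" lines, summaries, blank lines
        sig = m.group("sig")
        third_party = sig.endswith(SUFFIX)
        base = sig[:-len(SUFFIX)] if third_party else sig
        family = base.split(".", 1)[0]  # assumption: prefix names the rule set
        entry = report[family]
        entry["third_party"] = entry["third_party"] or third_party
        entry["signatures"].add(base)
        entry["targets"].append(m.group("target"))
    return dict(report)

def third_party_signatures(log_text):
    """Base names (suffix stripped) to quote in a false-positive report."""
    names = []
    for _family, entry in sorted(triage(log_text).items()):
        if entry["third_party"]:
            names.extend(sorted(entry["signatures"]))
    return names

if __name__ == "__main__":
    for name in third_party_signatures(SAMPLE_LOG):
        print(name)
```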



mysqlstudent at gmail

Dec 12, 2011, 9:19 AM

Re: Finding false positives

Hi,

>> Can someone help me understand what the issue with securesites.net is,
>> and why this email was blocked because of it?
>
> Hi Alex,
>
> The domain was blocked by a Third Party ClamAV database produced by InetMsg.
>
> I've removed the signature for them and it will be removed from the
> mirrors in the next 15 mins.
>
> Thanks for reporting...

Great, thanks for following up. I knew it was the InetMsg rules, but I
didn't realize there was an external place to report false positives.

Thanks,
Alex
