[sanesecurity] FP: winnow.phish.pt.google.640144

  • From: Derek Chee <dchee@xxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 22 Apr 2011 17:04:13 -0700

Hi,

Just a heads up to all... I've been getting reports that there is a false 
positive with with winnow.phish.pt.google.640144.  According to the signature 
decoder, <http://sane.mxuptime.com/s.aspx?id=winnow.phish.pt.google.640144>, 
the URL will end up matching any Google Apps spreadsheet over SSL if I read the 
signature correctly.

I reported it to OITC for a re-check, but thought people might want to know.

-- Derek

Other related posts: