On 2009-04-29 11:43, Greg McCarthy wrote:
> I've upgraded to 0.95.1 and have a few mails that are getting
> quarantined as Phishing.Heuristics.Email.SpoofedDomain
>
> How do I go about checking for spoofed domains in the email headers?
> It's quite possible that the domain has been spoofed but I would like
> to just double check?
You should look at the body of the mail, not the headers (headers in an email can be easily forged, so they're usually not to be trusted anyway).

You can use clamscan --debug to find out why ClamAV considers the email phishing; the output should be similar to the following:

$ clamscan --debug /path/to/emailfile.eml 2>&1|grep -i phish
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Phishcheck:Checking url http://fake.example.com->banksite-example.com
LibClamAV debug: Phishcheck:URL after cleanup: http://fake.example.com->banksite-example.com
LibClamAV debug: Phishing: looking up in whitelist: http://fake.example.com:banksite-example.com; host-only:0
LibClamAV debug: Phishcheck:host:.banksite-example.com
LibClamAV debug: Phishcheck:host:.fake.example.com
LibClamAV debug: Phishing: looking up in whitelist: .fake.example.com:.banksite-example.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Phishing.Heuristics.Email.SpoofedDomain
/path/to/emailfile.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

In this case the reason is that the 2 domains are different (the former is the real target URL of the hyperlink, the latter is the URL as shown to the user).

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
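The check Edwin describes (compare the real href target of each link in the HTML body against the URL shown to the reader) can be reproduced in a few lines, which is handy for triaging a quarantined message without the full --debug output. The script below is an added example, not ClamAV's code and not part of the thread: it is a simplified version of the heuristic (no whitelist, no IP-address regex, only a leading "www." is stripped before comparison), and the .eml it scans is a constructed sample with the same fake.example.com / banksite-example.com pair as the debug log above.

```python
"""Simplified spoofed-domain check in the spirit of ClamAV's
Phishing.Heuristics.Email.SpoofedDomain: for every <a> in an HTML
body, compare the host of the real target (href) with the host in
the displayed link text. Added example; not ClamAV's implementation."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real capture). The first link shows
# banksite-example.com but points at fake.example.com; the third link
# differs only by a "www." prefix and should not be flagged.
SAMPLE_EML = b"""From: alerts@banksite-example.com
To: user@example.org
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please log in at
<a href="http://fake.example.com/login">http://banksite-example.com/login</a>
</p>
<p>Or visit <a href="https://www.example.org/help">our help page</a>.</p>
<p>Also <a href="http://shop.example.net/">http://www.shop.example.net/</a></p>
</body></html>
"""


def display_host(text):
    """Return the host if the anchor text itself looks like a URL, else None.
    A bare 'www.example.com' without a scheme counts as a URL too."""
    t = text.strip()
    if not t:
        return None
    if "://" in t:
        return urlsplit(t).hostname
    if t.lower().startswith("www.") and " " not in t:
        return urlsplit("http://" + t).hostname
    return None


def normalise(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    www.example.com and example.com compare equal."""
    if host is None:
        return None
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_spoofed_links(raw_eml):
    """Return a list of (real_host, displayed_host) pairs for links whose
    visible text names one domain while the href goes to another."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            shown = normalise(display_host(text))
            real = normalise(urlsplit(href).hostname)
            if shown is None or real is None:
                continue  # plain-word anchors cannot spoof a domain
            if shown != real:
                findings.append((real, shown))
    return findings


if __name__ == "__main__":
    for real, shown in find_spoofed_links(SAMPLE_EML):
        print(f"spoofed domain: link shows {shown} but goes to {real}")
```

Run it as-is to scan the embedded sample, or replace SAMPLE_EML with the bytes of a quarantined .eml. Only anchors whose visible text is itself a URL are compared, which matches the debug log's "Checking url http://fake.example.com->banksite-example.com" form; a link whose text is an ordinary phrase ("our help page") is skipped because there is no displayed domain to contradict.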