On 2009-04-29 11:43, Greg McCarthy wrote:
> I've upgraded to 0.95.1 and have a few mails that are getting
> quarantined as Phishing.Heuristics.Email.SpoofedDomain
>
> How do I go about checking for spoofed domains in the email headers?
> It's quite possible that the domain has been spoofed but I would like
> to just double check?

You should look at the body of the mail, not the headers (headers in an
email can be easily forged, so they're usually not to be trusted anyway).

You can use clamscan --debug to find out why ClamAV considers the email
phishing; the output should be similar to the following:

$ clamscan --debug /path/to/emailfile.eml 2>&1|grep -i phish
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @
main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Phishcheck:Checking url
http://fake.example.com->banksite-example.com
LibClamAV debug: Phishcheck:URL after cleanup:
http://fake.example.com->banksite-example.com
LibClamAV debug: Phishing: looking up in whitelist:
http://fake.example.com:banksite-example.com; host-only:0
LibClamAV debug: Phishcheck:host:.banksite-example.com
LibClamAV debug: Phishcheck:host:.fake.example.com
LibClamAV debug: Phishing: looking up in whitelist:
.fake.example.com:.banksite-example.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
different
LibClamAV debug: found Possibly Unwanted:
Phishing.Heuristics.Email.SpoofedDomain
/path/to/emailfile.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

In this case the reason is that the 2 domains are different (the former
is the real target URL of the hyperlink, the latter is the URL as shown
to the user).

Best regards,
--Edwin
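As an added example, not part of this thread and not ClamAV's own code, the following Python script applies the same idea over a constructed HTML body: for every hyperlink whose visible text looks like a URL, compare the host the link really points to with the host shown to the user. The anchor and display-URL patterns, the `same_site` subdomain rule and all host names are assumptions of this example, not ClamAV's implementation (which also has a whitelist and the IP-URL regex shown above).

```python
# Added, constructed example (not ClamAV code): a simplified display-vs-target host check
# of the kind behind Phishing.Heuristics.Email.SpoofedDomain; no whitelist, no IP-URL regex.
import re
from urllib.parse import urlsplit

# Crude anchor extraction for a demo (a real scanner uses a proper HTML parser): (href, inner HTML).
ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that looks like a URL or bare host ("http://bank.example", "bank.example/login").
DISPLAY_URL_RE = re.compile(r"^\s*(?:https?://|ftp://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?:#]\S*)?\s*$", re.I)

def host_of(url):
    """Lowercase hostname of a URL or bare host, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url.strip()
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def same_site(a, b):
    """Hosts match when equal or when one is a subdomain of the other (simplification)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def find_spoofed_links(html):
    """Return [(target_host, displayed_host)] for links whose shown URL names another site."""
    hits = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner)       # drop nested tags such as <b>
        shown = DISPLAY_URL_RE.match(text)
        if not shown:                              # plain words like "click here" are not compared
            continue
        target, display = host_of(href), host_of(shown.group(1))
        if target and display and not same_site(target, display):
            hits.append((target, display))
    return hits

# Constructed sample body: one spoofed link, one honest link, one link with plain text.
SAMPLE_HTML = (
    '<p>Verify your account: <a href="http://fake.example.com/login">'
    'http://banksite-example.com</a></p>'
    '<p><a href="https://www.example.org/help">example.org/help</a> '
    '<a href="http://fake.example.com/x">click here</a></p>'
)

if __name__ == "__main__":
    for target, display in find_spoofed_links(SAMPLE_HTML):
        print(f"displayed {display} but points to {target}")
```

Only the first link is reported, matching the "URLs are way too different" verdict in the debug output above; the honest link passes because www. is stripped before comparing, and the "click here" link is skipped because its text is not a URL.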



_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml