On Feb 1, 2014, at 3:01 PM, Alex <[email protected]> wrote:
> Hi,
>
>>>>> I found another false-positive, this time with
>>>>> Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring
>>>>> out what domain within the email it thinks is spoofed.
>>>>>
>>>>> I've pasted the email here:
>>>>>
>>>>> http://pastebin.com/S7XkCg9a
>>>>>
>>>>> Any ideas greatly appreciated.
>>>>
>>>> LibClamAV debug: Phishcheck:host:.ems1.aeroplan.com
>>>> LibClamAV debug: Phishing: looking up in whitelist:
>>>> .ems1.aeroplan.com:.www.tdcanadatrust.com; host-only:1
>>>> LibClamAV debug: Looking up in regex_list:
>>>> ems1.aeroplan.com:www.tdcanadatrust.com/
>>>> LibClamAV debug: Lookup result: not in regex list
>>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
>>>> different
>>>> LibClamAV debug: found Possibly Unwanted:
>>>> Heuristics.Phishing.Email.SpoofedDomain
>>>
>>> I don't understand what this means. How did you generate this? Where
>>> did the tdcanadatrust.com come from?
>>
>> Running clamscan --debug against the file.
>> http://www.tdcanadatrust.com/tdvisa/agreements appears
>> several times in the body of the message but links to
>> http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc&
>> M=1&L=2&v=4.
>
> Ah, thanks. I should have known that.
>
> In this case it wasn't intended to be malicious, but I'm surprised
> more legitimate mail isn't tagged for doing this.
The heuristics engine is only used for selected financial institution domains
(currently 263) listed in daily.pdb as H:<domain>
-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
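The thread above describes the check that fired: the link's visible text is a URL on one domain (www.tdcanadatrust.com) while its href points somewhere else (ems1.aeroplan.com), and the heuristic only fires when the displayed domain is one of the H: entries in daily.pdb. The script below is an added illustration of that logic, not ClamAV's own code. It assumes a constructed watchlist standing in for the daily.pdb entries, a constructed empty whitelist of accepted (actual host, displayed host) pairs standing in for the regex_list lookup in the debug output, and a simple last-two-labels reduction to compare domains; ClamAV's real matching is more involved.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the H:<domain> entries in daily.pdb (assumption:
# the real list has 263 entries; only one is needed to reproduce the case).
WATCHED_DOMAINS = {"tdcanadatrust.com"}

# Constructed stand-in for the whitelist/regex_list lookup seen in the debug
# output: pairs of (actual href host, displayed host) that are accepted.
WHITELIST = set()

# Display text counts as a URL if it looks like scheme-optional host plus path.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def registrable(host):
    # Crude reduction to the last two labels: "www.tdcanadatrust.com" -> "tdcanadatrust.com".
    # Assumption for the example; not how ClamAV normalises hosts.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    # urlparse only finds a hostname when a scheme is present.
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return a list of spoofed-domain findings for the given HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href or not URL_LIKE.match(text):
            continue  # visible text is not a URL, so the heuristic does not apply
        shown, actual = host_of(text), host_of(href)
        if registrable(shown) not in WATCHED_DOMAINS:
            continue  # displayed domain is not one of the watched institutions
        if registrable(shown) == registrable(actual):
            continue  # same registrable domain, nothing spoofed
        if (actual, shown) in WHITELIST:
            continue  # known-legitimate pairing
        findings.append({"displayed": shown, "actual": actual, "href": href})
    return findings


# Constructed sample body modelled on the case in the thread (mailer tracking
# link with the bank's URL as visible text), plus two links that must not fire.
SAMPLE_BODY = """
<p>Review your agreement at
<a href="http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc&M=1&L=2&v=4">
http://www.tdcanadatrust.com/tdvisa/agreements</a></p>
<p><a href="http://ems1.aeroplan.com/promo">http://www.example.org/promo</a></p>
<p><a href="https://www.tdcanadatrust.com/tdvisa">http://www.tdcanadatrust.com/tdvisa</a></p>
<p><a href="http://ems1.aeroplan.com/unsub">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_BODY):
        print("Possibly spoofed: shows %(displayed)s, goes to %(actual)s" % f)
```

Running it reports only the first link, which is exactly the situation in the thread: a legitimate mailer rewriting links for click tracking while keeping the bank's URL as the visible text. The second link is not flagged because example.org is not on the watchlist, and the third is not flagged because both hosts resolve to the same registrable domain; adding the pair to WHITELIST is the equivalent of the whitelist lookup in the debug output.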