On Tue, December 15, 2015 1:43 pm, Alex wrote: > Hi, > > > I have an email that was marked as having a spoofed domain, but I > believe it's a false-positive. It's one of those smartbrief.com > newsletters. > > How do I find out which domain specifically it thinks was spoofed?
--debug will help.... .... snip..... Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema Before inserting .: .f.email.americanexpress.com Lookup result: in regex list Phishcheck:host:.r.smartbrief.com Phishing: looking up in whitelist: .r.smartbrief.com:.f.email.americanexpress. Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/ Lookup result: not in regex list Phishcheck: Phishing scan result: URLs are way too different found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain emax_reached: marked parents as non cacheable ............. Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
