Alex wrote:
> Steve Basford wrote:
>> I've posted the email here:
>> http://pastebin.com/n4WRjmzE
>
>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>> Before inserting .: .f.email.americanexpress.com
>> Lookup result: in regex list
>> Phishcheck:host:.r.smartbrief.com
>> Phishing: looking up in whitelist:
>> .r.smartbrief.com:.f.email.americanexpress.
>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>> Lookup result: not in regex list
>> Phishcheck: Phishing scan result: URLs are way too different
>> found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>> emax_reached: marked parents as non cacheable
>
> Okay, interesting, thanks.
>
> While I don't necessarily expect clamav to understand
> americanexpress.com isn't a phishing/spoofed site, should we expect
> every time a URL is rewritten in this way for it to be labelled as a
> phishing attack?
>
> I actually also don't see in the message where
> f.email.americanexpress.com was wrapped inside of a smartbrief.com
> URL. I only see americanexpress.com/merchant, so perhaps I'm not
> understanding.
The thing to look for is links that appear to the eye as americanexpress.com, but actually lead to smartbrief.com:

Visit us at: <a href="http://r.smartbrief.com/resp/<tracking ID>" target="_new" style="text-decoration:none; color:#2196c2">americanexpress.com/merchant</a></td>

You would just see americanexpress.com/merchant, but the link does not lead *directly* to that location, it redirects from a click-tracking link under smartbrief.com.

-kgd
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
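The mismatch kgd describes (visible link text naming one domain, href pointing at another) is what the SpoofedDomain heuristic keys on. The script below is an added illustration written for this thread, not ClamAV's own phishing code: it walks the anchor tags of an HTML message, extracts the host a reader would perceive in the link text, compares it with the href host, and reports pairs whose registrable domains differ unless the (real domain, displayed domain) pair is on an allowlist, which loosely mirrors the whitelist lookup visible in the debug output above. The sample message, the tracking ID, the allowlist contents and the two-label notion of "registrable domain" are all constructed assumptions for the example.

```python
"""Flag <a> tags whose visible text looks like a URL on one domain while the
href leads somewhere else. Added example for the SpoofedDomain discussion; this
is NOT ClamAV's implementation and uses a deliberately simplified domain model."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message modelled on the American Express / SmartBrief case.
# The tracking ID "abc123" is made up for the example.
SAMPLE_EMAIL = """<p>Visit us at: <a href="http://r.smartbrief.com/resp/abc123"
target="_new">americanexpress.com/merchant</a></p>
<p><a href="https://www.americanexpress.com/login">www.americanexpress.com</a></p>
<p><a href="http://r.smartbrief.com/resp/def456">Unsubscribe</a></p>"""


def registrable(host):
    """Crude 'registrable domain': the last two labels of the host.
    Fine for .com examples; a real implementation would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def display_host(text):
    """Return the hostname a reader would perceive in link text ('americanexpress.com'
    for 'americanexpress.com/merchant'), or None if the text is not URL-like."""
    t = text.strip()
    if not t or " " in t:
        return None  # plain words such as 'Click here' are not URLs
    if "://" not in t:
        t = "http://" + t  # bare 'host/path' text, as in the sample message
    host = urlsplit(t).hostname
    return host if host and "." in host else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_spoofed_links(html, allowlist=frozenset()):
    """Return a list of dicts for links whose displayed domain differs from the
    href domain. allowlist holds (real_domain, displayed_domain) pairs that are
    known click-tracking rewrites and should not be reported."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        shown = display_host(text)
        real = urlsplit(href).hostname
        if shown is None or real is None:
            continue  # non-URL link text, or an href with no host (mailto:, #anchor)
        if registrable(real) == registrable(shown):
            continue  # same organisation, e.g. www. vs bare domain
        if (registrable(real), registrable(shown)) in allowlist:
            continue  # tolerated redirector, analogous to a whitelist entry
        hits.append({"href_host": real, "display_host": shown, "text": text.strip()})
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_links(SAMPLE_EMAIL):
        print(f"spoofed: text shows {hit['display_host']} but href goes to {hit['href_host']}")
```

Run against the sample, only the SmartBrief redirect wrapped in americanexpress.com text is reported; the www.americanexpress.com link and the "Unsubscribe" link pass. Adding ("smartbrief.com", "americanexpress.com") to the allowlist silences the hit, which is the same trade-off an administrator faces when deciding whether to whitelist a legitimate click-tracking service in ClamAV.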
