Robert,

> From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of 
> Robert Kudyba
> Sent: Tuesday, April 13, 2021 10:40 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: G.W. Haywood <cla...@jubileegroup.co.uk>
> Subject: Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...
>
> I'm seeing a FP from a Delta Airlines email. 
>
> Also, with clamav-milter and sendmail. I see that the headers of quarantined 
> messages go to /var/spool/mqueue with root:smmsp owner/group permissions and 
> the header of the email starts with hf whilst the body of the message starts 
> with df. So the message in question looks like this:
> -rw------- 1 root smmsp    10050 Apr 12 09:40 hf13CDdtaZ2926176
> -rw------- 1 root smmsp   100157 Apr 12 09:39 df13CDdtaZ2926176
>
> To release the message how does one find the queue_id to use the sendmail -qI 
> command? 

I just checked out our quarantine to see what you were talking about and found 
a couple of ads in there.
Forwarded off a sample to Micah, but it looks like there are some very phishy 
looking links in the samples I have.
HTML link: americanexpress.com/rewards-info
Actual underlying link: 
https://click.o.delta.com/u/?qs=1568763c78f67b6cdcd44df9cfac10c6bdd8a68c567c4d04238da45d4092cc1adeef2f53a3a8c4248f7140f92bd80fb33b830537983d2ad07ed440f137dd0226

If you ask me, that deserves to be quarantined.

For Sendmail, it should be something like "sendmail -q". I would definitely look 
it up in the man pages, as I've been using postfix and exim now for a while.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
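As an added example (not code from this thread, nor from ClamAV or sendmail), the script below walks a queue directory, pairs the hf<ID>/df<ID> files described in the quoted message to recover the queue ID, and reads the quarantine reason and Subject from the hf control file. The directory contents are constructed, and the control-file line formats ("Q<reason>", "H?flags?Name: value") are assumed from sendmail's qf layout.

```shell
#!/bin/sh
# Added example, not code from the thread: derive queue IDs from the hf<ID>
# (control/header) and df<ID> (body) file names, then show the quarantine
# reason and Subject recorded in each hf file. Assumes sendmail's qf/hf
# control-file layout: "Q<reason>" and "H?<flags>?Name: value" lines.
# The directory is a parameter so this runs on a constructed sample rather
# than the real /var/spool/mqueue (which is root-readable only).

# Queue IDs derived from hf* file names, one per line.
queue_ids() {
    for f in "$1"/hf*; do
        [ -e "$f" ] || continue
        basename "$f" | sed 's/^hf//'
    done
}

# Quarantine reason recorded in an hf control file (empty if none).
queue_reason() {
    sed -n 's/^Q//p' "$1" | head -n 1
}

# Value of header $2 from an hf control file; "?" is literal in a BRE.
queue_header() {
    sed -n "s/^H?[^?]*?$2:[[:space:]]*//p" "$1" | head -n 1
}

# One summary line per queued message plus a release command.
# sendmail(8): -qQ selects quarantined items, -qI<ID> limits to one ID,
# and -Q with no reason unquarantines the selected item.
queue_summary() {
    dir="$1"
    queue_ids "$dir" | while read -r id; do
        hf="$dir/hf$id"; df="$dir/df$id"
        if [ -e "$df" ]; then body=present; else body=MISSING; fi
        printf '%s body=%s reason="%s" subject="%s"\n' "$id" "$body" \
            "$(queue_reason "$hf")" "$(queue_header "$hf" Subject)"
        printf '  release: sendmail -qQ -Q -qI%s\n' "$id"
    done
}

# Constructed sample queue using the file names quoted in the thread.
make_sample() {
    mkdir -p "$1"
    printf 'V8\nT1618234800\nQclamav-milter: Heuristics.Phishing.Email.SpoofedDomain\nS<sender@example.com>\nH??From: sender@example.com\nH??Subject: Your Delta flight\n.\n' > "$1/hf13CDdtaZ2926176"
    printf 'Hello from the constructed body.\n' > "$1/df13CDdtaZ2926176"
}

sample=$(mktemp -d); make_sample "$sample"; queue_summary "$sample"; rm -rf "$sample"
```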
