Re: [clamav-users] Phishing.Heuristics.Email.SpoofedDomain
On 2011-08-02 02:56, Al Varnell wrote:
> On Jul 26, 2011, at 2:06 PM, Török Edwin ed...@clamav.net wrote:
>> On 07/26/2011 11:59 PM, Al Varnell wrote:
>>> Is there something going on with subject infections? I see that it's listed on the clamav home page as a Current Threat. We got several users asking about this in the ClamXav Forum (including a Linux user?) and I can't seem to find it in the signature database any more.
>>
>> It is an engine detection (actually it is Heuristics.Phishing.Email.SpoofedDomain). All engine detections are prefixed with 'Heuristics.'. This detection is for phishing emails; you can look in daily.pdb to see a list of 'protected' domains (i.e. if a phishing email targets one of those domains we should detect it).
>
> Thanks for that explanation, that helps a lot. Is there any reason why clamscan would be making such detections and clamd not?

Maybe someone edited clamd.conf and turned off phishing detection? (PhishingScanURLs no). clamscan uses the default settings, which can be overridden by command-line flags; it doesn't use the clamd.conf settings.

Best regards,
--Edwin

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] Phishing.Heuristics.Email.SpoofedDomain
On Jul 26, 2011, at 2:06 PM, Török Edwin ed...@clamav.net wrote:
> On 07/26/2011 11:59 PM, Al Varnell wrote:
>> Is there something going on with subject infections? I see that it's listed on the clamav home page as a Current Threat. We got several users asking about this in the ClamXav Forum (including a Linux user?) and I can't seem to find it in the signature database any more.
>
> It is an engine detection (actually it is Heuristics.Phishing.Email.SpoofedDomain). All engine detections are prefixed with 'Heuristics.'. This detection is for phishing emails; you can look in daily.pdb to see a list of 'protected' domains (i.e. if a phishing email targets one of those domains we should detect it).

Thanks for that explanation, that helps a lot. Is there any reason why clamscan would be making such detections and clamd not? One of our users is running into this, which could just be related to database updates, but I want to be sure.

Also, it would seem that the inclusion of Facebook.com was causing a spike in these detections and today I noticed it is no longer one of the protected domains. The number of hits on my computer went from over 30 last week to just three today. I couldn't quite figure out why they needed to be protected, anyway. Just an observation.

Sent from Janet's iPad

-Al-
--
Al Varnell
Re: [clamav-users] Phishing.Heuristics.Email.SpoofedDomain
On 07/26/2011 11:59 PM, Al Varnell wrote:
> Is there something going on with subject infections? I see that it's listed on the clamav home page as a Current Threat. We got several users asking about this in the ClamXav Forum (including a Linux user?) and I can't seem to find it in the signature database any more.

It is an engine detection (actually it is Heuristics.Phishing.Email.SpoofedDomain). All engine detections are prefixed with 'Heuristics.'. This detection is for phishing emails; you can look in daily.pdb to see a list of 'protected' domains (i.e. if a phishing email targets one of those domains we should detect it).

Best regards,
--Edwin
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain Query
On 2009-04-29 11:43, Greg McCarthy wrote:
> I've upgraded to 0.95.1 and have a few mails that are getting quarantined as Phishing.Heuristics.Email.SpoofedDomain. How do I go about checking for spoofed domains in the email headers? It's quite possible that the domain has been spoofed but I would like to just double check?

You should look at the body of the mail, not the headers (headers in an email can be easily forged, so they're usually not to be trusted anyway). You can use clamscan --debug to find out why ClamAV considers the email phishing; the output should be similar to the following:

$ clamscan --debug /path/to/emailfile.eml 2>&1 | grep -i phish
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Phishcheck:Checking url http://fake.example.com-banksite-example.com
LibClamAV debug: Phishcheck:URL after cleanup: http://fake.example.com-banksite-example.com
LibClamAV debug: Phishing: looking up in whitelist: http://fake.example.com:banksite-example.com; host-only:0
LibClamAV debug: Phishcheck:host:.banksite-example.com
LibClamAV debug: Phishcheck:host:.fake.example.com
LibClamAV debug: Phishing: looking up in whitelist: .fake.example.com:.banksite-example.com; host-only:1
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Phishing.Heuristics.Email.SpoofedDomain
/path/to/emailfile.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND

In this case the reason is that the 2 domains are different (the former is the real target URL of the hyperlink, the latter is the URL as shown to the user).

Best regards,
--Edwin
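The heuristic Edwin describes in his two replies (a list of 'protected' domains taken from daily.pdb, and a comparison between the hyperlink's real target and the URL text shown to the user, which ends in "URLs are way too different") can be sketched as a small stand-alone checker. The Python below is an added example and is not ClamAV's code: PROTECTED_DOMAINS and WHITELIST_HOST_PAIRS are constructed stand-ins for daily.pdb and for the whitelist lookups seen in the debug output, SAMPLE_EMAIL_HTML is a constructed message body, and the domain comparison is a deliberately simple last-two-labels match rather than ClamAV's real logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the 'protected' domains ClamAV reads from daily.pdb:
# a mismatch is only reported when the *displayed* domain is one of these.
PROTECTED_DOMAINS = {"banksite-example.com", "paypal.com"}

# Constructed stand-in for the whitelist lookups in the debug output:
# (real host, displayed host) pairs that are known-good mismatches.
WHITELIST_HOST_PAIRS = {("links.amazon.com", "amazon.de")}

# Displayed link text counts as "a URL shown to the user" only if it looks like one.
LOOKS_LIKE_URL = re.compile(r"^(https?://|ftp://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample body covering the interesting cases.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please confirm your account:
<a href="http://fake.example.com-banksite-example.com">http://banksite-example.com</a></p>
<p>Legitimate self-link:
<a href="http://www.banksite-example.com/login">banksite-example.com</a></p>
<p>Whitelisted cross-domain pair:
<a href="http://links.amazon.com/track?id=1">amazon.de</a></p>
<p>Mismatch on a domain that is not protected:
<a href="http://tracking.example.org/r">http://newsletter.example.net</a></p>
<p>Link text that is not URL-like: <a href="http://tracking.example.org/c">Click here</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Hostname of a URL or bare domain, lowercased, with a leading 'www.' dropped."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    host = (urlparse(url_or_domain).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def registered_domain(host):
    """Last two labels of a hostname (illustrative; a real checker uses a public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_email_html(html):
    """Return [(real_host, displayed_host, verdict)] for links whose real target domain
    differs from the URL shown to the user and whose displayed domain is protected."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href or not LOOKS_LIKE_URL.match(text):
            continue  # displayed text is not URL-like, so there is nothing to spoof
        real, shown = host_of(href), host_of(text)
        if registered_domain(real) == registered_domain(shown):
            continue  # same domain: a normal self-link
        if (real, shown) in WHITELIST_HOST_PAIRS:
            continue  # known-good cross-domain pair
        if registered_domain(shown) in PROTECTED_DOMAINS:
            findings.append((real, shown, "Phishing.Heuristics.Email.SpoofedDomain"))
    return findings


if __name__ == "__main__":
    for real, shown, verdict in check_email_html(SAMPLE_EMAIL_HTML):
        print(f"{verdict}: link shows {shown} but really goes to {real}")
```

Only the first link in the sample is reported: the self-link shares its domain, the amazon pair is whitelisted, the example.net mismatch is not a protected domain, and "Click here" is not URL-like text. Run against an HTML part extracted from a quarantined .eml, this is a quick way to see which link clamscan --debug will complain about before submitting a suspected false positive.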
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain Query
Thanks for the info. I've run the scan on the body file and headers file and get:

LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

The mail has been quarantined though - I don't have the .eml file. I've scanned the hf and df files.

2009/4/29 Török Edwin edwinto...@gmail.com:
> On 2009-04-29 11:43, Greg McCarthy wrote:
>> I've upgraded to 0.95.1 and have a few mails that are getting quarantined as Phishing.Heuristics.Email.SpoofedDomain. How do I go about checking for spoofed domains in the email headers? It's quite possible that the domain has been spoofed but I would like to just double check?
>
> You should look at the body of the mail, not the headers (headers in an email can be easily forged, so they're usually not to be trusted anyway). You can use clamscan --debug to find out why ClamAV considers the email phishing; the output should be similar to the following:
>
> $ clamscan --debug /path/to/emailfile.eml 2>&1 | grep -i phish
> LibClamAV debug: Initializing phishcheck module
> LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
> LibClamAV debug: Phishcheck module initialized
> LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
> LibClamAV debug: Module PHISHING On
> LibClamAV debug: Phishcheck:Checking url http://fake.example.com-banksite-example.com
> LibClamAV debug: Phishcheck:URL after cleanup: http://fake.example.com-banksite-example.com
> LibClamAV debug: Phishing: looking up in whitelist: http://fake.example.com:banksite-example.com; host-only:0
> LibClamAV debug: Phishcheck:host:.banksite-example.com
> LibClamAV debug: Phishcheck:host:.fake.example.com
> LibClamAV debug: Phishing: looking up in whitelist: .fake.example.com:.banksite-example.com; host-only:1
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Phishing.Heuristics.Email.SpoofedDomain
> /path/to/emailfile.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND
>
> In this case the reason is that the 2 domains are different (the former is the real target URL of the hyperlink, the latter is the URL as shown to the user).
>
> Best regards,
> --Edwin
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain -
Hi,

The problem is I never got this email, so how should I report it?

Regards,
Garry

On 2008-07-24 13:23, Török Edwin wrote:
> On 2008-07-24 13:41, Garry wrote:
>> Hi,
>> Yesterday I made a Paypal payment and didn't get the email saying the payment was made through my VPS. When I checked the exim_mainlog I saw:
>>
>> 2008-07-23 12:24:42 H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] Warning: Sender rate 0.0 / 1h
>> 2008-07-23 12:24:42 1KLh8s-0006KC-CV H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] F=[EMAIL PROTECTED] rejected after DATA: This message contains a virus or other harmful content (Phishing.Heuristics.Email.SpoofedDomain)
>>
>> I have checked the IP address; it comes back as belonging to Ebay, which I believe is also Paypal. For now I have edited /etc/clamd.conf
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain - possible false positive please advise
On 2008-07-24 13:23, Török Edwin wrote:
> On 2008-07-24 13:41, Garry wrote:
>> Hi,
>> Yesterday I made a Paypal payment and didn't get the email saying the payment was made through my VPS. When I checked the exim_mainlog I saw:
>>
>> 2008-07-23 12:24:42 H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] Warning: Sender rate 0.0 / 1h
>> 2008-07-23 12:24:42 1KLh8s-0006KC-CV H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] F=[EMAIL PROTECTED] rejected after DATA: This message contains a virus or other harmful content (Phishing.Heuristics.Email.SpoofedDomain)
>>
>> I have checked the IP address; it comes back as belonging to Ebay, which I believe is also Paypal. For now I have edited /etc/clamd.conf
>
> Please submit the e-mail as a false positive: http://www.clamav.net/sendvirus/
> You can remove personal data from it, but please keep the URLs intact.
>
> Thanks,
> --Edwin

Hi,

The problem is I never got this email, so how should I report it?

Regards,
Garry
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain - possible false positive please advise
On 2008-07-24 17:47, Garry wrote:
> On 2008-07-24 13:23, Török Edwin wrote:
>> On 2008-07-24 13:41, Garry wrote:
>>> Hi,
>>> Yesterday I made a Paypal payment and didn't get the email saying the payment was made through my VPS. When I checked the exim_mainlog I saw:
>>>
>>> 2008-07-23 12:24:42 H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] Warning: Sender rate 0.0 / 1h
>>> 2008-07-23 12:24:42 1KLh8s-0006KC-CV H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] F=[EMAIL PROTECTED] rejected after DATA: This message contains a virus or other harmful content (Phishing.Heuristics.Email.SpoofedDomain)
>>>
>>> I have checked the IP address; it comes back as belonging to Ebay, which I believe is also Paypal. For now I have edited /etc/clamd.conf
>>
>> Please submit the e-mail as a false positive: http://www.clamav.net/sendvirus/
>> You can remove personal data from it, but please keep the URLs intact.
>>
>> Thanks,
>> --Edwin
>
> Hi,
> The problem is I never got this email, so how should I report it?

I thought you quarantine it automatically. The next time you make a paypal payment, can you scan the email you get with clamscan, and submit that? [now that you turned off phishing detection you should get the mail]

Best regards,
--Edwin
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain - possible false positive please advise
On 2008-07-24 13:41, Garry wrote:
> Hi,
> Yesterday I made a Paypal payment and didn't get the email saying the payment was made through my VPS. When I checked the exim_mainlog I saw:
>
> 2008-07-23 12:24:42 H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] Warning: Sender rate 0.0 / 1h
> 2008-07-23 12:24:42 1KLh8s-0006KC-CV H=mx0.phx.paypal.com (phx01imail02.phx.paypal.com) [66.211.168.230] F=[EMAIL PROTECTED] rejected after DATA: This message contains a virus or other harmful content (Phishing.Heuristics.Email.SpoofedDomain)
>
> I have checked the IP address; it comes back as belonging to Ebay, which I believe is also Paypal. For now I have edited /etc/clamd.conf:
>
> # Scan URLs found in mails for phishing attempts using heuristics.
> # Default: yes
> PhishingScanURLs no
>
> I found this info after doing a google for Email.SpoofedDomain. Can you advise as to what to do?

Please submit the e-mail as a false positive: http://www.clamav.net/sendvirus/
You can remove personal data from it, but please keep the URLs intact.

Thanks,
--Edwin
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Török Edvin wrote:
> On 7/13/07, Robert Schetterer [EMAIL PROTECTED] wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi @ll
>> can someone explain this virus type Phishing.Heuristics.Email.SpoofedDomain
>>
>> PhishingScanURLs BOOL
>> Scan URLs found in mails for phishing attempts using heuristics. This will classify Possibly Unwanted phishing emails as Phishing.Heuristics.Email.*
>> Default: yes
>>
>> this mail looks good, on a first look; seems to be an amazon promotion, also the spf records are fine
>
> Sent by amazon, or some 3rd party?
> Submit it as a false positive at http://cgi.clamav.net/sendvirus.cgi
>
> --Edwin

Hi Edvin,
thanks for explaining it to me. This mail looks good; I will submit it to http://cgi.clamav.net/sendvirus.cgi, perhaps your eyes will see more than mine.

- --
Kind regards
Best Regards
Robert Schetterer
https://www.schetterer.org
Germany
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGl1hFfGH2AvR16oERAhGWAJ9mnesCZ2yL3R6qBYHnjT/YKPhuxwCcC9su
GK4b9cyeAkOa8E1YoFgQUSc=
=Ac0E
-----END PGP SIGNATURE-----

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Török Edvin wrote:
> On 7/13/07, Robert Schetterer [EMAIL PROTECTED] wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi @ll
>> can someone explain this virus type Phishing.Heuristics.Email.SpoofedDomain
>>
>> PhishingScanURLs BOOL
>> Scan URLs found in mails for phishing attempts using heuristics. This will classify Possibly Unwanted phishing emails as Phishing.Heuristics.Email.*
>> Default: yes
>>
>> this mail looks good, on a first look; seems to be an amazon promotion, also the spf records are fine
>
> Sent by amazon, or some 3rd party?
> Submit it as a false positive at http://cgi.clamav.net/sendvirus.cgi
>
> --Edwin

Submitted it as a false positive. I think the problem results from using lots of amazon.de URLs in the body but coming from amazon.com servers.

- --
Kind regards
Best Regards
Robert Schetterer
https://www.schetterer.org
Germany
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGl1sIfGH2AvR16oERAp7kAJ4scLmLzK9AIVAnXelxlXOiPljXBACffjSA
5WkEZtT/78b+S+fcVSfj0tA=
=XdgV
-----END PGP SIGNATURE-----
Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain
On 7/13/07, Robert Schetterer [EMAIL PROTECTED] wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi @ll
> can someone explain this virus type Phishing.Heuristics.Email.SpoofedDomain
>
> PhishingScanURLs BOOL
> Scan URLs found in mails for phishing attempts using heuristics. This will classify Possibly Unwanted phishing emails as Phishing.Heuristics.Email.*
> Default: yes
>
> this mail looks good, on a first look; seems to be an amazon promotion, also the spf records are fine

Sent by amazon, or some 3rd party?
Submit it as a false positive at http://cgi.clamav.net/sendvirus.cgi

--Edwin