[clamav-users] Finding the spoofed domain
Steve Basford
steveb_clamav at sanesecurity.com
Tue Dec 15 13:53:11 UTC 2015
On Tue, December 15, 2015 1:43 pm, Alex wrote:
> Hi,
>
>
> I have an email that was marked as having a spoofed domain, but I
> believe it's a false-positive. It's one of those smartbrief.com
> newsletters.
>
> How do I find out which domain specifically it thinks was spoofed?
--debug will help....
.... snip.....
Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
Before inserting .: .f.email.americanexpress.com
Lookup result: in regex list
Phishcheck:host:.r.smartbrief.com
Phishing: looking up in whitelist:
.r.smartbrief.com:.f.email.americanexpress.
Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
Lookup result: not in regex list
Phishcheck: Phishing scan result: URLs are way too different
found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
emax_reached: marked parents as non cacheable
.............
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
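
Added example (not part of the original message, and not ClamAV's own code): a small filter that pulls the host pair behind each phishing verdict out of --debug output like the excerpt above. It assumes the "Looking up in regex_list" line lists the link's real host first and the displayed host second; sample lines marked "constructed" are not from the post.

```python
import re
import sys

# Patterns use search(), so an optional "LibClamAV debug: " prefix is tolerated.
PAIR = re.compile(r"Looking up in regex_list: ([^:\s]+):([^\s/]+)")
RESULT = re.compile(r"Phishcheck: Phishing scan result: (.+)")
FOUND = re.compile(r"found Possibly Unwanted: (\S+)")

# Lines from the post, plus two constructed lines for a clean link.
SAMPLE = """\
Looking up in regex_list: news.example.com:news.example.com/
LibClamAV debug: Phishcheck: Phishing scan result: Clean
Phishcheck:host:.r.smartbrief.com
Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
Lookup result: not in regex list
Phishcheck: Phishing scan result: URLs are way too different
found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
"""  # first two lines are constructed


def spoof_pairs(debug_lines):
    """Return one dict per non-clean phishing verdict with the host pair behind it."""
    verdicts, pair = [], None
    for line in debug_lines:
        if m := PAIR.search(line):
            pair = m.groups()          # remember the most recent host pair
        elif m := RESULT.search(line):
            result = m.group(1).strip()
            if pair and result.lower() != "clean":
                verdicts.append({"real": pair[0], "displayed": pair[1],
                                 "result": result, "signature": None})
            pair = None                # verdict consumed this pair
        elif (m := FOUND.search(line)) and verdicts:
            if verdicts[-1]["signature"] is None:
                verdicts[-1]["signature"] = m.group(1)
    return verdicts


if __name__ == "__main__":
    # Pipe debug output in, or run with no input to see the sample parsed.
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for v in spoof_pairs(lines):
        print(f"{v['signature']}: link host {v['real']} "
              f"shown as {v['displayed']} ({v['result']})")
```

The debug messages go to stderr, so redirect it (2>&1) when piping clamscan --debug into the script.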