[clamav-users] Finding the spoofed domain
Alex
mysqlstudent at gmail.com
Tue Dec 15 14:55:17 UTC 2015
Hi,
> I've posted the email here:
> http://pastebin.com/n4WRjmzE
> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
> Before inserting .: .f.email.americanexpress.com
> Lookup result: in regex list
> Phishcheck:host:.r.smartbrief.com
> Phishing: looking up in whitelist:
> .r.smartbrief.com:.f.email.americanexpress.
> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
> Lookup result: not in regex list
> Phishcheck: Phishing scan result: URLs are way too different
> found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
> emax_reached: marked parents as non cacheable
Okay, interesting, thanks.
While I don't necessarily expect clamav to understand americanexpress.com isn't a phishing/spoofed site, should we expect it to be labelled as a phishing attack every time a URL is rewritten in this way?

I actually also don't see in the message where f.email.americanexpress.com was wrapped inside of a smartbrief.com URL. I only see americanexpress.com/merchant, so perhaps I'm not understanding.
Thanks,
Alex
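The quoted scan log shows the shape of ClamAV's spoofed-domain heuristic: for each link it compares the host the reader sees (the anchor text) with the host the href actually points at, consults a whitelist of allowed (real host, displayed host) pairs such as the `.r.smartbrief.com:.f.email.americanexpress.` entry, and flags the link when the two hosts are "way too different". The following is an added illustration of that logic, not ClamAV's own code: a small Python checker that extracts anchors from an HTML body, classifies each one, and honours a pair allowlist for known link-tracking redirectors. The HTML sample, the `PAIR_ALLOWLIST` contents and the "last two labels" domain comparison are constructed simplifications (ClamAV uses its own regex lists and a more careful comparison).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body, modelled on the case in the thread: the first link
# shows an americanexpress.com URL but the href goes through a tracking host;
# the second is consistent; the third hides a bare IP behind a bank-like URL.
SAMPLE_HTML = """
<p>Visit <a href="http://r.smartbrief.com/resp/abc123">http://f.email.americanexpress.com/merchant</a></p>
<p>Also <a href="http://americanexpress.com/merchant">americanexpress.com/merchant</a></p>
<p>Login at <a href="http://198.51.100.7/amex/login">https://www.americanexpress.com/login</a></p>
"""

# Assumed allowlist of (real-host suffix -> displayed-host suffixes it may wrap),
# in the spirit of the whitelist pair quoted in the thread.
PAIR_ALLOWLIST = {
    "r.smartbrief.com": {"f.email.americanexpress.com"},
}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def is_url_like(text):
    """True when the anchor text itself looks like a URL or hostname."""
    return bool(_URLISH.match(text.strip()))


def host_of(url_or_text):
    """Lowercase hostname of a URL or URL-like display text, or None."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def registrable(host):
    """Crude registrable-domain approximation: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suffix_match(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def check_anchor(href, text):
    """Classify one anchor as 'plain', 'ok', 'allowlisted' or 'spoofed'."""
    if not is_url_like(text):
        return "plain"          # non-URL anchor text: nothing to compare
    real, shown = host_of(href), host_of(text)
    if real is None or shown is None:
        return "plain"
    if registrable(real) == registrable(shown):
        return "ok"             # same organisation behind both hosts
    for real_sfx, shown_sfxs in PAIR_ALLOWLIST.items():
        if suffix_match(real, [real_sfx]) and suffix_match(shown, shown_sfxs):
            return "allowlisted"  # known redirector wrapping a known brand
    return "spoofed"            # displayed host and real host disagree


def scan_html(html):
    """Return [(href, text, verdict), ...] for every anchor in the body."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, text, check_anchor(href, text)) for href, text in parser.anchors]


if __name__ == "__main__":
    for href, text, verdict in scan_html(SAMPLE_HTML):
        print(f"{verdict:12} shown={text!r} real={href!r}")
```

Run against the sample, the tracking-wrapped American Express link is reported as allowlisted, the consistent link as ok, and the IP-backed link as spoofed; removing the allowlist entry turns the first verdict into spoofed, which is exactly the behaviour the thread is asking about for rewritten newsletter links.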