[clamav-users] Finding the spoofed domain
Kris Deugau
kdeugau at vianet.ca
Tue Dec 15 15:17:20 UTC 2015
Alex wrote:
> Steve Basford wrote:
>> I've posted the email here:
>> http://pastebin.com/n4WRjmzE
>
>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>> Before inserting .: .f.email.americanexpress.com
>> Lookup result: in regex list
>> Phishcheck:host:.r.smartbrief.com
>> Phishing: looking up in whitelist:
>> .r.smartbrief.com:.f.email.americanexpress.
>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>> Lookup result: not in regex list
>> Phishcheck: Phishing scan result: URLs are way too different
>> found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>> emax_reached: marked parents as non cacheable
>
> Okay, interesting, thanks.
>
> While I don't necessarily expect clamav to understand
> americanexpress.com isn't a phishing/spoofed site, should we expect
> every time a URL is rewritten in this way for it to be labelled as a
> phishing attack?
>
> I actually also don't see in the message where
> f.email.americanexpress.com was wrapped inside of a smartbrief.com
> URL. I only see americanexpress.com/merchant, so perhaps I'm not
> understanding.
The thing to look for is links that appear to the eye as
americanexpress.com, but actually lead to smartbrief.com:
Visit us at: <a href="http://r.smartbrief.com/resp/<tracking ID>"
target="_new" style="text-decoration:none;
color:#2196c2">americanexpress.com/merchant</a></td>
You would just see americanexpress.com/merchant, but the link does not
lead *directly* to that location; it redirects from a clicktracking link
under smartbrief.com.
-kgd
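As an added example (not ClamAV's own code), here is a simplified form of the check the SpoofedDomain heuristic performs: compare the domain that an anchor's visible text shows with the host its href actually points to. The sample HTML is constructed after the snippet above, and the tracking ID is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message in the thread; the tracking
# ID and the second/third anchors are placeholders, not real links.
SAMPLE_HTML = (
    'Visit us at: <a href="http://r.smartbrief.com/resp/TRACKING-ID-PLACEHOLDER" '
    'target="_new" style="text-decoration:none; color:#2196c2">'
    'americanexpress.com/merchant</a></td>'
    '<a href="https://www.americanexpress.com/merchant">americanexpress.com/merchant</a>'
    '<a href="http://r.smartbrief.com/resp/X">Click here</a>'
)
# Visible text that "looks like" a URL: optional scheme, then a hostname.
HOST_RE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)', re.I)

def registered_domain(host):
    # Naive "last two labels" approximation of the registered domain
    # (no public-suffix list, so co.uk-style suffixes are not handled).
    labels = host.lower().strip('.').split('.')
    return '.'.join(labels[-2:])

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href', '')
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.anchors.append((self._href, ''.join(self._text).strip()))
            self._href = None

def find_spoofed_links(html):
    """Return (visible_text, href) pairs whose displayed domain differs from the real host."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        m = HOST_RE.match(text)
        if not m:
            continue  # plain words such as "Click here" make no domain claim
        shown = registered_domain(m.group(1))
        real_host = urlparse(href).hostname or ''
        if shown != registered_domain(real_host):
            hits.append((text, href))
    return hits
```

Running `find_spoofed_links(SAMPLE_HTML)` flags only the first anchor; the second points where it says it does and the third shows no domain at all.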