[clamav-users] Finding the spoofed domain
Al Varnell
alvarnell at mac.com
Wed Dec 16 03:02:29 UTC 2015
On Tue, Dec 15, 2015 at 06:21 PM, Alex wrote:
>
>>> Steve Basford wrote:
>>>> I've posted the email here:
>>>> http://pastebin.com/n4WRjmzE
>>>
>>>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>>>> Before inserting .: .f.email.americanexpress.com
>>>> Lookup result: in regex list
>>>> Phishcheck:host:.r.smartbrief.com
>>>> Phishing: looking up in whitelist:
>>>> .r.smartbrief.com:.f.email.americanexpress.
>>>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>>>> Lookup result: not in regex list
>>>> Phishcheck: Phishing scan result: URLs are way too different
>>>> found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>>> emax_reached: marked parents as non cacheable
>>>
>>> Okay, interesting, thanks.
>>>
>>> While I don't necessarily expect clamav to understand
>>> americanexpress.com isn't a phishing/spoofed site, should we expect
>>> every time a URL is rewritten in this way for it to be labelled as a
>>> phishing attack?
>>>
>>> I actually also don't see in the message where
>>> f.email.americanexpress.com was wrapped inside of a smartbrief.com
>>> URL. I only see americanexpress.com/merchant, so perhaps I'm not
>>> understanding.
>>
>> The thing to look for are links that appear to the eye as
>> americanexpress.com, but actually lead to smartbrief.com:
>>
>> Visit us at: <a href="http://r.smartbrief.com/resp/<tracking ID>"
>> target="_new" style="text-decoration:none;
>> color:#2196c2">americanexpress.com/merchant</a></td>
>>
>> You would just see americanexpress.com/merchant, but the link does not
>> lead *directly* to that location, it redirects from a clicktracking link
>> under smartbrief.com.
>
> Yes, I see that, but it doesn't appear to be the one clamav was
> complaining about. As above:
>
>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>> Lookup result: not in regex list
>> Phishcheck: Phishing scan result: URLs are way too different
>
> It seems to be complaining about f.email.americanexpress.com, which
> doesn't even exist in this email.
Pastebin line #154.
> Am I missing something, or is it really not even worth worrying about
> at this point?
>
> Thanks,
> Alex
-Al-
--
Al Varnell
Mountain View, CA
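As an added illustration of the check the quoted log describes (example code written for this page, not ClamAV's own implementation), here is a small Python model: the host shown in an anchor's visible text is compared with the host its href really leads to, and an allow-list of (real, displayed) host pairs stands in for the whitelist lookup seen in the log. The sample HTML is constructed from the anchor quoted above with the tracking ID replaced by a placeholder; the subdomain tolerance and the URL-like regex are simplifications, not ClamAV's rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the anchor quoted in the thread; tracking ID replaced by a placeholder.
SAMPLE_HTML = """<td>Visit us at: <a href="http://r.smartbrief.com/resp/TRACKING-ID-PLACEHOLDER"
target="_new" style="text-decoration:none;
color:#2196c2">americanexpress.com/merchant</a></td>
<p><a href="https://www.americanexpress.com/merchant">www.americanexpress.com</a></p>"""
# Anchor text that looks like a URL or a bare host/path, e.g. "americanexpress.com/merchant".
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or of a bare 'host/path' display string."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def check_anchor(href, text, allow=frozenset()):
    """Verdict for one anchor: 'clean', 'whitelisted' or 'spoofed'; non-URL text is never flagged."""
    if not URL_LIKE.fullmatch(text):
        return "clean"
    real, shown = host_of(href), host_of(text)
    if real == shown or real.endswith("." + shown):  # same site, or a subdomain of it
        return "clean"
    return "whitelisted" if (real, shown) in allow else "spoofed"  # allow-list of (real, displayed) hosts

def scan_html(html, allow=frozenset()):
    parser = AnchorCollector()
    parser.feed(html)
    return [(h, t, check_anchor(h, t, allow)) for h, t in parser.links]
```

Running `scan_html(SAMPLE_HTML)` flags the smartbrief.com click-tracking link as spoofed and leaves the anchor whose text and href agree as clean; adding `("r.smartbrief.com", "americanexpress.com")` to the allow-list turns the first verdict into "whitelisted".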