[clamav-users] Phishing FPs (chase.com, americanexpress.com)
Alex
mysqlstudent at gmail.com
Thu Apr 7 19:06:29 UTC 2016
Hi,
This HTML is resulting in an FP with hyatt.com and chase.com:
<a href=3D"http://e.hyatt.com/a/hBXBU6kB8hHSgB9KBuvAATyM-YE/gpgchfaq?MARKET=
ING_CODE=3DHycardSolo16GE1T&RECIPIENT_ID=3DG-G96179703L"
target=3D"_blank" = style=3D"color:#1564a4;
text-decoration:underline;">www.Chase.com/RewardsFA=
Qs</a>.
LibClamAV debug: Phishcheck:Checking url
http://e.hyatt.com/a/hBXBU6kB8hHSgB9KBuvAATyM-YE/gpgchfaq?MARKETING_CODE=HycardSolo16GE1T&recipient_id=G-G96179703L->www.Chase.com/RewardsFAQs
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted:
Heuristics.Phishing.Email.SpoofedDomain
This HTML is resulting in an FP with hilton.com and americanexpress.com:
<a href=3D"http://h1.hilton.com/a/hBXBouxAJZxlvB9L9=
L5ArLZiuwY/hhon28" style=3D"color: #7c7c7c;">AmericanExpress.com/PPterms</a>
LibClamAV debug: Phishcheck:Checking url
http://h1.hilton.com/a/hBXBouxAJZxlvB9L9L5ArLZiuwY/hhon28->AmericanExpress.com/PPterms
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted:
Heuristics.Phishing.Email.SpoofedDomain
I've added two entries to my whitelist.wdb file:
X:.+hilton\.com:americanexpress\.com:17-
X:.+hyatt.com:www.chase.com:17-
Thanks,
Alex
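
An added example, not part of the original post and not ClamAV code: a triage script that decodes a quoted-printable HTML part and lists the anchors whose visible URL names a different domain than the href, which is the kind of pair the Phishcheck debug lines above report. The two-label base-domain comparison and the names LinkPairs, URLISH and mismatched_links are assumptions made for this illustration.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Second link from the post plus one constructed same-domain link, still quoted-printable.
SAMPLE = (b'<a href=3D"http://h1.hilton.com/a/hBXBouxAJZxlvB9L9=\n'
          b'L5ArLZiuwY/hhon28" style=3D"color: #7c7c7c;">AmericanExpress.com/PPterms</a>\n'
          b'<a href=3D"http://www.example.com/offers">www.example.com/offers</a>\n')

# Visible text only counts when it looks like a URL or bare hostname.
URLISH = re.compile(r"(?i)^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$")

class LinkPairs(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname; visible text usually has no scheme, so supply one."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def base_domain(hostname):
    # Simplification: last two labels. Use the Public Suffix List for names like co.uk.
    return ".".join(hostname.split(".")[-2:])

def mismatched_links(raw_qp):
    """Return (real_host, displayed_host) where the visible URL names another domain."""
    parser = LinkPairs()
    parser.feed(quopri.decodestring(raw_qp).decode("utf-8", "replace"))
    out = []
    for href, text in parser.pairs:
        if URLISH.match(text):
            real, shown = host(href), host(text)
            if base_domain(real) != base_domain(shown):
                out.append((real, shown))
    return out

if __name__ == "__main__":
    for real, shown in mismatched_links(SAMPLE):
        print(f"{real} -> {shown}")
```

Each pair it reports still needs a manual check that the sending domain is a legitimate mailer for the displayed brand before any whitelist entry is written for it.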