[clamav-users] Understanding 'Heuristics.Phishing.Email.SpoofedDomain' debug output

Mickey Williams M.Williams at kent.ac.uk
Wed Nov 11 11:58:08 UTC 2020


Hi,
I'm trying and failing to understand the debug output for a positive phishing check result coming from a legitimate email from a bank.

If I do a scan with the debug flag I get the following -

LibClamAV debug: Looking up in regex_list: www.hsbc.co.uk/
LibClamAV debug: calc_pos_with_skip: skip:16, 8 - 22 "https://www.hsbc.co.uk","www.hsbc.co.uk/"
LibClamAV debug: calc_pos_with_skip:
LibClamAV debug: calc_pos_with_skip: skip:4, 8 - 22 "https://www.hsbc.co.uk","www.hsbc.co.uk/"
LibClamAV debug: calc_pos_with_skip:hsbc.co.uk
LibClamAV debug: Got a match: www.hsbc.co.uk/ with /ku.oc.cbsh
LibClamAV debug: Before inserting .: .www.hsbc.co.uk
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different


I understand what the Heuristics.Phishing.Email.SpoofedDomain is checking for and understand that most "false positives" aren't actually false positives when someone sends an HTML email with an HREF link target differing from a URL entered as the link text.

But with the above debug output I can't understand what it is trying to tell me. I don't see a 'false' URL being compared against.

If I look through the HTML email message for 'hsbc' I also don't see any HTML that uses a URL as the visible text.

Does anyone know what these two lines mean?

LibClamAV debug: Got a match: www.hsbc.co.uk/ with /ku.oc.cbsh
LibClamAV debug: Before inserting .: .www.hsbc.co.uk

Regards
Mickey Williams
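For readers following the thread, here is an added illustration of the check the poster describes (link text that is itself a URL but names a different host than its href). It is not ClamAV's code and does not model the regex-list lookup in the debug output; the sample HTML is constructed, not taken from the poster's message.

```python
# Simplified model of the "visible URL vs. actual link target" comparison.
# Not ClamAV's implementation; phishcheck.c is considerably more involved.
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(text):
    """Lowercase hostname of a URL or bare hostname, or None if not URL-like."""
    t = text.strip()
    if " " in t:                      # free text such as "click here" is not a URL
        return None
    if "://" not in t:
        t = "http://" + t             # bare hostnames still parse as a netloc
    host = urlparse(t).hostname
    # require a dot so a single word is not mistaken for a hostname
    return host.lower() if host and "." in host else None

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors = []             # (href, visible text) for every <a>
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def spoofed_links(html):
    """Return (shown_host, real_host) pairs where URL-like link text points elsewhere."""
    p = AnchorCollector()
    p.feed(html)
    hits = []
    for href, text in p.anchors:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            hits.append((shown, real))
    return hits

# Constructed sample message: first link is consistent, second is not.
SAMPLE = ('<p>Log in at <a href="https://www.hsbc.co.uk/">www.hsbc.co.uk</a> '
          'or <a href="http://login.example-fake.test/x">https://www.hsbc.co.uk/login</a>.</p>')
```

Running `spoofed_links(SAMPLE)` flags only the second anchor; a mail whose anchors all pass this check would need a different explanation for the detection, which is the poster's situation.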