[clamav-users] Heuristics.Phishing.Email.SpoofedDomain...
Robert Kudyba
rkudyba at fordham.edu
Tue Apr 13 14:39:31 UTC 2021
I'm seeing a FP from a Delta Airlines email.
Also, with clamav-milter and sendmail, I see that the headers of
quarantined messages go to /var/spool/mqueue with root:smmsp owner/group
permissions; the header of the email starts with hf whilst the body of
the message starts with df. So the message in question looks like this:
-rw------- 1 root smmsp 10050 Apr 12 09:40 hf13CDdtaZ2926176
-rw------- 1 root smmsp 100157 Apr 12 09:39 df13CDdtaZ2926176
To release the message, how does one find the queue_id to use with the
sendmail -qI command?
On Thu, Apr 1, 2021 at 7:11 PM G.W. Haywood via clamav-users <
clamav-users at lists.clamav.net> wrote:
> Hi there,
>
> On Thu, 1 Apr 2021, eric-list at truenet.com wrote:
>
> > Just a heads up. I noticed a bunch of American Express Statements in our
> > quarantine.
> > My guess is because they are using m.amex and go.amex links in the
> emails.
> >
> > DKIM and SPF pass so these definitely seem to be legit AMEX emails.
> > From address is "American Express" <AmericanExpress at welcome.aexp.com>
>
> Name(s) of the signature(s) detected?
>
> --
>
> 73,
> Ged.
>
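One way to approach the question above, as an added example that is not from the poster or the ClamAV project: the queue id is the queue file name with its two-letter prefix (hf, df, qf) removed, so a small POSIX shell function can list the ids of quarantined messages and show the quarantine reason recorded in the hf file before anything is released. It assumes the hf/df layout shown in the post, the sendmail queue-file format (a "q" line holds the quarantine reason) and the -Q, -qQ and -qI options as documented in sendmail(8); confirm both against your installed version.

```sh
#!/bin/sh
# Quarantined envelopes are stored as hf<ID>, normal ones as qf<ID>; the
# message body for either is df<ID>. The queue id is the name without the prefix.
# Assumption: queue layout as in the post, default directory /var/spool/mqueue.

# Print the queue id of every quarantined message in the given directory.
quarantined_queue_ids() {
    dir="${1:-/var/spool/mqueue}"
    for hf in "$dir"/hf*; do
        [ -e "$hf" ] || continue          # no match: the glob stayed literal
        id="${hf##*/hf}"
        if [ -e "$dir/df$id" ]; then
            printf '%s\n' "$id"
        else
            printf 'warning: %s has no body file df%s\n' "$id" "$id" >&2
        fi
    done
}

# Show why a message was quarantined (the "q" line of the hf file), so the
# milter verdict can be reviewed before the message is released.
quarantine_reason() {
    dir="${1:-/var/spool/mqueue}"
    id="$2"
    [ -r "$dir/hf$id" ] || return 1
    sed -n 's/^q//p' "$dir/hf$id"
}

# Emit (not run) the commands that unquarantine and then deliver one message,
# so an operator can inspect them first: -Q with no reason unquarantines,
# -qQ selects quarantined items, -qI<id> limits the run to that queue id.
release_commands() {
    id="$1"
    printf 'sendmail -qQ -Q -qI%s\n' "$id"
    printf 'sendmail -qI%s\n' "$id"
}

# Example run against the real queue (needs root, since the files are 0600):
#   for id in $(quarantined_queue_ids); do
#       echo "$id: $(quarantine_reason /var/spool/mqueue "$id")"
#   done
```

Review the reason for each id first; a message quarantined by clamav-milter for a phishing signature should only be released after the detection has been confirmed a false positive.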