[clamav-users] Heuristics.Phishing.Email.SpoofedDomain...
eric-list at truenet.com
Tue Apr 13 15:27:21 UTC 2021
Robert,
> From: clamav-users <clamav-users-bounces at lists.clamav.net> On Behalf Of Robert Kudyba
> Sent: Tuesday, April 13, 2021 10:40 AM
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Cc: G.W. Haywood <clamav at jubileegroup.co.uk>
> Subject: Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...
>
> I'm seeing a FP from a Delta Airlines email.
>
> Also, with clamav-milter and sendmail. I see that the headers of quarantined messages go to /var/spool/mqueue with root:smmsp owner/group permissions and the header of the email starts with hf whilst the body of the message starts with df. So the message in question looks like this:
> -rw------- 1 root smmsp 10050 Apr 12 09:40 hf13CDdtaZ2926176
> -rw------- 1 root smmsp 100157 Apr 12 09:39 df13CDdtaZ2926176
>
> To release the message how does one find the queue_id to use the sendmail -qI command?
I just checked out our quarantine to see what you were talking about and found a couple of ads in there.
Forwarded off a sample to Micah, but it looks like there are some very phishy looking links in the samples I have.
HTML link: americanexpress.com/rewards-info
Actual underlying link: https://click.o.delta.com/u/?qs=1568763c78f67b6cdcd44df9cfac10c6bdd8a68c567c4d04238da45d4092cc1adeef2f53a3a8c4248f7140f92bd80fb33b830537983d2ad07ed440f137dd0226
If you ask me, that deserves to be quarantined.
For Sendmail, it should be something like "sendmail -q". I would definitely look it up in the man pages, as I've been using postfix and exim now for a while.
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
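The mismatch Eric points out above (link text naming americanexpress.com while the underlying href goes to click.o.delta.com) is the kind of thing a SpoofedDomain-style heuristic keys on. The following is an added illustration of that check, not ClamAV's code and not anything from the thread: it parses the anchors out of an HTML message body and flags any link whose visible text looks like a hostname or URL for one domain while the href resolves to another. The sample HTML, the `qs=abc123` query value and the helper names (`spoofed_links`, `registrable_domain`) are constructed for this example; the two-label "registrable domain" rule is a deliberate simplification of what a public-suffix list would give you.

```python
"""Flag HTML e-mail links whose visible text claims one domain but whose
href points at another (an illustration of the SpoofedDomain idea).

Added example, constructed for this thread; not ClamAV's implementation.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that looks like a bare hostname or URL, e.g.
# "americanexpress.com/rewards-info" or "https://delta.com/mytrips".
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Crude organisation-level domain: the last two labels of the host.
    (Constructed simplification; a real scanner would consult a public-suffix list.)"""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, or None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def spoofed_links(html: str) -> list:
    """Return (displayed_domain, actual_domain, href) tuples for links whose
    visible text names a domain that differs from the href's domain.
    Links with plain text such as "Click here" make no domain claim and are skipped."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        m = _HOSTLIKE.match(text)
        if not m:
            continue
        shown = registrable_domain(m.group(1))
        actual = registrable_domain(urlsplit(href).hostname or "")
        if shown != actual:
            findings.append((shown, actual, href))
    return findings


# Constructed sample body: first link mimics the mismatch from the thread,
# the other two are benign (plain text, and text that matches its href).
SAMPLE_HTML = """
<p>Your rewards: <a href="https://click.o.delta.com/u/?qs=abc123">americanexpress.com/rewards-info</a></p>
<p><a href="https://www.delta.com/">Click here</a> to sign in.</p>
<p><a href="https://www.delta.com/mytrips">delta.com/mytrips</a></p>
"""

if __name__ == "__main__":
    for shown, actual, href in spoofed_links(SAMPLE_HTML):
        print(f"text claims {shown!r} but href goes to {actual!r}: {href}")
```

Running it against the sample prints one finding, for the americanexpress.com/click.o.delta.com pair; the "Click here" link is ignored because its text makes no domain claim, and the delta.com/mytrips link passes because text and href agree. A tracking redirector like the one in Eric's sample is a common legitimate source of exactly this pattern, which is why the heuristic produces false positives on marketing mail and why a whitelist of known redirector domains is the usual operational answer.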