[clamav-users] Amazon/SpoofedDomain FP
Maarten Broekman
maarten.broekman at gmail.com
Thu Mar 17 17:26:56 UTC 2022
That's indicating that there is a link in the email that's displaying "
www.americanexpress.com" but is actually going to "www.amazonbusiness.com".
It's hard to help without seeing the original email code.
On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users <
clamav-users at lists.clamav.net> wrote:
> Hi,
> The link description is a URL and apparently doesn't match the link
> itself, resulting in email from Amazon Business being marked as
> malicious. Do I just add this to some kind of allow/bypass list?
>
> How do I go about doing that?
>
> $ clamscan -v amazon-fp.eml
> Scanning /home/alex/quarantine/amazon-fp.eml
> LibClamAV info: Suspicious link found!
> LibClamAV info: Real URL: https://www.amazonbusiness.com
> LibClamAV info: Display URL: www.americanexpress.com
> /root/quarantine/amazon-fp.eml: Heuristics.Phishing.Email.SpoofedDomain
> FOUND
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20220317/c3ae1a4c/attachment.htm>
More information about the clamav-users
mailing list