On Feb 7, 2008 10:53 AM, Dennis Peterson <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > Thanks for the reply, Dennis. The 'virus' is actually a phishing
> > attempt from the 02/04 def update that's hitting on the logwatch email.
> > Here is the line from the clamd.log:
> >
> > Thu Feb  7 10:27:47 2008 ->
> > /var/spool/MailScanner/incoming/13948/29EC821AC463.28768.message:
> > Email.Phishing.RB-2646 FOUND
> >
> > Is there any way to find out what that phishing item is hitting on?
> >
> > Thanks!
>
> Please resist the urge to top-post.
>
> Of course it's possible to find what you wish. You have the pattern name
> so go to your database directory and grep for that name in the files
> there. In my environment I found that in the daily.ndb file. When you
> grep for the name you will have returned to you a long string of hex
> characters. Copy those characters and paste them into the Hex window at
> http://nickciske.com/tools/hex.php then select decode. It will show you
> the string of characters that ClamAV is looking for. I'd paste it in
> here for you but many mailers would reject this message.
>
> If you can't get the hex string from your system, here is a copy you can
> paste into the URL above:
>
> 687474703a2f2f63697469627573696e6573736f6e6c696e652e64612d75732e6369746962616e6b2e636f6d2e
>
> It may line-wrap - there are no natural line breaks in it. Anyway, it
> decodes to a bogus citibank URL. Check your problem file to see if
> citibank shows up in it.
>
>
> dp
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html
>
Sorry about the top post, spend enough time with other groups of users
and you lose your manners like I have...

I found the bogus URL; it's part of the logwatch report of detected
phishing attempts. Since they replicate the URL as part of the
phishing report then clamd rightly sees it as a threat. I guess my
only recourse is to alter the phishing report in logwatch or exclude
logwatch emails from being scanned. Talk about having to decide on the
lesser of two evils. I guess I should alter logwatch, I can always
pull the email from quarantine if I just must see what the problem
was.

Thank you very much Dennis!




-- 
Richard Ahlquist
Systems Analyst
http://www.patentlystupid.com
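
The lookup Dennis describes above (find the signature name in the database files, then decode its hex string), as an added example that is not part of the original thread. It assumes the standard .ndb line layout `MalwareName:TargetType:Offset:HexSignature`; the sample file content, the target type and offset shown for the thread's signature, and the function names are constructed for illustration.

```python
import re

# Constructed stand-in for an unpacked .ndb file. The first entry reuses the
# signature name and hex body quoted in the thread; its target type and offset
# are assumed. The second entry is made up to show wildcard handling.
SAMPLE_NDB = """\
Email.Phishing.RB-2646:4:*:687474703a2f2f63697469627573696e6573736f6e6c696e652e64612d75732e6369746962616e6b2e636f6d2e
Constructed.Example-1:0:*:6578616d706c65??2e{2-4}696e76616c6964*2f
"""

# Body tokens handled: hex byte pair, ?? (any byte), * (any run), {n}/{n-m} gaps.
TOKEN = re.compile(r"[0-9a-fA-F]{2}|\?\?|\*|\{[0-9-]+\}")


def decode_body(hex_body):
    """Render an .ndb hex body as text, keeping wildcards visible as <...>."""
    out, pos = [], 0
    while pos < len(hex_body):
        m = TOKEN.match(hex_body, pos)
        if m is None:
            # Nibble wildcards, alternations and the like: show raw, do not guess.
            out.append(f"<raw:{hex_body[pos:]}>")
            break
        tok, pos = m.group(0), m.end()
        if tok[0] in "?*{":
            out.append(f"<{tok}>")
        else:
            byte = int(tok, 16)
            out.append(chr(byte) if 0x20 <= byte <= 0x7E else f"\\x{byte:02x}")
    return "".join(out)


def find_signature(ndb_text, name):
    """Return (target_type, offset, decoded_body) for `name`, or None."""
    for line in ndb_text.splitlines():
        # Format: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == name:
            return fields[1], fields[2], decode_body(fields[3])
    return None


if __name__ == "__main__":
    # Signature name as it appears in the clamd.log line (without " FOUND").
    print(find_signature(SAMPLE_NDB, "Email.Phishing.RB-2646"))
```

Searching the flagged message for the decoded text then shows which part of it triggered the match, which here is the URL that logwatch copied into its report.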