Thanks for the info. I've run the scan on the body file and headers file and get:

LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @ main.ndb:54219
LibClamAV debug: Module PHISHING On
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

The mail has been quarantined though - I don't have the .eml file. I've scanned the hf and df files.

2009/4/29 Török Edwin <edwinto...@gmail.com>:
> On 2009-04-29 11:43, Greg McCarthy wrote:
>> I've upgraded to 0.95.1 and have a few mails that are getting
>> quarantined as Phishing.Heuristics.Email.SpoofedDomain
>>
>> How do I go about checking for spoofed domains in the email headers?
>> It's quite possible that the domain has been spoofed but I would like
>> to just double check?
>
> You should look at the body of the mail, not the headers (headers in an
> email can be easily forged, so they're usually not to be trusted anyway).
>
> You can use clamscan --debug to find out why ClamAV considers the email
> phishing, the output should be similar to the following:
>
> $ clamscan --debug /path/to/emailfile.eml 2>&1|grep -i phish
> LibClamAV debug: Initializing phishcheck module
> LibClamAV debug: Phishcheck: Compiling regex: ^
> *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
> LibClamAV debug: Phishcheck module initialized
> LibClamAV debug: Skipping signature Email.Phishing.DblDom-72 @
> main.ndb:54219
> LibClamAV debug: Module PHISHING On
> LibClamAV debug: Phishcheck:Checking url
> http://fake.example.com->banksite-example.com
> LibClamAV debug: Phishcheck:URL after cleanup:
> http://fake.example.com->banksite-example.com
> LibClamAV debug: Phishing: looking up in whitelist:
> http://fake.example.com:banksite-example.com; host-only:0
> LibClamAV debug: Phishcheck:host:.banksite-example.com
> LibClamAV debug: Phishcheck:host:.fake.example.com
> LibClamAV debug: Phishing: looking up in whitelist:
> .fake.example.com:.banksite-example.com; host-only:1
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too
> different
> LibClamAV debug: found Possibly Unwanted:
> Phishing.Heuristics.Email.SpoofedDomain
> /path/to/emailfile.eml: Phishing.Heuristics.Email.SpoofedDomain FOUND
>
> In this case the reason is that the 2 domains are different (the former
> is the URL real target of the hyperlink, the latter is the URL as shown
> to the user).
>
> Best regards,
> --Edwin
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
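
An added example, not part of the thread and not ClamAV project code: a small triage script that reads `clamscan --debug` output and pairs each "Checking url" line (real link target, then the URL shown to the user) with the scan result that follows it. The function names and the sample text are assumptions; the sample is constructed from the debug lines quoted in the thread, rejoined one per line.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed sample: debug lines quoted in the thread, one log entry per line.
SAMPLE = """\
LibClamAV debug: Module PHISHING On
LibClamAV debug: Phishcheck:Checking url http://fake.example.com->banksite-example.com
LibClamAV debug: Phishcheck:URL after cleanup: http://fake.example.com->banksite-example.com
LibClamAV debug: Phishcheck:host:.banksite-example.com
LibClamAV debug: Phishcheck:host:.fake.example.com
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Phishing.Heuristics.Email.SpoofedDomain
"""

CHECK = re.compile(r"Phishcheck:\s*Checking url (\S+?)->(\S+)")
RESULT = re.compile(r"Phishcheck:\s*Phishing scan result:\s*(.+)")
FOUND = re.compile(r"found Possibly Unwanted:\s*(\S+)")

def host(url):
    """Return the lowercase host of a URL, tolerating a missing scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def parse_phishcheck(text):
    """Pair each 'Checking url' line with the result lines that follow it."""
    findings, current = [], None
    for line in text.splitlines():
        if m := CHECK.search(line):
            current = {"real_host": host(m.group(1)),
                       "displayed_host": host(m.group(2)),
                       "result": None, "signature": None}
            findings.append(current)
        elif current and (m := RESULT.search(line)):
            current["result"] = m.group(1).strip()
        elif current and (m := FOUND.search(line)):
            current["signature"] = m.group(1)
    return findings

def no_urls_checked(text):
    """True when the phishing module was on but no URL pair was logged."""
    return "Module PHISHING On" in text and not parse_phishcheck(text)

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in parse_phishcheck(data):
        print(f"{f['real_host']} shown as {f['displayed_host']}: "
              f"{f['result']} [{f['signature']}]")
    if no_urls_checked(data):
        print("phishcheck ran but logged no URL pairs for this input")
```

Pipe real output into it with `clamscan --debug FILE 2>&1 | python3 script.py`, where `script.py` is whatever name the block is saved under.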