On Feb 1, 2014, at 1:44 PM, Alex <mysqlstud...@gmail.com> wrote:
> Hi,
>
> On Sat, Feb 1, 2014 at 5:32 AM, Al Varnell <alvarn...@mac.com> wrote:
>>
>> On Jan 31, 2014, at 5:26 PM, Alex <mysqlstud...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I found another false-positive, this time with
>>> Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring
>>> out what domain within the email it thinks is spoofed.
>>>
>>> I've pasted the email here:
>>>
>>> http://pastebin.com/S7XkCg9a
>>>
>>> Any ideas greatly appreciated.
>>
>> LibClamAV debug: Phishcheck:host:.ems1.aeroplan.com
>> LibClamAV debug: Phishing: looking up in whitelist:
>> .ems1.aeroplan.com:.www.tdcanadatrust.com; host-only:1
>> LibClamAV debug: Looking up in regex_list:
>> ems1.aeroplan.com:www.tdcanadatrust.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted:
>> Heuristics.Phishing.Email.SpoofedDomain
>
> I don't understand what this means. How did you generate this? Where
> did the tdcanadatrust.com come from?

Running clamscan --debug against the file.

http://www.tdcanadatrust.com/tdvisa/agreements appears several times in the body of the message but links to http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc&M=1&L=2&v=4.

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml