Hi,

>>>> I found another false-positive, this time with
>>>> Heuristics.Phishing.Email.SpoofedDomain and I'd like help in figuring
>>>> out what domain within the email it thinks is spoofed.
>>>>
>>>> I've pasted the email here:
>>>>
>>>> http://pastebin.com/S7XkCg9a
>>>>
>>>> Any ideas greatly appreciated.
>>>
>>> LibClamAV debug: Phishcheck:host:.ems1.aeroplan.com
>>> LibClamAV debug: Phishing: looking up in whitelist: .ems1.aeroplan.com:.www.tdcanadatrust.com; host-only:1
>>> LibClamAV debug: Looking up in regex_list: ems1.aeroplan.com:www.tdcanadatrust.com/
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>
>> I don't understand what this means. How did you generate this? Where
>> did the tdcanadatrust.com come from?
>
> running clamscan --debug against the file.  
> http://www.tdcanadatrust.com/tdvisa/agreements appears
> several times in the body of the message but links to 
> http://ems1.aeroplan.com/a/l.x?t=icholbpbeophbeocnlmimpbc&;
> M=1&L=2&v=4.

Ah, thanks. I should have known that.

In this case it wasn't intended to be malicious, but I'm surprised
more legitimate mail isn't tagged for doing this.

Thanks again,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
