On Tue, Dec 15, 2015 at 06:21 PM, Alex wrote:
>
>>> Steve Basford wrote:
>>>> I've posted the email here:
>>>> http://pastebin.com/n4WRjmzE
>>>
>>>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>>>> Before inserting .: .f.email.americanexpress.com
>>>> Lookup result: in regex list
>>>> Phishcheck:host:.r.smartbrief.com
>>>> Phishing: looking up in whitelist:
>>>> .r.smartbrief.com:.f.email.americanexpress.
>>>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>>>> Lookup result: not in regex list
>>>> Phishcheck: Phishing scan result: URLs are way too different
>>>> found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>>> emax_reached: marked parents as non cacheable
>>>
>>> Okay, interesting, thanks.
>>>
>>> While I don't necessarily expect clamav to understand
>>> americanexpress.com isn't a phishing/spoofed site, should we expect
>>> every time a URL is rewritten in this way for it to be labelled as a
>>> phishing attack?
>>>
>>> I actually also don't see in the message where
>>> f.email.americanexpress.com was wrapped inside of a smartbrief.com
>>> URL. I only see americanexpress.com/merchant, so perhaps I'm not
>>> understanding.
>>
>> The thing to look for are links that appear to the eye as
>> americanexpress.com, but actually lead to smartbrief.com:
>>
>> Visit us at: <a href="http://r.smartbrief.com/resp/<tracking ID>"
>> target="_new" style="text-decoration:none;
>> color:#2196c2">americanexpress.com/merchant</a></td>
>>
>> You would just see americanexpress.com/merchant, but the link does not
>> lead *directly* to that location, it redirects from a clicktracking link
>> under smartbrief.com.
>
> Yes, I see that, but it doesn't appear to be the one clamav was
> complaining about. As above:
>
>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>> Lookup result: not in regex list
>> Phishcheck: Phishing scan result: URLs are way too different
>
> It seems to be complaining about f.email.americanexpress.com, which
> doesn't even exist in this email.

Pastebin line #154.

> Am I missing something, or is it really not even worth worrying about
> at this point?
>
> Thanks,
> Alex

-Al-
--
Al Varnell
Mountain View, CA