Hi,
 I'm trying and failing to understand the debug output for a positive phishing 
check result coming from a legitimate email from a bank.

If I do a scan with the debug flag I get the following -

LibClamAV debug: Looking up in regex_list: www.hsbc.co.uk/
LibClamAV debug: calc_pos_with_skip: skip:16, 8 - 22 "https://www.hsbc.co.uk","www.hsbc.co.uk/";
LibClamAV debug: calc_pos_with_skip:
LibClamAV debug: calc_pos_with_skip: skip:4, 8 - 22 "https://www.hsbc.co.uk","www.hsbc.co.uk/";
LibClamAV debug: calc_pos_with_skip:hsbc.co.uk
LibClamAV debug: Got a match: www.hsbc.co.uk/ with /ku.oc.cbsh
LibClamAV debug: Before inserting .: .www.hsbc.co.uk
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different


I understand what the Heuristics.Phishing.Email.SpoofedDomain is checking for 
and understand that most "false positives" aren't actually false positives when 
someone sends an HTML email with an HREF link target differing from a URL entered 
as the link text.

But with the above debug output I can't understand what it is trying to tell 
me. I don't see a 'false' URL being compared against.

If I look through the HTML email message for 'hsbc' I also don't see any HTML 
that uses a URL as the visible text.

Does anyone know what these two lines mean?

LibClamAV debug: Got a match: www.hsbc.co.uk/ with /ku.oc.cbsh
LibClamAV debug: Before inserting .: .www.hsbc.co.uk

Regards
Mickey Williams

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
