Hi,
> I've posted the email here: > http://pastebin.com/n4WRjmzE > Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema > Before inserting .: .f.email.americanexpress.com > Lookup result: in regex list > Phishcheck:host:.r.smartbrief.com > Phishing: looking up in whitelist: > .r.smartbrief.com:.f.email.americanexpress. > Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/ > Lookup result: not in regex list > Phishcheck: Phishing scan result: URLs are way too different > found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain > emax_reached: marked parents as non cacheable Okay, interesting, thanks. While I don't necessarily expect clamav to understand americanexpress.com isn't a phishing/spoofed site, should we expect every time a URL is rewritten in this way for it to be labelled as a phishing attack? I actually also don't see in the message where f.email.americanexpress.com was wrapped inside of a smartbrief.com URL. I only see americanexpress.com/merchant, so perhaps I'm not understanding. Thanks, Alex _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml