Hi,

>> Steve Basford wrote:
>>> I've posted the email here:
>>> http://pastebin.com/n4WRjmzE
>>
>>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>>> Before inserting .: .f.email.americanexpress.com
>>> Lookup result: in regex list
>>> Phishcheck:host:.r.smartbrief.com
>>> Phishing: looking up in whitelist:
>>> .r.smartbrief.com:.f.email.americanexpress.
>>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>>> Lookup result: not in regex list
>>> Phishcheck: Phishing scan result: URLs are way too different
>>> found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>> emax_reached: marked parents as non cacheable
>>
>> Okay, interesting, thanks.
>>
>> While I don't necessarily expect clamav to understand
>> americanexpress.com isn't a phishing/spoofed site, should we expect
>> every time a URL is rewritten in this way for it to be labelled as a
>> phishing attack?
>>
>> I actually also don't see in the message where
>> f.email.americanexpress.com was wrapped inside of a smartbrief.com
>> URL. I only see americanexpress.com/merchant, so perhaps I'm not
>> understanding.
>
> The thing to look for are links that appear to the eye as
> americanexpress.com, but actually lead to smartbrief.com:
>
> Visit us at: <a href="http://r.smartbrief.com/resp/<tracking ID>"
> target="_new" style="text-decoration:none;
> color:#2196c2">americanexpress.com/merchant</a></td>
>
> You would just see americanexpress.com/merchant, but the link does not
> lead *directly* to that location, it redirects from a clicktracking link
> under smartbrief.com.

Yes, I see that, but it doesn't appear to be the one clamav was
complaining about. As above:

> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
> Lookup result: not in regex list
> Phishcheck: Phishing scan result: URLs are way too different

It seems to be complaining about f.email.americanexpress.com, which
doesn't even exist in this email.

Am I missing something, or is it really not even worth worrying about at
this point?

Thanks,
Alex
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml