Re: [clamav-users] SpoofedDomain FOUND
Ellan,

I'm afraid it's going to be more trouble than it's worth. You will need to turn debugging on when you scan that mailbox, which will produce a huge amount of output but includes details about exactly what was found. You would then need to search that mailbox in Thunderbird for the offending URL and decide whether you need the message or it can be deleted.

A SpoofedDomain finding is not necessarily an attempt to misdirect you. It's a technique sometimes used to give a message clarity.

-Al-

On Wed, Feb 15, 2017 at 12:17 PM, ellanios82 wrote:
>
> scanning my Thunderbird directory, am getting:
>
> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: Heuristics.Phishing.Email.SpoofedDomain FOUND
> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: copied to '/var/log/clams.infected/bus'
>
> How please do i locate the offending message to delete, as i do not want to delete the entire directory?

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] SpoofedDomain FOUND
On 15.02.2017 at 22:26, ellanios82 wrote:
> How please can i identify which is the Offending message: am getting:
>
> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: Heuristics.Phishing.Email.SpoofedDomain FOUND

you can't, because Thunderbird is using https://en.wikipedia.org/wiki/Mbox and so there is more than one message in a single file; clamav tells you that file and that's it

it's likely one of the thread "clamdscan mail file" on this list today with a sample of that idiotic "Heuristics.Phishing.Email.SpoofedDomain" which in fact also hits *original* paypal mails, and has for a very long time, and hence *can not* be used in the context of a milter, and so only with a spamassassin plugin which only scores instead of making absolute decisions

weird that your local scan hits on the mailbox while that message doesn't hit "Heuristics.Phishing.Email.SpoofedDomain" when wrapped through clamdscan, which is the whole point of the thread
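Because ClamAV only names the mbox file, the practical way to find the one message behind a FOUND line is to split the mbox into single .eml files and scan those individually. The script below is an added example, not code from the thread or from the ClamAV project: it splits an mbox with Python's standard mailbox module, parses clamscan's per-file "path: NAME FOUND" lines, and reports the Subject/From/Message-ID a person needs to find and delete the message in Thunderbird. The sample mbox it builds is constructed here; scanning it requires a local clamscan (the scanner is invoked with the --phishing-scan-urls option suggested in the clamdscan thread).

```python
"""Find which message inside an mbox file triggers a ClamAV detection."""
import email
import mailbox
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional

# clamscan prints one line per scanned file, e.g.
#   /tmp/split/0001.eml: Heuristics.Phishing.Email.SpoofedDomain FOUND
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed two-message mbox: the second message carries a link whose
# visible text names a different host than its href, the kind of mismatch
# the URL phishing heuristics look at.  Domains use reserved names only.
SAMPLE_MBOX = (
    "From alice@example.invalid Wed Feb 15 12:00:00 2017\n"
    "From: alice@example.invalid\n"
    "Subject: first\n"
    "Message-ID: <one@example.invalid>\n"
    "\n"
    "hello\n"
    "\n"
    "From bob@example.invalid Wed Feb 15 12:01:00 2017\n"
    "From: bob@example.invalid\n"
    "Subject: second\n"
    "Message-ID: <two@example.invalid>\n"
    "Content-Type: text/html\n"
    "\n"
    '<a href="http://www.example.net/">https://www.example.org</a>\n'
)


def write_sample_mbox(path: str) -> str:
    """Write the constructed mbox to disk (so the example runs offline)."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def split_mbox(mbox_path: str, out_dir: str) -> List[str]:
    """Write every message of the mbox to out_dir/NNNN.eml; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for i, msg in enumerate(mailbox.mbox(mbox_path)):
        path = os.path.join(out_dir, f"{i:04d}.eml")
        with open(path, "wb") as fh:
            fh.write(msg.as_bytes())
        paths.append(path)
    return paths


def message_summary(path: str) -> Dict[str, Optional[str]]:
    """The headers a person needs to locate the message in the mail client."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh)
    return {
        "subject": msg.get("Subject"),
        "from": msg.get("From"),
        "message-id": msg.get("Message-ID"),
    }


def parse_clamscan_output(output: str) -> Dict[str, str]:
    """Map each path reported as FOUND to its signature name."""
    hits: Dict[str, str] = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def scan_split_messages(paths: List[str], clamscan: str = "clamscan") -> Dict[str, str]:
    """Run clamscan once over all split messages; return {path: signature}.

    clamscan exits 1 when something is found, so check=False is deliberate.
    """
    if not paths:
        return {}
    proc = subprocess.run(
        [clamscan, "--no-summary", "--phishing-scan-urls", *paths],
        capture_output=True, text=True, check=False,
    )
    return parse_clamscan_output(proc.stdout)


def demo() -> List[Dict[str, Optional[str]]]:
    """Split the constructed mbox in a temp dir and return per-message summaries."""
    work = tempfile.mkdtemp(prefix="mboxsplit-")
    mbox_path = write_sample_mbox(os.path.join(work, "bus"))
    paths = split_mbox(mbox_path, os.path.join(work, "split"))
    return [message_summary(p) for p in paths]


if __name__ == "__main__":
    work = tempfile.mkdtemp(prefix="mboxsplit-")
    parts = split_mbox(write_sample_mbox(os.path.join(work, "bus")),
                       os.path.join(work, "split"))
    for path, sig in scan_split_messages(parts).items():
        print(sig, message_summary(path))
```

To use it on the mailbox from the thread, call split_mbox on the Thunderbird folder file (the "bus" path in the report) and scan_split_messages on the result; each hit prints the headers of exactly one message.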
Re: [clamav-users] SpoofedDomain FOUND
On 02/15/17 22:48, Kees Theunissen wrote:
> On Wed, 15 Feb 2017, ellanios82 wrote:
>> Hello List,
>>
>> scanning my Thunderbird directory, am getting:
>>
>> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: Heuristics.Phishing.Email.SpoofedDomain FOUND
>> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: copied to '/var/log/clams.infected/bus'
>>
>> How please do i locate the offending message to delete, as i do not want to delete the entire directory?
>
> It's likely a message from this mailinglist:
>
> My spam/virus filter rejected a message from this list:
> Timestamp: Feb 15 17:50:33 (UTC +1)
> Size: 1365308
> Subject: Re: [clamav-users] clamdscan mail file
> Message-ID: 43291D57DEB83042A250562D597FDBDA477C0EED@PC1WEPSIEXDAG02
> Status: Rejecting because of virus Heuristics.Phishing.Email.SpoofedDomain
>
> The timestamp is not the "Date:" header from the message but the time of the delivery attempt at my mail server.
>
> Looks like this was the message that Reindl Harald replied to with his last message in the thread "clamdscan mail file". This should be sufficient information to locate the message.
>
> Regards,
> Kees Theunissen.

- many thanks Kees:

No: do not have that message.

How please can i identify which is the Offending message: am getting:

/home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: Heuristics.Phishing.Email.SpoofedDomain FOUND

have tried:

clamscan -i --phishing-cloak=yes & clamscan --phishing-sigs=yes

but they do not reveal the identity of the infected message? How to identify, please?

thanks
ellan
Re: [clamav-users] SpoofedDomain FOUND
On Wed, 15 Feb 2017, ellanios82 wrote:
> Hello List,
>
> scanning my Thunderbird directory, am getting:
>
> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: Heuristics.Phishing.Email.SpoofedDomain FOUND
> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: copied to '/var/log/clams.infected/bus'
>
> How please do i locate the offending message to delete, as i do not want to delete the entire directory?

It's likely a message from this mailinglist:

My spam/virus filter rejected a message from this list:
Timestamp: Feb 15 17:50:33 (UTC +1)
Size: 1365308
Subject: Re: [clamav-users] clamdscan mail file
Message-ID: 43291D57DEB83042A250562D597FDBDA477C0EED@PC1WEPSIEXDAG02
Status: Rejecting because of virus Heuristics.Phishing.Email.SpoofedDomain

The timestamp is not the "Date:" header from the message but the time of the delivery attempt at my mail server.

Looks like this was the message that Reindl Harald replied to with his last message in the thread "clamdscan mail file". This should be sufficient information to locate the message.

Regards,
Kees Theunissen.

--
Kees Theunissen, System and network manager, Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: c.j.theunis...@differ.nl
postal address: PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
[clamav-users] SpoofedDomain FOUND
Hello List,

scanning my Thunderbird directory, am getting:

/home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: copied to '/var/log/clams.infected/bus'

How please do i locate the offending message to delete, as i do not want to delete the entire directory?

thanks
ellan
Re: [clamav-users] Can't download daily.cvd
On 15/02/17 19:32, Opiniano, Joyce wrote:
> ClamAV update process started at Mon Feb 13 14:51:17 2017
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
> nonblock_recv: recv timing out (30 secs)
> WARNING: getfile: Error while reading database from database.clamav.net (IP: 168.143.19.95): Operation already in progress
> WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
> WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
[...]

Looks suspiciously like what we also have, except it's daily-21972 (despite DNS saying it should download 23067) on our side.

--
B&A Consultants - IT security - www.ba-consultants.fr
Tel. : +33 (0) 563 277 241 - Fax : +33 (0) 567 737 829
[clamav-users] Can't download daily.cvd
Hi,

We started getting this error message 5 days ago when we were trying to update the USB used for virus scanning. Kindly advise on what tasks need to be performed in order to successfully download the daily.cvd from database.clamav.net.

ClamAV update process started at Mon Feb 13 14:51:17 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 168.143.19.95): Operation already in progress
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 194.8.197.22): Operation already in progress
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 128.199.133.36): Operation already in progress
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...

ClamAV update process started at Mon Feb 13 14:55:20 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 69.163.100.14): Operation already in progress
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 207.57.106.31): Operation already in progress
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 168.143.19.95): Operation already in progress
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 64.22.33.90): Operation already in progress
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...

ClamAV update process started at Mon Feb 13 14:59:48 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from database.clamav.net (IP: 128.199.133.36): Operation already in progress
WARNING: getpatch: Can't download daily-23032.cdiff from database.clamav.net
nonblock_recv: recv timing out (30 secs)
ERROR: getfile: Error while reading database from database.clamav.net (IP: 207.57.106.31): Operation already in progress
nonblock_recv: recv timing out (30 secs)
ERROR: getfile: Error while reading database from database.clamav.net (IP: 69.163.100.14): Operation already in progress
ERROR: Can't download daily.cvd from database.clamav.net
Giving up on database.clamav.net...

Update failed. Your network may be down or none of the mirrors listed in c:\users\alcazarm\appdata\local\temp\tmp0ev_go is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
-- Completed --

Thanks in advance,
Joyce
Re: [clamav-users] clamdscan mail file
they indeed do not fire with "clamdscan", these mails which are *not phishing* and are the reason why i configured a second clamd and disabled that idiotic stuff in the milter instance
http://lists.clamav.net/pipermail/clamav-users/2016-July/003113.html

-100 USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist
-0.0 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
-0.0 CUST_SHORTCIRCUIT1 Skip tests for whitelists and local relays

On 15.02.2017 at 17:49, outre...@epsilon.com wrote:
> Dear all,
>
> Please see the two source files attached for the English and German versions of the email.
>
> Many thanks for your help,
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Steven Morgan
> Sent: 15 February 2017 16:33
> To: ClamAV users ML
> Subject: Re: [clamav-users] clamdscan mail file
>
> Hi,
>
> Can you try 'clamscan --phishing-scan-urls'?
Re: [clamav-users] clamdscan mail file
Hi,

Can you try 'clamscan --phishing-scan-urls'?

Thanks,
Steve

On Mon, Feb 13, 2017 at 7:05 AM, TBits.net, Mailinglists <mailingli...@tbits.net> wrote:
> Hi @all,
>
> clamav-milter identifies an email as infected by Heuristics.Phishing.Email.SSL-Spoof.
>
> This is correct, but when I scan this file in the quarantine with clamdscan or clamscan the file is clean.
> It seems that clamscan or clamdscan do not scan this file for phishing.
> Is it possible to scan a text file as a mail to identify phishing?
>
> Regards
> Andreas
>
> This message was sent using webmail of www.tbits.net.
[clamav-users] Freshclam troubles
Hello,

We are having some troubles with freshclam. Following a server crash, we reinstalled ClamAV (on a Gentoo box). It seems to work properly, but freshclam has been spitting the same error ever since (see below). Mirrors are db.fr.clamav.net, db.de.clamav.net and database.clamav.net (in this order).

What we do not understand is
- why it is requesting daily-21972.diff
- when the last version from the DNS query is 23067
- and, of course, where daily-21972 comes from?

$ freshclam -v
Current working dir is /var/lib/clamav
Max retries == 2
ClamAV update process started at Wed Feb 15 16:14:36 2017
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1468
Software version from DNS: 0.99.2
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd version from DNS: 23067
Retrieving http://db.fr.clamav.net/daily-21972.cdiff
Trying to download http://db.fr.clamav.net/daily-21972.cdiff
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.fr.clamav.net: Operation now in progress
WARNING: getpatch: Can't download daily-21972.cdiff from db.fr.clamav.net
Querying daily.21972.82.0.0.C0A85302.ping.clamav.net
Retrieving http://db.fr.clamav.net/daily-21972.cdiff
Trying to download http://db.fr.clamav.net/daily-21972.cdiff
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.fr.clamav.net: Operation now in progress
WARNING: getpatch: Can't download daily-21972.cdiff from db.fr.clamav.net
Querying daily.21972.82.0.0.C0A85302.ping.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Whitelisting short-term blacklisted mirrors
Retrieving http://db.fr.clamav.net/daily.cvd
Trying to download http://db.fr.clamav.net/daily.cvd
Downloading daily.cvd [100%]
WARNING: Mirror 192.168.83.2 is not synchronized.
Querying daily.0.82.0.0.C0A85302.ping.clamav.net
Trying again in 5 secs...

ClamAV update process started at Wed Feb 15 16:15:49 2017
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1395
Software version from DNS: 0.99.2
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd version from DNS: 23067
Retrieving http://db.fr.clamav.net/daily-21972.cdiff
Trying to download http://db.fr.clamav.net/daily-21972.cdiff
WARNING: getfile: daily-21972.cdiff not found on db.fr.clamav.net
WARNING: getpatch: Can't download daily-21972.cdiff from db.fr.clamav.net
Querying daily.21972.82.0.0.C0A85302.ping.clamav.net
Retrieving http://db.fr.clamav.net/daily-21972.cdiff
Trying to download http://db.fr.clamav.net/daily-21972.cdiff
WARNING: getfile: daily-21972.cdiff not found on db.fr.clamav.net
ERROR: getpatch: Can't download daily-21972.cdiff from db.fr.clamav.net
Querying daily.21972.82.0.0.C0A85302.ping.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Whitelisting short-term blacklisted mirrors
Retrieving http://db.fr.clamav.net/daily.cvd
Trying to download http://db.fr.clamav.net/daily.cvd
Downloading daily.cvd [100%]
WARNING: Mirror 192.168.83.2 is not synchronized.
Querying daily.0.82.0.0.C0A85302.ping.clamav.net
Giving up on db.fr.clamav.net...

ClamAV update process started at Wed Feb 15 16:15:58 2017
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1386
Software version from DNS: 0.99.2
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd version from DNS: 23067
Retrieving http://db.de.clamav.net/daily-21972.cdiff
Trying to download http://db.de.clamav.net/daily-21972.cdiff
WARNING: getfile: daily-21972.cdiff not found on db.de.clamav.net
WARNING: getpatch: Can't download daily-21972.cdiff from db.de.clamav.net
Querying daily.21972.82.0.0.C0A85302.ping.clamav.net
Retrieving http://db.de.clamav.net/daily-21972.cdiff
Trying to download http://db.de.clamav.net/daily-21972.cdiff
WARNING: getfile: daily-21972.cdiff not found on db.de.clamav.net
ERROR: getpatch: Can't download daily-21972.cdiff from db.de.clamav.net
Querying daily.21972.82.0.0.C0A85302.ping.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Whitelisting short-term blacklisted mirrors
Retrieving http://db.de.clamav.net/daily.cvd
Trying to download http://db.de.clamav.net/daily.cvd
Downloading daily.cvd [100%]
WARNING: Mirror 192.168.83.2 is not synchronized.
Querying daily.0.82.0.0.C0A85302.ping.clamav.net
Giving up on db.de.clamav.net...

ClamAV update process started at Wed Feb 15 16:16:09 2017
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1375
Software version from DNS: 0.99.2
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd version from DNS: 23067
Retrieving http://database.clamav.net/daily-21972.cdiff
Trying to download http://database.clamav.net/daily-21972.cdiff
WARNING: getfile: daily-21972.c
Re: [clamav-users] clamdscan mail file
On 15.02.2017 at 13:23, outre...@epsilon.com wrote:
> Thank you for your help. I am not familiar with ClamAv and what you are describing below. Please let me know - is there any information I can provide that would help you to correct the issue?

i asked simply for the email file - please understand that talking about things and providing mangled and cut snippets of the files in doubt is useless, because nobody can try to reproduce an issue

since you are not the OP, for the usage of clamdscan and clamd itself please consult the documentation

> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Reindl Harald
> Sent: 15 February 2017 12:16
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] clamdscan mail file
>
> On 15.02.2017 at 13:10, TBits.net, Mailinglists wrote:
>> On 2017-02-13 15:07, TBits.net, Mailinglists wrote:
>>> On 2017-02-13 14:39, Reindl Harald wrote:
>>>> On 13.02.2017 at 14:33, TBits.net, Mailinglists wrote:
>>>>> On 2017-02-13 13:19, Reindl Harald wrote:
>>>>>> On 13.02.2017 at 13:05, TBits.net, Mailinglists wrote:
>>>>>>> Hi @all,
>>>>>>>
>>>>>>> clamav-milter identifies an email as infected by Heuristics.Phishing.Email.SSL-Spoof.
>>>>>>>
>>>>>>> This is correct, but when I scan this file in the quarantine with clamdscan or clamscan the file is clean. It seems that clamscan or clamdscan do not scan this file for phishing.
>>>>>>> Is it possible to scan a text file as a mail to identify phishing?
>>>>>>
>>>>>> clamdscan is using clamd the same way as "clamav-milter", and so if it's the same clamd configuration it behaves identically
>>>>>
>>>>> clamav-milter identifies it as Heuristics.Phishing.Email.SSL-Spoof but in clamdscan it is clean. And I think the result should be the same
>>>>
>>>> they are - proven by a webinterface where i upload eml files and pass them through spamd and clamdscan using two different clamd instances which are used by clamav-milter and/or spamassassin
>>>>
>>>> are you 100% certain that clamdscan is using the identical clamd instance with identical configuration?
>>>
>>> Yes, only one instance of clamd is running.
>>> I scan only the quarantined mail which was held by clamav-milter before.
>>>
>>> Tested under different servers; on all servers the result is the same.
>>
>> any idea how I can scan a text file as email, so that phishing attempts are identified?
>>
>> if you send the code via telnet to the smtp server, clamav-milter identifies it as "infected by Heuristics.Phishing.Email.SSL-Spoof"
>> If you scan a file with this code, clamdscan identifies it as clean.
>>
>> --- snip---
>> subject: test
>>
>> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_
>> Content-Type: text/html; charset="iso-8859-1"
>> Content-Transfer-Encoding: quoted-printable
>>
>> http://www.example.de/";>https://www.example.de;
>> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_-
>> ---snip---
>
> a good start would be to provide an *unchanged* sample .eml file so that somebody can reproduce it - at least unmangled eml files saved with thunderbird and piped through clamdscan behave 100% identically to milter usage because there is technically no difference at all, so most likely your file is just recognized as email

--
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 676 40 221 40
p: +43 1 595 3999 33
http://www.thelounge.net/
Re: [clamav-users] clamdscan mail file
Hello,

Thank you for your help. I am not familiar with ClamAv and what you are describing below. Please let me know - is there any information I can provide that would help you to correct the issue?

Many thanks,
Anne-Sophie

-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Reindl Harald
Sent: 15 February 2017 12:16
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] clamdscan mail file

On 15.02.2017 at 13:10, TBits.net, Mailinglists wrote:
> On 2017-02-13 15:07, TBits.net, Mailinglists wrote:
>> On 2017-02-13 14:39, Reindl Harald wrote:
>>> On 13.02.2017 at 14:33, TBits.net, Mailinglists wrote:
>>>> On 2017-02-13 13:19, Reindl Harald wrote:
>>>>> On 13.02.2017 at 13:05, TBits.net, Mailinglists wrote:
>>>>>> Hi @all,
>>>>>>
>>>>>> clamav-milter identifies an email as infected by Heuristics.Phishing.Email.SSL-Spoof.
>>>>>>
>>>>>> This is correct, but when I scan this file in the quarantine with clamdscan or clamscan the file is clean. It seems that clamscan or clamdscan do not scan this file for phishing.
>>>>>> Is it possible to scan a text file as a mail to identify phishing?
>>>>>
>>>>> clamdscan is using clamd the same way as "clamav-milter", and so if it's the same clamd configuration it behaves identically
>>>>
>>>> clamav-milter identifies it as Heuristics.Phishing.Email.SSL-Spoof but in clamdscan it is clean. And I think the result should be the same
>>>
>>> they are - proven by a webinterface where i upload eml files and pass them through spamd and clamdscan using two different clamd instances which are used by clamav-milter and/or spamassassin
>>>
>>> are you 100% certain that clamdscan is using the identical clamd instance with identical configuration?
>>
>> Yes, only one instance of clamd is running.
>> I scan only the quarantined mail which was held by clamav-milter before.
>>
>> Tested under different servers; on all servers the result is the same.
>
> any idea how I can scan a text file as email, so that phishing attempts are identified?
>
> if you send the code via telnet to the smtp server, clamav-milter identifies it as "infected by Heuristics.Phishing.Email.SSL-Spoof"
> If you scan a file with this code, clamdscan identifies it as clean.
>
> --- snip---
> subject: test
>
> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> href="http://www.example.de/";>https://www.example.de;
> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_-
> ---snip---

a good start would be to provide an *unchanged* sample .eml file so that somebody can reproduce it - at least unmangled eml files saved with thunderbird and piped through clamdscan behave 100% identically to milter usage because there is technically no difference at all, so most likely your file is just recognized as email
Re: [clamav-users] clamdscan mail file
On 15.02.2017 at 13:10, TBits.net, Mailinglists wrote:
> On 2017-02-13 15:07, TBits.net, Mailinglists wrote:
>> On 2017-02-13 14:39, Reindl Harald wrote:
>>> On 13.02.2017 at 14:33, TBits.net, Mailinglists wrote:
>>>> On 2017-02-13 13:19, Reindl Harald wrote:
>>>>> On 13.02.2017 at 13:05, TBits.net, Mailinglists wrote:
>>>>>> Hi @all,
>>>>>>
>>>>>> clamav-milter identifies an email as infected by Heuristics.Phishing.Email.SSL-Spoof.
>>>>>>
>>>>>> This is correct, but when I scan this file in the quarantine with clamdscan or clamscan the file is clean. It seems that clamscan or clamdscan do not scan this file for phishing.
>>>>>> Is it possible to scan a text file as a mail to identify phishing?
>>>>>
>>>>> clamdscan is using clamd the same way as "clamav-milter", and so if it's the same clamd configuration it behaves identically
>>>>
>>>> clamav-milter identifies it as Heuristics.Phishing.Email.SSL-Spoof but in clamdscan it is clean. And I think the result should be the same
>>>
>>> they are - proven by a webinterface where i upload eml files and pass them through spamd and clamdscan using two different clamd instances which are used by clamav-milter and/or spamassassin
>>>
>>> are you 100% certain that clamdscan is using the identical clamd instance with identical configuration?
>>
>> Yes, only one instance of clamd is running.
>> I scan only the quarantined mail which was held by clamav-milter before.
>>
>> Tested under different servers; on all servers the result is the same.
>
> any idea how I can scan a text file as email, so that phishing attempts are identified?
>
> if you send the code via telnet to the smtp server, clamav-milter identifies it as "infected by Heuristics.Phishing.Email.SSL-Spoof"
> If you scan a file with this code, clamdscan identifies it as clean.
>
> --- snip---
> subject: test
>
> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> http://www.example.de/";>https://www.example.de;
> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_-
> ---snip---

a good start would be to provide an *unchanged* sample .eml file so that somebody can reproduce it - at least unmangled eml files saved with thunderbird and piped through clamdscan behave 100% identically to milter usage because there is technically no difference at all, so most likely your file is just recognized as email
Re: [clamav-users] clamdscan mail file
On 2017-02-13 15:07, TBits.net, Mailinglists wrote:
> On 2017-02-13 14:39, Reindl Harald wrote:
>> On 13.02.2017 at 14:33, TBits.net, Mailinglists wrote:
>>> On 2017-02-13 13:19, Reindl Harald wrote:
>>>> On 13.02.2017 at 13:05, TBits.net, Mailinglists wrote:
>>>>> Hi @all,
>>>>>
>>>>> clamav-milter identifies an email as infected by Heuristics.Phishing.Email.SSL-Spoof.
>>>>>
>>>>> This is correct, but when I scan this file in the quarantine with clamdscan or clamscan the file is clean. It seems that clamscan or clamdscan do not scan this file for phishing.
>>>>> Is it possible to scan a text file as a mail to identify phishing?
>>>>
>>>> clamdscan is using clamd the same way as "clamav-milter", and so if it's the same clamd configuration it behaves identically
>>>
>>> clamav-milter identifies it as Heuristics.Phishing.Email.SSL-Spoof but in clamdscan it is clean. And I think the result should be the same
>>
>> they are - proven by a webinterface where i upload eml files and pass them through spamd and clamdscan using two different clamd instances which are used by clamav-milter and/or spamassassin
>>
>> are you 100% certain that clamdscan is using the identical clamd instance with identical configuration?
>
> Yes, only one instance of clamd is running.
> I scan only the quarantined mail which was held by clamav-milter before.
>
> Tested under different servers; on all servers the result is the same.

any idea how I can scan a text file as email, so that phishing attempts are identified?

if you send the code via telnet to the smtp server, clamav-milter identifies it as "infected by Heuristics.Phishing.Email.SSL-Spoof"
If you scan a file with this code, clamdscan identifies it as clean.

--- snip---
subject: test

--_000_ed9530a770f34b59940e38cc79be07c0SE011093_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

http://www.example.de/";>https://www.example.de;
--_000_ed9530a770f34b59940e38cc79be07c0SE011093_-
---snip---

This message was sent using webmail of www.tbits.net.