Heuristics.Phishing.Email.SpoofedDomain...
Just a heads up. I noticed a bunch of American Express Statements in our
quarantine.
My guess is because they are using m.amex and go.amex links in the emails.

DKIM and SPF pass so these definitely seem to be legit AMEX emails.
From address is "American Express" <AmericanExpress@welcome.aexp.com>

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Heuristics.Phishing.Email.SpoofedDomain...
Hi there,

On Thu, 1 Apr 2021, eric-list@truenet.com wrote:

> Just a heads up. I noticed a bunch of American Express Statements in our
> quarantine.
> My guess is because they are using m.amex and go.amex links in the emails.
>
> DKIM and SPF pass so these definitely seem to be legit AMEX emails.
> From address is "American Express" <AmericanExpress@welcome.aexp.com>

Name(s) of the signature(s) detected?

--

73,
Ged.

Re: Heuristics.Phishing.Email.SpoofedDomain...
I'm seeing a FP from a Delta Airlines email.

Also, with clamav-milter and sendmail, I see that the headers of
quarantined messages go to /var/spool/mqueue with root:smmsp owner/group
permissions, and the header of the email starts with hf whilst the body of
the message starts with df. So the message in question looks like this:
-rw------- 1 root smmsp 10050 Apr 12 09:40 hf13CDdtaZ2926176
-rw------- 1 root smmsp 100157 Apr 12 09:39 df13CDdtaZ2926176

To release the message how does one find the queue_id to use the sendmail
-qI command?


On Thu, Apr 1, 2021 at 7:11 PM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 1 Apr 2021, eric-list@truenet.com wrote:
>
> > Just a heads up. I noticed a bunch of American Express Statements in our
> > quarantine.
> > My guess is because they are using m.amex and go.amex links in the
> emails.
> >
> > DKIM and SPF pass so these definitely seem to be legit AMEX emails.
> > From address is "American Express" <AmericanExpress@welcome.aexp.com>
>
> Name(s) of the signature(s) detected?
>
> --
>
> 73,
> Ged.
>
Re: Heuristics.Phishing.Email.SpoofedDomain...
Robert,

> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Robert Kudyba
> Sent: Tuesday, April 13, 2021 10:40 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
> Subject: Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...
>
> I'm seeing a FP from a Delta Airlines email.
>
> Also, with clamav-milter and sendmail, I see that the headers of quarantined messages go to /var/spool/mqueue with root:smmsp owner/group permissions, and the header of the email starts with hf whilst the body of the message starts with df. So the message in question looks like this:
> -rw------- 1 root smmsp 10050 Apr 12 09:40 hf13CDdtaZ2926176
> -rw------- 1 root smmsp 100157 Apr 12 09:39 df13CDdtaZ2926176
>
> To release the message how does one find the queue_id to use the sendmail -qI command?

I just checked out our quarantine to see what you were talking about and found a couple of ads in there.
Forwarded off a sample to Micah, but it looks like there are some very phishy looking links in the samples I have.
HTML link: americanexpress.com/rewards-info
Actual underlying link: https://click.o.delta.com/u/?qs=1568763c78f67b6cdcd44df9cfac10c6bdd8a68c567c4d04238da45d4092cc1adeef2f53a3a8c4248f7140f92bd80fb33b830537983d2ad07ed440f137dd0226

If you ask me, that deserves to be quarantined.

For Sendmail, it should be something like "sendmail -q". I would definitely look it up in the man pages, as I've been using postfix and exim now for a while.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



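The mismatch Eric describes above (link text naming americanexpress.com while the href goes to click.o.delta.com) is exactly the condition a spoofed-domain heuristic is looking for. As an added illustration, not ClamAV's own code and not anything posted in this thread, here is a small Python check that pulls the anchors out of an HTML body and reports links whose visible text names a different registrable domain than the one the href actually resolves to. The HTML sample is constructed after the thread's example; the last-two-labels domain comparison is a deliberate simplification (a production check would consult the public suffix list), and the regular expression for "text that looks like a hostname" is my own assumption about what counts as a displayed domain.

```python
"""Flag HTML links whose visible text names one domain while the href points
at another, the mismatch behind ClamAV's Heuristics.Phishing.Email.SpoofedDomain.
Added example, not ClamAV code; the sample HTML is constructed after the
thread's americanexpress.com / click.o.delta.com report."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample: one link whose text and href agree, one that disagrees
# (modelled on the thread), and one whose text names no domain at all.
SAMPLE_HTML = """
<p>View your statement at <a href="https://www.americanexpress.com/statement">
americanexpress.com/statement</a>.</p>
<p><a href="https://click.o.delta.com/u/?qs=0123abcd">americanexpress.com/rewards-info</a></p>
<p><a href="https://click.o.delta.com/u/?qs=0123abcd">Click here</a></p>
"""

# Link text that looks like a hostname, optionally with a scheme and a path (assumption).
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$", re.I)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com-style hosts; a real
    deployment would use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def spoofed_links(html):
    """Return (visible_text, href) for each link whose text names a domain
    different from the registrable domain the href actually goes to."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        match = HOST_RE.match(text.replace("\n", ""))
        if not match:
            continue  # "Click here"-style text names no domain; nothing to compare
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(urlsplit(href).hostname or "")
        if shown != actual:
            hits.append((text, href))
    return hits


if __name__ == "__main__":
    for text, href in spoofed_links(SAMPLE_HTML):
        print(f"text says {text!r} but the href goes to {href}")
```

Run against the constructed sample it reports only the second link; the first agrees once www. is dropped, and the third has no domain in its text to compare. Whether such a link "deserves to be quarantined", as the thread puts it, is a policy decision; a check like this only surfaces the mismatch so that the policy can be applied consistently.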
Re: Heuristics.Phishing.Email.SpoofedDomain...
>
> > Also, with clamav-milter and sendmail. I see that the headers of
> > quarantined messages go to /var/spool/mqueue with root:smmsp owner/group
> > permissions and the header of the email starts with hf whilst the body of
> > the message starts with df. So the message in question looks like this:
> > -rw------- 1 root smmsp 10050 Apr 12 09:40 hf13CDdtaZ2926176
> > -rw------- 1 root smmsp 100157 Apr 12 09:39 df13CDdtaZ2926176
> >
> > To release the message how does one find the queue_id to use the
> > sendmail -qI command?
>
> I just checked out our quarantine to see what you were talking about and
> found a couple of ads in there.
> Forwarded off a sample to Micah, but it looks like there are some very
> phishy looking links in the samples I have.
> HTML link: americanexpress.com/rewards-info
> Actual underlying link:
> https://click.o.delta.com/u/?qs=1568763c78f67b6cdcd44df9cfac10c6bdd8a68c567c4d04238da45d4092cc1adeef2f53a3a8c4248f7140f92bd80fb33b830537983d2ad07ed440f137dd0226
>
> If you ask me, that deserves to be quarantined.
>

Yes, I agree, but it's a bit subjective.


> For Sendmail, it should be something like "sendmail -q" I would definitely
> look it up in the man pages, as I've been using postfix and exim now for
> awhile.


Well, from http://www.postfix.org/postqueue.1.html:
-i queue_id
Schedule immediate delivery of deferred mail with the specified queue ID.
This option implements the traditional sendmail -qI command, by contacting
the flush(8) server.

But that (sendmail -qI) doesn't appear to unquarantine anything. My
question is what does "queue_id" refer to?

And from a user's blog (with translation on)
https://nauwg3k7ped5ecgcukpptbgr6e-jj2cvlaia66be-www-usebox-net.translate.goog/jjm/sendmail/

Processing the queue
> If we remember the Sendmail execution line, we will see that it is
> indicated by means of -q30m processing the messages stored in the queue
> every 30 minutes. You can force the process by:
> # sendmail -q
> If we wanted to process a specific message we would use -qI _Q-ID_, for
> example:
> # sendmail -qI hB8HQQhK013863
> Or indicating the sender with -qS _remitente_:
> # sendmail -qS '<reidrac@mydomain.com>'
> Or indicating one of the recipients with -qR _destinatario_:
> # sendmail -qR '<nouser@domain.without-mail.com>'


So I still don't know what "queue_id" is.
Re: Heuristics.Phishing.Email.SpoofedDomain...
Hi there,

On Tue, 13 Apr 2021, Robert Kudyba wrote:

> So I still don't know what "queue_id" is.

Try the command

mailq

and look in the Sendmail docs. The queue ID is just the filename in
the mail queue directory without the first two characters. For each
message in the queue there are two files, named [dq]fYMDhmsNppppp.
Remove the df or qf and you have the queue ID. YMD is encoded year,
month and day; hms you can guess; N is envelope number (usually 0) and
ppppp is the first five digits (may be zero padded) of the process ID
of the sendmail which originally received the message.

This is just barely on-topic for this list.

--

73,
Ged.

Re: Heuristics.Phishing.Email.SpoofedDomain...
> Hi there,
>
> On Tue, 13 Apr 2021, Robert Kudyba wrote:
>
> > So I still don't know what "queue_id" is.
>
> Try the command
>
> mailq
>
> and look in the Sendmail docs. The queue ID is just the filename in
> the mail queue directory without the first two characters. For each
> message in the queue there are two files, named [dq]fYMDhmsNppppp.
> Remove the df or qf and you have the queue ID. YMD is encoded year,
> month and day; hms you can guess; N is envelope number (usually 0) and
> ppppp is the first five digits (may be zero padded) of the process ID
> of the sendmail which originally received the message.
>

Thanks I found a tip that mailq -qQ works but the naming convention you
posted no longer appears to match. Here are a few of ours:
13GD62ID4037876
13GDQhfE4041600
03GJUOKl4119253
fYMDhmsNppppp doesn't match. It does appear the first number, "1", is the
year. But these messages were sent in April so the "3" doesn't
correspond, unless January is "0" so April would be "3"? Is there an
updated convention for this?

> This is just barely on-topic for this list.
>
> --
>
> 73,
> Ged.
>

Sorry I know you block emails directly to you so I had to send this to all.