Mailing List Archive

false positive
Hi @ all,

is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added?

kind regards,
Marc
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: false positive
A good start would be to tell us what the domain in question is.

Sent from my iPad

-Al-

> On Dec 23, 2022, at 03:26, newcomer01 via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi @ all,
>
> is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added?
>
> kind regards,
> Marc

Re: false positive
>> On Dec 23, 2022, at 03:26, newcomer01 via clamav-users <clamav-users@lists.clamav.net> wrote:
>> is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added?

On 23.12.22 05:28, Al Varnell via clamav-users wrote:
>A good start would be to tell us what the domain in question is.

What those domains in question are.
Phishing.Email.SpoofedDomain means there are two different domains in name
and URL, IIRC.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.

Re: false positive
One header is from sendnode.com and the other one is from sls-direct.de.

These are the MIME headers of one of the messages:

> X-Spam-Status: No, score=-1.619 tagged_above=-1000 required=7
> tests=[.AV:Heuristics.Phishing.Email.SpoofedDomain=0.1,
> HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_FONT_LOW_CONTRAST=0.001,
> HTML_MESSAGE=0.001, POSTEO_BTC_B=0.01, POSTEO_GENERICS_LP_CCOUNT=0.01,
> RCVD_IN_ABUSIX_WHITE=-2, RCVD_IN_DNSWL_NONE=-0.0001,
> T_RCVD_IN_CSA_WHITELIST=0.01] autolearn=disabled
> X-Posteo-Antispam-Signature: v=1; e=base64; a=aes-256-gcm; d=tq7ngM2/JpxeKCE7x3oKNbzuOK5a2NHnEt9R6s548o4NWBMTE18t0Fx9xkJQ7nTZU1TM0nP2xqIosfmpQT/nSQQCVDyrJVgj2HE1PoGeP+i+dkcA9t6Uv5C9FPSCEcPE+u6/iFv5
> Authentication-Results: posteo.de; dmarc=none (p=none dis=none) header.from=sls-direkt.de
> Authentication-Results: posteo.de;
> dkim=pass (2048-bit key) header.d=sendnode.com header.i=@sendnode.com header.b=Ms2neRyO;
> dkim-atps=neutral
> X-Posteo-TLS-Received-Status: TLSv1.3
> Received: from mda38f.sendnode.com (mda38f.sendnode.com [185.98.184.143])
> by mx04.posteo.de (Postfix) with ESMTPS id 4Gln4t192Mz10WC
> for <xxx@posteo.de>; Thu, 12 Aug 2021 15:06:22 +0200 (CEST)
> MIME-Version: 1.0
> Date: Thu, 12 Aug 2021 15:06:09 +0200
> Message-ID: <5j4.57t.jh@sendnode.com>
> From: Sparkasse Langen-Seligenstadt <mailing@sls-direkt.de>
> To: <xxx@posteo.de>
> Reply-To: <mailing@sls-direkt.de>
> Subject: Herzlich willkommen!
> List-Unsubscribe: <https://mailing.sparkasse.de/-list-unsubscribe/7168/6761/701/vUQn8vSJ>,
> <mailto:list-unsubscribe@sendnode.com?subject=7168-6761-701-vUQn8vSJ>
> List-Unsubscribe-Post: List-Unsubscribe=One-Click
> List-ID: <1c00.1a69.sendnode.com>
> X-Abuse-ID: MTI3LjAuMC4xLTcxNjgtNjc2MS03MDEtem5lcC5jaHJmcHVyeUBjYmZncmIucXI=
> X-SendJob-ID: 206828196
> X-Complaints-To: <abuse@sendnode.com>
> X-CSA-Complaints: <csa-complaints@eco.de>
> X-Mailer: Mailingwork
> X-Fi-Abs-Verify: SFP
> DKIM-Signature: v=1;
> a=rsa-sha256;
> q=dns/txt;
> l=47242;
> s=mdkv20200702;
> t=1628773569;
> c=relaxed/simple;
> h=From:To:Reply-To:Subject:X-CSA-Complaints:List-Unsubscribe-Post:List-Unsubscribe;
> d=sendnode.com;
> bh=U8HbPK6DbgmQ2Aw524utUF5pT+EcPCR6uPh9N1oJDTc=;
> b=Ms2neRyObxjnw/5kqX3YBADyoWW81EA2kavDX5NmBjq480N9Bv8LZgrOpBg4zM36ZjfbDIqD4v4bw0rHTFDDGehb0nDEgkK710Qhkil4Oeyrb1RoNVAFJnhM3Eh2sENnCdH6q0sMJFptEMjb9e5vf4+KHrON6VCbdJlLTv3sAPHH8b2E8GqhXinaI5PLB1JJqE8XW46VuekFMcbLvy6tRYGdy0HUciuKRkZiylneESKvzHbJ3vBrRWBNEo/8s2GaZuYNEjJsO/DOoRCZrmpJpEhcwn2/T7OneqTVtZXQOGWnsBpLJwbAamVMuwkrf7XTDSkyM74nGaT9jm3Nwh1/Ng==
> Content-Type: multipart/alternative;
> boundary="=_alternative_db2ca59dbda23e1a4edb30eaa2ffedc6"



From: Matus Uhlar - Fantomas <mailto:uhlar@fantomas.sk>
To: Newcomer01 <mailto:newcomer01@posteo.de>
Sent: Friday, December 23, 2022 at 16:54 (04:54 PM) +0100
Subject: Re: [clamav-users] false positive
>>> On Dec 23, 2022, at 03:26, newcomer01 via clamav-users <clamav-users@lists.clamav.net> wrote:
>>> is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added?
> On 23.12.22 05:28, Al Varnell via clamav-users wrote:
>> A good start would be to tell us what the domain in question is.
> What those domains in question are.
> Phishing.Email.SpoofedDomain means there are two different domains in name
> and URL, IIRC.
