One header is from sendnode.com and the other one from sls-direct.de.
This is one of the MIME headers:
> X-Spam-Status: No, score=-1.619 tagged_above=-1000 required=7
> tests=[.AV:Heuristics.Phishing.Email.SpoofedDomain=0.1,
> HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_FONT_LOW_CONTRAST=0.001,
> HTML_MESSAGE=0.001, POSTEO_BTC_B=0.01, POSTEO_GENERICS_LP_CCOUNT=0.01,
> RCVD_IN_ABUSIX_WHITE=-2, RCVD_IN_DNSWL_NONE=-0.0001,
> T_RCVD_IN_CSA_WHITELIST=0.01] autolearn=disabled
> X-Posteo-Antispam-Signature: v=1; e=base64; a=aes-256-gcm; d=tq7ngM2/JpxeKCE7x3oKNbzuOK5a2NHnEt9R6s548o4NWBMTE18t0Fx9xkJQ7nTZU1TM0nP2xqIosfmpQT/nSQQCVDyrJVgj2HE1PoGeP+i+dkcA9t6Uv5C9FPSCEcPE+u6/iFv5
> Authentication-Results: posteo.de; dmarc=none (p=none dis=none) header.from=sls-direkt.de
> Authentication-Results: posteo.de;
> dkim=pass (2048-bit key) header.d=sendnode.com header.i=@sendnode.com header.b=Ms2neRyO;
> dkim-atps=neutral
> X-Posteo-TLS-Received-Status: TLSv1.3
> Received: from mda38f.sendnode.com (mda38f.sendnode.com [185.98.184.143])
> by mx04.posteo.de (Postfix) with ESMTPS id 4Gln4t192Mz10WC
> for <xxx@posteo.de>; Thu, 12 Aug 2021 15:06:22 +0200 (CEST)
> MIME-Version: 1.0
> Date: Thu, 12 Aug 2021 15:06:09 +0200
> Message-ID: <5j4.57t.jh@sendnode.com>
> From: Sparkasse Langen-Seligenstadt <mailing@sls-direkt.de>
> To: <xxx@posteo.de>
> Reply-To: <mailing@sls-direkt.de>
> Subject: Herzlich willkommen!
> List-Unsubscribe: <https://mailing.sparkasse.de/-list-unsubscribe/7168/6761/701/vUQn8vSJ>,
> <mailto:list-unsubscribe@sendnode.com?subject=7168-6761-701-vUQn8vSJ>
> List-Unsubscribe-Post: List-Unsubscribe=One-Click
> List-ID: <1c00.1a69.sendnode.com>
> X-Abuse-ID: MTI3LjAuMC4xLTcxNjgtNjc2MS03MDEtem5lcC5jaHJmcHVyeUBjYmZncmIucXI=
> X-SendJob-ID: 206828196
> X-Complaints-To: <abuse@sendnode.com>
> X-CSA-Complaints: <csa-complaints@eco.de>
> X-Mailer: Mailingwork
> X-Fi-Abs-Verify: SFP
> DKIM-Signature: v=1;
> a=rsa-sha256;
> q=dns/txt;
> l=47242;
> s=mdkv20200702;
> t=1628773569;
> c=relaxed/simple;
> h=From:To:Reply-To:Subject:X-CSA-Complaints:List-Unsubscribe-Post:List-Unsubscribe;
> d=sendnode.com;
> bh=U8HbPK6DbgmQ2Aw524utUF5pT+EcPCR6uPh9N1oJDTc=;
> b=Ms2neRyObxjnw/5kqX3YBADyoWW81EA2kavDX5NmBjq480N9Bv8LZgrOpBg4zM36ZjfbDIqD4v4bw0rHTFDDGehb0nDEgkK710Qhkil4Oeyrb1RoNVAFJnhM3Eh2sENnCdH6q0sMJFptEMjb9e5vf4+KHrON6VCbdJlLTv3sAPHH8b2E8GqhXinaI5PLB1JJqE8XW46VuekFMcbLvy6tRYGdy0HUciuKRkZiylneESKvzHbJ3vBrRWBNEo/8s2GaZuYNEjJsO/DOoRCZrmpJpEhcwn2/T7OneqTVtZXQOGWnsBpLJwbAamVMuwkrf7XTDSkyM74nGaT9jm3Nwh1/Ng==
> Content-Type: multipart/alternative;
> boundary="=_alternative_db2ca59dbda23e1a4edb30eaa2ffedc6"
Von / From: Matus Uhlar - Fantomas <mailto:uhlar@fantomas.sk>
An / To: Newcomer01 <mailto:newcomer01@posteo.de>
Gesendet / Sent: Freitag, Dezember 23, 2022 um 16:54 (at 04:54 PM) +0100
Betreff / Subject: Re: [clamav-users] false positive
>>> On Dec 23, 2022, at 03:26, newcomer01 via clamav-users <clamav-users@lists.clamav.net> wrote:
>>> is there a way to submit a false positive "Phishing.Email.SpoofedDomain" so that an exception can be added?
> On 23.12.22 05:28, Al Varnell via clamav-users wrote:
>> A good start would be to tell us what the domain in question is.
> What those domains in question are.
> Phishing.Email.SpoofedDomain means there are two different domains in name
> and URL, IIRC.