Mailing List Archive

What was detected?
Got an email marked as infected by clamav. I cannot determine what was
detected.

A long time ago I asked here and someone described how to scan an
individual email file, log the results and scan the log for what was
detected. Or maybe clued me in on which log I was not searching properly.

Did not find that conversation in the email archives.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: What was detected?
On 2/27/2023 3:47 PM, joe a wrote:
> Got an email marked as infected by clamav.  I cannot determine what was
> detected.
>
> A long time ago I asked here and someone described how to scan an
> individual email file, log the results and scan the log for what was
> detected.   Or maybe clued me in on which log I was not searching properly.
>
> Did not find that conversation in the email archives.

Well, never mind that part; it is shown clearly in /var/log/clamd.log as
"Heuristics.Phishing.Email.SpoofedDomain".

What I think I conflated that with is the means to determine the details so
I can add that to a .ign* file. Something to do with debug mode, I think.


Re: What was detected?
On 2/27/2023 3:52 PM, joe a wrote:
> On 2/27/2023 3:47 PM, joe a wrote:
>> Got an email marked as infected by clamav.  I cannot determine what
>> was detected.
>>
>> A long time ago I asked here and someone described how to scan an
>> individual email file, log the results and scan the log for what was
>> detected.   Or maybe clued me in on which log I was not searching
>> properly.
>>
>> Did not find that conversation in the email archives.
>
> Well, never mind that part; it is shown clearly in /var/log/clamd.log as
> "Heuristics.Phishing.Email.SpoofedDomain".
>
> What I think I conflated that with is the means to determine the details so
> I can add that to a .ign* file. Something to do with debug mode, I think.
>
>

Or, determine why this was detected in a valid email from a known and
utilized credit card service. Or is it simpler to "white list" this
sender and move on?

Re: What was detected?
On 27/02/2023 20:57, joe a wrote:
> On 2/27/2023 3:52 PM, joe a wrote:
>> On 2/27/2023 3:47 PM, joe a wrote:
>>> Got an email marked as infected by clamav.  I cannot determine what
>>> was detected.
>>>
>>> A long time ago I asked here and someone described how to scan an
>>> individual email file, log the results and scan the log for what was
>>> detected.   Or maybe clued me in on which log I was not searching
>>> properly.
>>>
>>> Did not find that conversation in the email archives.
>>
>> Well, never mind that part; it is shown clearly in /var/log/clamd.log
>> as "Heuristics.Phishing.Email.SpoofedDomain".
>>
>> What I think I conflated that with is the means to determine the details
>> so I can add that to a .ign* file. Something to do with debug mode,
>> I think.
>>
>>
>
> Or, determine why this was detected in a valid email from a known and
> utilized credit card service.   Or is it simpler to "white list" this
> sender and move on?
>
>
If you have sufficient free memory, use clamscan to scan the email in
question. It should be kind enough to highlight the reason why
Heuristics.Phishing.Email.SpoofedDomain was triggered.
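What the heuristic is comparing, as an added illustration that is not ClamAV's own code: Heuristics.Phishing.Email.SpoofedDomain is ClamAV's name for an HTML link whose visible text is itself a URL naming one host while the href points somewhere else. The script below parses a constructed .eml and lists those displayed/real host pairs, which is the detail you need before deciding whether to whitelist a sender or only a specific link; comparing full hostnames is a simplification of ClamAV's own check and an assumption of this example.

```python
import email, re
from email import policy
from html.parser import HTMLParser

# Constructed sample (not a real email): the first link's visible text names one
# host while its href points at another, the pattern the heuristic flags. The other
# two links (plain-word text; matching text and href) must not be reported.
SAMPLE_EML = b"""\
From: alerts@cards.example
Content-Type: text/html; charset=us-ascii

<html><body>
<p>View it at <a href="https://login.tracker.example/x?id=1">https://www.cards.example/login</a></p>
<p><a href="https://help.cards.example/">Contact us</a> | <a href="http://www.cards.example/offers">www.cards.example/offers</a></p>
</body></html>
"""
# Hostname of a URL or bare domain; plain words such as "Contact us" yield None.
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

def host_of(text):
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None

class AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML part.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def spoofed_domains(raw_eml):
    # [(displayed_host, real_host)] for anchors whose visible URL names a different
    # host than the href. Comparing full hostnames is an assumption of this example.
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.anchors:
                shown, real = host_of(text), host_of(href)
                if shown and real and shown != real:
                    found.append((shown, real))
    return found
```

Run it against the .eml that clamd flagged (read the file in binary mode and pass the bytes) to see which displayed/real pair the heuristic is likely reacting to.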


Re: What was detected?
On 2/27/2023 4:24 PM, Paul Netpresto wrote:
>
> On 27/02/2023 20:57, joe a wrote:
>> On 2/27/2023 3:52 PM, joe a wrote:
>>> On 2/27/2023 3:47 PM, joe a wrote:
>>>> Got an email marked as infected by clamav.  I cannot determine what
>>>> was detected.
>>>>
>>>> A long time ago I asked here and someone described how to scan an
>>>> individual email file, log the results and scan the log for what was
>>>> detected.   Or maybe clued me in on which log I was not searching
>>>> properly.
>>>>
>>>> Did not find that conversation in the email archives.
>>>
>>> Well, never mind that part; it is shown clearly in /var/log/clamd.log
>>> as "Heuristics.Phishing.Email.SpoofedDomain".
>>>
>>> What I think I conflated that with is the means to determine the details
>>> so I can add that to a .ign* file. Something to do with debug mode,
>>> I think.
>>>
>>>
>>
>> Or, determine why this was detected in a valid email from a known and
>> utilized credit card service.   Or is it simpler to "white list" this
>> sender and move on?
>>
>>
> If you have sufficient free memory, use clamscan to scan the email in
> question. It should be kind enough to highlight the reason why
> Heuristics.Phishing.Email.SpoofedDomain was triggered.
>
>

I attempted that just now. Ran clamscan --debug -f some-email.eml

After it cranks up and apparently begins actually scanning the email, it
starts cranking out errors/warnings like:

Return-path: <some@body.com>: No such file or directory
WARNING: Return-path: <some@body.com>: Can't access file
Seems to be t
This particular email was previously scanned and found to be possibly
infected with "Heuristics.Phishing.Email.SpoofedDomain", and I am
attempting to determine the actual objectionable domain.

Clearly I am doing something wrong.


Re: What was detected?
On 27/02/2023 21:33, joe a wrote:
> On 2/27/2023 4:24 PM, Paul Netpresto wrote:
>>
>> On 27/02/2023 20:57, joe a wrote:
>>> On 2/27/2023 3:52 PM, joe a wrote:
>>>> On 2/27/2023 3:47 PM, joe a wrote:
>>>>> Got an email marked as infected by clamav.  I cannot determine
>>>>> what was detected.
>>>>>
>>>>> A long time ago I asked here and someone described how to scan an
>>>>> individual email file, log the results and scan the log for what
>>>>> was detected.   Or maybe clued me in on which log I was not
>>>>> searching properly.
>>>>>
>>>>> Did not find that conversation in the email archives.
>>>>
>>>> Well, never mind that part; it is shown clearly in
>>>> /var/log/clamd.log as "Heuristics.Phishing.Email.SpoofedDomain".
>>>>
>>>> What I think I conflated that with is the means to determine the
>>>> details so I can add that to a .ign* file. Something to do with
>>>> debug mode, I think.
>>>>
>>>>
>>>
>>> Or, determine why this was detected in a valid email from a known
>>> and utilized credit card service.   Or is it simpler to "white list"
>>> this sender and move on?
>>>
>>>
>> If you have sufficient free memory, use clamscan to scan the email in
>> question. It should be kind enough to highlight the reason why
>> Heuristics.Phishing.Email.SpoofedDomain was triggered.
>>
>>
>
> I attempted that just now.  Ran clamscan --debug -f some-email.eml
>
> After it cranks up and apparently begins actually scanning the email, it
> starts cranking out errors/warnings like:
>
> Return-path: <some@body.com>: No such file or directory
> WARNING: Return-path: <some@body.com>: Can't access file
> Seems to be t
> This particular email was previously scanned and found to be possibly
> infected with "Heuristics.Phishing.Email.SpoofedDomain", and I am
> attempting to determine the actual objectionable domain.
>
> Clearly I am doing something wrong.

Try clamscan some-email.eml


Re: What was detected?
On Mon, 27 Feb 2023, joe a wrote:
> On 2/27/2023 4:24 PM, Paul Netpresto wrote:
>
> I attempted that just now. Ran clamscan --debug -f some-email.eml
>
> After it cranks up and apparently begins actually scanning the email, it
> starts cranking out errors/warnings like:
>
> Return-path: <some@body.com>: No such file or directory
> WARNING: Return-path: <some@body.com>: Can't access file
> Seems to be t
> This particular email was previously scanned and found to be possibly
> infected with "Heuristics.Phishing.Email.SpoofedDomain", and I am attempting
> to determine the actual objectionable domain.
>
> Clearly I am doing something wrong.

Drop the '-f' - it says to read the filenames from some-file.eml.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: What was detected?
On 2/27/2023 4:49 PM, Andrew C Aitchison via clamav-users wrote:
> On Mon, 27 Feb 2023, joe a wrote:
>> On 2/27/2023 4:24 PM, Paul Netpresto wrote:
>>
>> I attempted that just now.  Ran clamscan --debug -f some-email.eml
>>
>> After it cranks up and apparently begins actually scanning the email, it
>> starts cranking out errors/warnings like:
>>
>> Return-path: <some@body.com>: No such file or directory
>> WARNING: Return-path: <some@body.com>: Can't access file
>> Seems to be t
>> This particular email was previously scanned and found to be possibly
>> infected with "Heuristics.Phishing.Email.SpoofedDomain", and I am
>> attempting to determine the actual objectionable domain.
>>
>> Clearly I am doing something wrong.
>
> Drop the '-f' - it says to read the filenames from some-file.eml.
> Try clamscan some-email.eml

Thanks folks, that did it for me. I guess it helps to slow down and read
what -f actually means.

Found the link and added it to my ignore file. And it actually does
ignore the "iffy-spoofy" domain.

Maybe I will also save notes this time.

