clamav Heuristics.Phishing.Email.SpoofedDomain | MDaemon Technologies, Ltd.



  • A Wells Fargo user is causing an AV virus hit, but it is a clean message. I see this was asked on 7/3/2018, but the linked message no longer exists. Can you tell me how to fix this, at least for the Wells Fargo domain? Thanks



  • If you want to disable the spoofed domain check in ClamAV, edit the MDaemon\SecurityPlus\ClamAVPlugin\Conf\clamd.conf file and change:
     
    PhishingScanURLs no
     
    Save the file and restart MDaemon.

  • Thanks


  • Changed the setting and rebooted, but still getting it, and this was legit from Amex:

    Fri 2024-04-26 08:11:46.427: [52081385] Passing message through AntiVirus (Size: 53893)...
    Fri 2024-04-26 08:11:46.475: [52081385] * Message scanned by (ClamAV: infected (0.02768s)) is infected with Heuristics.Phishing.Email.SpoofedDomain

    Apr 26 08:11:46 bolt114a postfix/pickup[11539]: 4VQx5Z0Q8qz7Hckk: uid=1100 from=<r_rvneea3a21158c8436d82f06_1_c.AmericanExpress@welcome.americanexpress.com> orig_id=4VQwp64q8fz6h33m_8007_20240426
    Apr 26 08:11:46 bolt114a postfix/cleanup[25517]: 4VQx5Z0Q8qz7Hckk: message-id=<20.EB.23132.B01CB266@hpgplmomiw05>
    Apr 26 08:11:46 bolt114a postfix/qmgr[5501]: 4VQx5Z0Q8qz7Hckk: from=<r_rvneea3a21158c8436d82f06_1_c.AmericanExpress@welcome.americanexpress.com>, size=53894, nrcpt=1 (queue active)
    Apr 26 08:11:46 bolt114a postfix/smtp[31302]: 4VQx5Z0Q8qz7Hckk: to=<email address was here>, relay=mail.esintl.com[mail ip]:25, delay=804, delays=803/0.01/0.25/0.2, dsn=5.6.0, status=bounced (host [mymailhost and ip] said: 550 5.6.0 Sorry, virus detected within message (in reply to end of DATA command))
    Apr 26 08:11:46 bolt114a postfix/bounce[23527]: 4VQx5Z0Q8qz7Hckk: sender non-delivery notification: 4VQx5Z3hCxz7Hckg
    Apr 26 08:11:46 bolt114a postfix/qmgr[5501]: 4VQx5Z0Q8qz7Hckk: removed


  • What is this log snippet from?  It doesn't look like an MDaemon or ClamAV log to me.

    Apr 26 08:11:46 bolt114a postfix/pickup[11539]: 4VQx5Z0Q8qz7Hckk: uid=1100 from=<r_rvneea3a21158c8436d82f06_1_c.AmericanExpress@welcome.americanexpress.com> orig_id=4VQwp64q8fz6h33m_8007_20240426
    Apr 26 08:11:46 bolt114a postfix/cleanup[25517]: 4VQx5Z0Q8qz7Hckk: message-id=<20.EB.23132.B01CB266@hpgplmomiw05>
    Apr 26 08:11:46 bolt114a postfix/qmgr[5501]: 4VQx5Z0Q8qz7Hckk: from=<r_rvneea3a21158c8436d82f06_1_c.AmericanExpress@welcome.americanexpress.com>, size=53894, nrcpt=1 (queue active)
    Apr 26 08:11:46 bolt114a postfix/smtp[31302]: 4VQx5Z0Q8qz7Hckk: to=<email address was here>, relay=mail.esintl.com[mail ip]:25, delay=804, delays=803/0.01/0.25/0.2, dsn=5.6.0, status=bounced (host [mymailhost and ip] said: 550 5.6.0 Sorry, virus detected within message (in reply to end of DATA command))
    Apr 26 08:11:46 bolt114a postfix/bounce[23527]: 4VQx5Z0Q8qz7Hckk: sender non-delivery notification: 4VQx5Z3hCxz7Hckg
    Apr 26 08:11:46 bolt114a postfix/qmgr[5501]: 4VQx5Z0Q8qz7Hckk: removed

     


  • It was from my spam filter logs. Here is the MDaemon log:

     

    Fri 2024-04-26 08:31:44.124: [52083481] --> 220 2.7.0 Ready to start TLS
    Fri 2024-04-26 08:31:44.201: [52083481] SSL negotiation successful (TLS 1.3, TLS_AES_256_GCM_SHA384)
    Fri 2024-04-26 08:31:44.238: [52083481] <-- EHLO cx-a.mxthunder.net
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-mail.mydomain.com Hello cx-a.mxthunder.net [ip address], pleased to meet you
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-ETRN
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-AUTH LOGIN CRAM-MD5 PLAIN
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-8BITMIME
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-ENHANCEDSTATUSCODES
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-PIPELINING
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-CHUNKING
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250-REQUIRETLS
    Fri 2024-04-26 08:31:44.239: [52083481] --> 250 SIZE
    Fri 2024-04-26 08:31:44.276: [52083481] <-- MAIL FROM:<r_ALE240426DCPUPEMFKTUWAHH_1_t.AmericanExpress@welcome.americanexpress.com> SIZE=47087
    Fri 2024-04-26 08:31:44.276: [52083481] --> 250 2.1.0 Sender OK
    Fri 2024-04-26 08:31:44.276: [52083481] <-- RCPT TO:<someuser@mydomain.com>
    Fri 2024-04-26 08:31:44.278: [52083481] --> 250 2.1.5 Recipient OK
    Fri 2024-04-26 08:31:44.278: [52083481] <-- DATA
    Fri 2024-04-26 08:31:44.279: [52083481] --> 354 Enter mail, end with <CRLF>.<CRLF>
    Fri 2024-04-26 08:31:44.393: [52083481] Message size: 47086 bytes
    Fri 2024-04-26 08:31:44.394: [52083481] Passing message through AntiVirus (Size: 47086)...
    Fri 2024-04-26 08:31:44.441: [52083481] * Message scanned by (ClamAV: infected (0.02711s)) is infected with Heuristics.Phishing.Email.SpoofedDomain
    Fri 2024-04-26 08:31:44.441: [52083481] ---- End AntiVirus results
    Fri 2024-04-26 08:31:44.441: [52083481] Message refused because it contains a virus
    Fri 2024-04-26 08:31:44.442: [52083481] --> 550 5.6.0 Sorry, virus detected within message
    Fri 2024-04-26 08:31:44.442: [52083481] <-- QUIT
    Fri 2024-04-26 08:31:44.442: [52083481] --> 221 2.0.0 See ya in cyberspace
    Fri 2024-04-26 08:31:44.443: [52083481] SMTP session terminated (Bytes in/out: 48140/4654)
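For triaging rejections like the one in the MDaemon log above, here is an added example (it is not MDaemon's or ClamAV's code): it parses MDaemon SMTP log lines of the shape shown, groups them by session id, records the envelope sender and recipients, the engine verdict and the 5xx reply, and separates ClamAV heuristic detections (names beginning with Heuristics., which are the false-positive candidates) from signature matches. The sample log is constructed: the first session is the American Express exchange from the post above; the other two sessions are made up (a Win.Test.EICAR_HDB-1 hit and a session with no AV verdict), and their session ids, addresses and timestamps are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One MDaemon SMTP log line: "Fri 2024-04-26 08:31:44.441: [52083481] <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): \[(?P<sid>\d+)\] (?P<rest>.*)$"
)
MAIL_FROM_RE = re.compile(r"^<-- MAIL FROM:<(?P<addr>[^>]*)>", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"^<-- RCPT TO:<(?P<addr>[^>]*)>", re.IGNORECASE)
# "* Message scanned by (ClamAV: infected (0.02711s)) is infected with <name>"
AV_RE = re.compile(
    r"\* Message scanned by \((?P<engine>[^:]+): infected \([\d.]+s\)\) is infected with (?P<sig>\S+)"
)
# Only 4xx/5xx replies matter for triage; 2xx/3xx are ignored.
REPLY_RE = re.compile(r"^--> (?P<code>[45]\d{2}) (?P<esc>\d\.\d\.\d) (?P<text>.*)$")


@dataclass
class Session:
    sid: str
    mail_from: str = ""
    rcpt_to: List[str] = field(default_factory=list)
    engine: str = ""
    signature: str = ""
    reject_code: str = ""  # first 4xx/5xx reply MDaemon sent, e.g. "550 5.6.0"

    @property
    def heuristic(self) -> bool:
        # ClamAV heuristic detections are all named Heuristics.*; anything else is
        # a database signature match and a much weaker false-positive candidate.
        return self.signature.startswith("Heuristics.")


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group MDaemon SMTP log lines by session id and pull out the triage fields."""
    sessions: Dict[str, Session] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an MDaemon session line (e.g. a postfix line pasted by mistake)
        s = sessions.setdefault(m.group("sid"), Session(m.group("sid")))
        rest = m.group("rest")
        if (mm := MAIL_FROM_RE.match(rest)):
            s.mail_from = mm.group("addr")
        elif (mm := RCPT_TO_RE.match(rest)):
            s.rcpt_to.append(mm.group("addr"))
        elif (mm := AV_RE.search(rest)):
            s.engine, s.signature = mm.group("engine"), mm.group("sig")
        elif (mm := REPLY_RE.match(rest)) and not s.reject_code:
            s.reject_code = f"{mm.group('code')} {mm.group('esc')}"
    return sessions


def av_rejections(log_text: str) -> List[Session]:
    """Sessions MDaemon refused with a 5xx after an AV engine flagged the message."""
    return [s for s in parse_sessions(log_text).values()
            if s.signature and s.reject_code.startswith("5")]


def heuristic_phishing_rejections(log_text: str) -> List[Session]:
    """The subset worth reviewing by hand: Heuristics.Phishing.* hits, not signatures."""
    return [s for s in av_rejections(log_text) if s.signature.startswith("Heuristics.Phishing.")]


def summarize(log_text: str) -> Dict[str, int]:
    counts = {"heuristic": 0, "signature": 0}
    for s in av_rejections(log_text):
        counts["heuristic" if s.heuristic else "signature"] += 1
    return counts


# Constructed sample: session 52083481 is the exchange from the post above; the
# other two sessions and their ids/addresses/timestamps are placeholders.
SAMPLE_LOG = """\
Fri 2024-04-26 08:31:44.276: [52083481] <-- MAIL FROM:<r_ALE240426DCPUPEMFKTUWAHH_1_t.AmericanExpress@welcome.americanexpress.com> SIZE=47087
Fri 2024-04-26 08:31:44.276: [52083481] --> 250 2.1.0 Sender OK
Fri 2024-04-26 08:31:44.276: [52083481] <-- RCPT TO:<someuser@mydomain.com>
Fri 2024-04-26 08:31:44.278: [52083481] --> 250 2.1.5 Recipient OK
Fri 2024-04-26 08:31:44.441: [52083481] * Message scanned by (ClamAV: infected (0.02711s)) is infected with Heuristics.Phishing.Email.SpoofedDomain
Fri 2024-04-26 08:31:44.442: [52083481] --> 550 5.6.0 Sorry, virus detected within message
Fri 2024-04-26 09:02:10.100: [52083999] <-- MAIL FROM:<sender@example.net> SIZE=1024
Fri 2024-04-26 09:02:10.101: [52083999] <-- RCPT TO:<someuser@mydomain.com>
Fri 2024-04-26 09:02:10.150: [52083999] * Message scanned by (ClamAV: infected (0.01000s)) is infected with Win.Test.EICAR_HDB-1
Fri 2024-04-26 09:02:10.151: [52083999] --> 550 5.6.0 Sorry, virus detected within message
Fri 2024-04-26 09:05:00.000: [52084001] <-- MAIL FROM:<other@example.org> SIZE=2048
Fri 2024-04-26 09:05:00.001: [52084001] <-- RCPT TO:<someuser@mydomain.com>
Fri 2024-04-26 09:05:00.002: [52084001] --> 250 2.1.5 Recipient OK
"""

if __name__ == "__main__":
    for s in heuristic_phishing_rejections(SAMPLE_LOG):
        print(s.sid, s.mail_from, s.rcpt_to, s.signature, s.reject_code)
    print(summarize(SAMPLE_LOG))
```

Feed it the real SMTP log instead of SAMPLE_LOG to see how many rejections are heuristic phishing hits before deciding whether to touch clamd.conf at all; lines from another product's log (such as the postfix lines pasted earlier in this thread) are simply skipped because they do not match MDaemon's session-line format.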


  • Is your spam filter running ClamAV?


  • My guess is that ClamAV is running from a different location on the MDaemon server, or it's getting its configuration from a different location.

    Open Task Manager on the MDaemon server, find the clamd.exe process, right-click and select Open file location. It should open the path where clamd.exe is being run from. What is the path?


  • F:\mdaemon\SecurityPlus\ClamAVPlugin

     

    F:\mdaemon is where mdaemon is installed.


  • Oh, my spam filter is Spam Hero; no idea what they use.


  • Please post the clamd.conf file from F:\MDaemon\SecurityPlus\ClamAVPlugin\Conf\clamd.conf.

     


  • Another possibility is that clamd.exe didn't stop when MDaemon stopped. You can use Task Manager to do an End Task on the clamd.exe process. MDaemon should automatically restart it.


  • Rebooted the server after the change, so it would have had to stop. Here is clamd.conf:

    ##
    ## Please read the clamd.conf(5) manual before editing this file.
    ##

    # Uncomment this option to enable logging.
    # LogFile must be writable for the user running daemon.
    # A full path is required.
    # Default: disabled
    #LogFile "F:\MDaemon\SecurityPlus\ClamAVPlugin\Logs\clamd.log"

    # By default the log file is locked for writing - the lock protects against
    # running clamd multiple times (if want to run another clamd, please
    # copy the configuration file, change the LogFile variable, and run
    # the daemon with --config-file option).
    # This option disables log file locking.
    # Default: no
    #LogFileUnlock yes

    # Maximum size of the log file.
    # Value of 0 disables the limit.
    # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
    # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
    # in bytes just don't use modifiers.
    # Default: 1M
    LogFileMaxSize 0

    # Log time with each message.
    # Default: no
    LogTime yes

    # Also log clean files. Useful in debugging but drastically increases the
    # log size.
    # Default: no
    #LogClean yes

    # Use system logger (can work together with LogFile).
    # Default: no
    #LogSyslog yes

    # Specify the type of syslog messages - please refer to 'man syslog'
    # for facility names.
    # Default: LOG_LOCAL6
    LogFacility LOG_MAIL

    # Enable verbose logging.
    # Default: no
    #LogVerbose yes

    # This option allows you to save a process identifier of the listening
    # daemon (main thread).
    # Default: disabled
    #PidFile /var/run/clamd.pid

    # Optional path to the global temporary directory.
    # Default: system specific (usually /tmp or /var/tmp).
    TemporaryDirectory "F:\MDaemon\SecurityPlus\ClamAVPlugin\temp"

    # Path to the database directory.
    # Default: hardcoded (depends on installation options)
    DatabaseDirectory "F:\MDaemon\SecurityPlus\ClamAVPlugin\data"

    # The daemon works in a local OR a network mode. Due to security reasons we
    # recommend the local mode.

    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)
    # LocalSocket /tmp/clamd.socket

    # Remove stale socket after unclean shutdown.
    # Default: yes
    #FixStaleSocket yes

    # TCP port address.
    # Default: no
    TCPSocket 3310

    # TCP address.
    # By default we bind to INADDR_ANY, probably not wise.
    # Enable the following to provide some degree of protection
    # from the outside world.
    # Default: no
    TCPAddr 127.0.0.1

    # Maximum length the queue of pending connections may grow to.
    # Default: 15
    MaxConnectionQueueLength 30

    # Clamd uses FTP-like protocol to receive data from remote clients.
    # If you are using clamav-milter to balance load between remote clamd daemons
    # on firewall servers you may need to tune the options below.

    # Close the connection when the data size limit is exceeded.
    # The value should match your MTA's limit for a maximum attachment size.
    # Default: 10M
    #StreamMaxLength 20M

    # Limit port range.
    # Default: 1024
    #StreamMinPort 30000
    # Default: 2048
    #StreamMaxPort 32000

    # Maximum number of threads running at the same time.
    # Default: 10
    MaxThreads 20

    # Waiting for data from a client socket will timeout after this time (seconds).
    # Value of 0 disables the timeout.
    # Default: 120
    #ReadTimeout 300

    # Waiting for a new job will timeout after this time (seconds).
    # Default: 30
    #IdleTimeout 60

    # Maximum depth directories are scanned at.
    # Default: 15
    #MaxDirectoryRecursion 20

    # Follow directory symlinks.
    # Default: no
    #FollowDirectorySymlinks yes

    # Follow regular file symlinks.
    # Default: no
    #FollowFileSymlinks yes

    # Perform a database check.
    # Default: 1800 (30 min)
    SelfCheck 3600

    # Execute a command when virus is found. In the command string %v will
    # be replaced with the virus name.
    # Default: no
    #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

    # Run as another user (clamd must be started by root for this option to work)
    # Default: don't drop privileges
    #User clamav

    # Initialize supplementary group access (clamd must be started by root).
    # Default: no
    #AllowSupplementaryGroups no

    # Stop daemon when libclamav reports out of memory condition.
    #ExitOnOOM yes

    # Don't fork into background.
    # Default: no
    Foreground yes

    # Enable debug messages in libclamav.
    # Default: no
    #Debug yes

    # Do not remove temporary files (for debug purposes).
    # Default: no
    #LeaveTemporaryFiles yes

    # Detect Possibly Unwanted Applications.
    # Default: no
    #DetectPUA yes

    # In some cases (eg. complex malware, exploits in graphic files, and others),
    # ClamAV uses special algorithms to provide accurate detection. This option
    # controls the algorithmic detection.
    # Default: yes
    #AlgorithmicDetection yes

    ##
    ## Executable files
    ##

    # PE stands for Portable Executable - it's an executable file format used
    # in all 32 and 64-bit versions of Windows operating systems. This option allows
    # ClamAV to perform a deeper analysis of executable files and it's also
    # required for decompression of popular executable packers such as UPX, FSG,
    # and Petite.
    # Default: yes
    #ScanPE yes

    # Executable and Linking Format is a standard format for UN*X executables.
    # This option allows you to control the scanning of ELF files.
    # Default: yes
    #ScanELF yes

    # With this option clamav will try to detect broken executables (both PE and
    # ELF) and mark them as Broken.Executable.
    # Default: no
    #DetectBrokenExecutables yes

    ##
    ## Documents
    ##

    # This option enables scanning of OLE2 files, such as Microsoft Office
    # documents and .msi files.
    # Default: yes
    #ScanOLE2 yes

    # This option enables scanning within PDF files.
    # Default: no
    ScanPDF yes

    ##
    ## Mail files
    ##

    # Enable internal e-mail scanner.
    # Default: yes
    #ScanMail yes

    # If an email contains URLs ClamAV can download and scan them.
    # WARNING: This option may open your system to a DoS attack.
    # Never use it on loaded servers.
    # Default: no
    #MailFollowURLs no

    # With this option enabled ClamAV will try to detect phishing attempts by using
    # signatures.
    # Default: yes
    #PhishingSignatures yes

    # Scan URLs found in mails for phishing attempts using heuristics.
    # Default: yes
    #PhishingScanURLs no

    # Always block SSL mismatches in URLs, even if the URL isn't in the database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockSSLMismatch no

    # Always block cloaked URLs, even if URL isn't in database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockCloak no

    ##
    ## HTML
    ##

    # Perform HTML normalisation and decryption of MS Script Encoder code.
    # Default: yes
    #ScanHTML yes

    ##
    ## Archives
    ##

    # ClamAV can scan within archives and compressed files.
    # Default: yes
    #ScanArchive yes

    # Use slower but memory efficient decompression algorithm.
    # only affects the bzip2 decompressor.
    # Default: no
    #ArchiveLimitMemoryUsage yes

    # Alert on encrypted archives _and_ documents with heuristic signature
    # (encrypted .zip, .7zip, .rar, .pdf).
    # Default: no
    AlertEncrypted yes

    # Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
    # .rar).
    # Default: no
    #AlertEncryptedArchive yes

    # Alert on encrypted archives with heuristic signature (encrypted .pdf).
    # Default: no
    #AlertEncryptedDoc yes

    # With this option enabled OLE2 files containing VBA macros, which were not
    # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
    # Default: no
    #AlertOLE2Macros yes

    ##
    ## Limits
    ##

    # The options below protect your system against Denial of Service attacks
    # using archive bombs.

    # This option sets the maximum amount of data to be scanned for each input file.
    # Archives and other containers are recursively extracted and scanned up to this
    # value.
    # Value of 0 disables the limit
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 100M
    #MaxScanSize 150M

    # This option sets the maximum scan time. This was added in version 0.102.4.
    # The default scan time limit is 2 minutes (120000 milliseconds).
    MaxScanTime 600000

    # Files larger than this limit won't be scanned. Affects the input file itself
    # as well as files contained inside it (when the input file is an archive, a
    # document or some other kind of container).
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 25M
    #MaxFileSize 30M

    # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
    # file, all files within it will also be scanned. This options specifies how
    # deeply the process should be continued.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Value of 0 disables the limit.
    # Default: 16
    #MaxRecursion 10

    # Number of files to be scanned within an archive, a document, or any other
    # container file.
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 10000
    #MaxFiles 15000

    # Alert on files that exceed max file size, max scan size, or max recursion limit
    # (Heuristics.Limits.Exceeded).
    # Default: no
    #AlertExceedsMax yes

    ##
    ## Clamuko settings
    ## WARNING: This is experimental software. It is very likely it will hang
    ## up your system!!!
    ##

    # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
    # Default: no
    #ClamukoScanOnAccess yes

    # Set access mask for Clamuko.
    # Default: no
    #ClamukoScanOnOpen yes
    #ClamukoScanOnClose yes
    #ClamukoScanOnExec yes

    # Set the include paths (all files inside them will be scanned). You can have
    # multiple ClamukoIncludePath directives but each directory must be added
    # in a seperate line.
    # Default: disabled
    #ClamukoIncludePath /home
    #ClamukoIncludePath /students

    # Set the exclude paths. All subdirectories are also excluded.
    # Default: disabled
    #ClamukoExcludePath /home/bofh

    # Don't scan files larger than ClamukoMaxFileSize
    # Value of 0 disables the limit.
    # Default: 5M
    #ClamukoMaxFileSize 10M

  • Remove the # from this line:

    #PhishingScanURLs no

    Save the file and restart clamd.exe.
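The two instructions in this thread (set PhishingScanURLs no near the top, remove the leading # at the end) describe one mistake worth guarding against: a directive that is still commented out contributes nothing, so clamd keeps its built-in default (yes for PhishingScanURLs) and the SpoofedDomain heuristic keeps firing after the restart. The following added example (not MDaemon's or ClamAV's code) reads a clamd.conf text, reports the effective value of a directive and where it came from, and flags the case where the only copies of the directive are comments. The config excerpts are constructed from the file posted above; the DEFAULTS table is taken from that file's "# Default:" comments and is assumed to match the clamd build MDaemon ships; treating the last active occurrence of a repeated directive as the one that counts is this example's assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Built-in defaults as stated by the "# Default:" comments in the posted
# clamd.conf (assumption: they match the clamd build on the MDaemon server).
DEFAULTS: Dict[str, str] = {
    "PhishingSignatures": "yes",
    "PhishingScanURLs": "yes",
    "PhishingAlwaysBlockSSLMismatch": "no",
    "PhishingAlwaysBlockCloak": "no",
}

# "Name value" with optional surrounding whitespace; values may be quoted paths.
DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9]*)\s+(?P<value>\S.*?)\s*$")


@dataclass
class Effective:
    name: str
    value: Optional[str]     # None when neither the file nor DEFAULTS knows it
    source: str              # "line N" or "default"
    commented_at: List[int]  # lines where the directive appears only as a comment


def effective(conf_text: str, name: str) -> Effective:
    """Return the value clamd would actually use for `name` and where it came from."""
    value, source, commented = None, "default", []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        commented_out = line.startswith("#")
        # Look at the text even on comment lines so a commented-out copy can be reported.
        m = DIRECTIVE_RE.match(line.lstrip("#").strip())
        if not m or m.group("name") != name:
            continue
        if commented_out:
            commented.append(lineno)  # inert: clamd never parses this line
        else:
            # Assumption for this example: the last active occurrence wins.
            value, source = m.group("value").strip('"'), f"line {lineno}"
    if value is None:
        value = DEFAULTS.get(name)
    return Effective(name, value, source, commented)


def as_bool(value: str) -> bool:
    # ClamAV accepts yes/no, true/false and 1/0 for boolean options.
    return value.strip().lower() in ("yes", "true", "1")


def phishing_url_heuristic_enabled(conf_text: str) -> bool:
    """True when the URL phishing heuristic (source of Heuristics.Phishing.Email.*) is on."""
    e = effective(conf_text, "PhishingScanURLs")
    if e.value is None:
        raise ValueError("PhishingScanURLs has no known default")
    return as_bool(e.value)


def explain(conf_text: str, name: str) -> str:
    """One-line diagnosis suitable for a ticket or a script's output."""
    e = effective(conf_text, name)
    msg = f"{name} = {e.value} ({e.source})"
    if e.source == "default" and e.commented_at:
        msg += (f"; only commented-out copies found on line(s) {e.commented_at}, "
                f"so the edit has no effect until the leading '#' is removed")
    return msg


# Constructed excerpt in the state the poster had it: the directive is still a
# comment, so clamd keeps the built-in default (yes).
CONF_AS_POSTED = """\
# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs no
TCPSocket 3310
TCPAddr 127.0.0.1
"""

# The same excerpt after removing the leading '#', as the final reply instructs.
CONF_FIXED = CONF_AS_POSTED.replace("#PhishingScanURLs no", "PhishingScanURLs no")

if __name__ == "__main__":
    print(explain(CONF_AS_POSTED, "PhishingScanURLs"))
    print(explain(CONF_FIXED, "PhishingScanURLs"))
    print("heuristic enabled (as posted):", phishing_url_heuristic_enabled(CONF_AS_POSTED))
    print("heuristic enabled (fixed):    ", phishing_url_heuristic_enabled(CONF_FIXED))
```

Run it against F:\MDaemon\SecurityPlus\ClamAVPlugin\Conf\clamd.conf (read the file and pass its text to explain) before and after editing, and again after restarting clamd.exe if the hits continue, since a clamd.exe that was never restarted still holds the old configuration. Caveat: PhishingScanURLs no turns the URL phishing heuristic off for every message, not just for Wells Fargo or American Express mail. ClamAV's signature documentation describes a .wdb allowlist database (X:RealURL:DisplayedURL entries) for exempting specific real/displayed domain pairs while leaving the heuristic on for everything else; the thread does not cover it, but it is the narrower fix.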

     


  • That seems to have done it. Thanks, Arron, appreciate the quick help.

