"Heuristic.Phishing.email.SpoofedDomain" Virus

I am still looking for an answer as to what function this malware performs. ClamXav virus software downloaded from the App Store identified several "Apple mails" and flagged them as "Heuristic.Phishing.email.SpoofedDomain". I am unable to find the definition from ClamXav or through web searches.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 30, 2012 5:01 PM

35 replies

Apr 30, 2012 6:34 PM in response to macfrombrampton

I put that message in a google search, and it found 1,950 entries. ClamXav is identifying email that appears to be phishing emails with a spoofed address (looks legit but on careful examination it may not be). You can delete the emails if the ClamXav message bothers you or just leave them. As long as you don't respond to them, there's no damage being done. If the email is a legitimate Apple email, then something in the email is generating a false positive. When I get those, I delete the offending email ... done.

May 3, 2012 5:29 AM in response to MadMacs0

Mad, I apologize for hijacking this thread, but I am completely stuck and maybe you can help with this. I tried registering for the ClamX forum, but never received my activation e-mail. I wrote the following message, here excerpted, to Mark Allan twice, but haven't received a reply. I realize he can't reply to every e-mail he receives, but I would have thought he'd make an exception for this. Maybe I made a mistake by choosing the category "other."


This is the second time I am writing, as I have had no reply to my first message, sent on 4/27.


I registered for the ClamXav support forum last Friday, 4/27, but never received my activation email and am unable to log in. I have no blocking or rules set up either on my email server or locally that would have prevented this email getting through. I am blocked from re-registering using the same email address.


After I registered, I saw that my user name "brillo" appeared as "newest member," so that part, at least, went through.


I am completely stuck.


One other ClamX related question, if I may.


The ClamAV scanning engine installer I'm seeing in receipts is version 0.95.3 from 4/25/2010. I would have thought updating ClamXav would have brought along the latest ClamAV engine, but maybe not. Do I need to separately download and install the current one, which is 0.97.4? And if I do, will it properly overwrite the older one?


I'm also seeing this ClamAV folder with a creation date of 3/17/2012. Does that mean it was updated?


/usr/local/clamXav/share/clamav



Thanks



May 3, 2012 10:45 AM in response to WZZZ

WZZZ wrote:


Mad, I apologize for hijacking this thread, but I am completely stuck and maybe you can help with this. I tried registering for the ClamX forum, but never received my activation e-mail.

Mark just returned from Holiday (a European term) so he's running a bit behind, but I would expect him to get back to you when he has a moment. I've not heard of this problem before, but I'm not sure how I would. I do know that I had a similar problem getting an activation e-mail for over a week at another site before it finally worked.

The ClamAV scanning engine installer I'm seeing in receipts is version 0.95.3 from 4/25/2010. I would have thought updating ClamXav would have brought along the latest ClamAV engine, but maybe not. Do I need to separately download and install the current one, which is 0.97.4? And if I do, will it properly overwrite the older one?


I'm also seeing this ClamAV folder with a creation date of 3/17/2012. Does that mean it was updated?


/usr/local/clamXav/share/clamav

That's very strange. I've never paid attention to that but when I look at /Library/Receipts/clamavEngineInstaller104.pkg I see v0.97.4 dated 3/30/12. The 0.95.3 version came with ClamXav 2.0.4 & 2.0.5 back in Nov/Dec 2009.


To find out what version is actually installed try this Terminal command:


/usr/local/clamXav/bin/clamscan -V


You didn't mention whether you are using the AppStore or the website version, which store the engine in different places. If it's the AppStore version then you should probably remove any older scan engines that remain on your hard drive. Use the "ClamAV Engine REMOVER" script found on any ClamXav_2.x.x.dmg file you downloaded.


If you are using the web site version and the above command shows an older scan engine, use the same script to remove it (make sure both ClamXav and Sentry are not running), then launch ClamXav and it should offer to install the newer engine for you.

May 3, 2012 12:07 PM in response to WZZZ

One more quick hijack: I completely forgot to ask, will ClamX, by default, scan invisible files for any given selection? I am seeing "Show invisible files" as a separate box to check when you go into Source List, so wondered if it's necessary to check that box and then select all those different invisibles in order for ClamX to scan them? This was the question I wanted to ask when I tried registering for the forum.

May 3, 2012 3:51 PM in response to WZZZ

WZZZ wrote:


One more quick hijack: I completely forgot to ask, will ClamX, by default, scan invisible files for any given selection?

Yes, as long as you have read access to a file it will scan it.

I am seeing "Show invisible files" as a separate box to check when you go into Source List, so wondered if it's necessary to check that box and then select all those different invisibles in order for ClamX to scan them? This was the question I wanted to ask when I tried registering for the forum.

That is for when you are looking for a specific file or directory that is invisible so that it can be selected. If you opt to scan a directory that contains invisible files, they will be scanned regardless of whether the box is checked or not.

May 12, 2012 9:04 PM in response to macfrombrampton

The malware identified by ClamXav is found only in Monster emails in Apple Mail. The Monster emails do have links, as the copy of the text portion of the email below shows. I don't know if the email is valid, but ClamXav is consistent in identifying this email, as well as other Monster advertising emails, and only those.


The Reply address is

communications@monster.ca

To ensure delivery of this email please add monster@e0.monster.ca to your Address Book or Safe List.

Save the date!
Monster’s Virtual Career Fair
begins April 16th.
Registration opens March 26th.

Experience career opportunities, networking and live chats with hiring managers at Monster.ca’s Virtual Career Fair. April 16th-22nd, 2012.

What’s a Virtual Career Fair?

Imagine a live career fair held at a convention centre, complete with exhibitor booths, corporate presentations, and live interaction between you and company representatives. Now imagine experiencing all this while seated comfortably in front of your own computer.

This innovative solution provides a unique way for job seekers and employers to interact on a virtual level.

Sign up and you'll be able to:
Access job vacancies from wherever you are at a time that suits you
Interact directly with companies through a number of methods including Chat, Video and Skype. Ask questions, introduce yourself to hiring managers, and discuss company-wide employment opportunities
Complete compatibility tests to better match your skills with suitable companies

Contact Us | Resume | Jobs | Career Tools | Advice

2012 Monster - All Rights Reserved
2020 University Avenue, Suite 2000, Montreal, Quebec H3A 2A5

Monster respects your online time and privacy. If you no longer wish to receive Monster emails, please click here and submit your request or call 1-800-MONSTER.

Requests for unsubscribing or for changing preferences can be made by clicking on the link above and may take up to 10 days to take effect.

Questions? Email us directly by visiting http://my.monster.ca/ContactUs.aspx. Please do not reply to this email.

To read the Monster Privacy Commitment, visit http://my.monster.ca/privacy.

This is a marketing message from Monster.ca ©, 2020 University Avenue, Suite 2000, Montreal, Quebec H3A 2A5.

Add monster@e0.monster.com to your address book or safe list to ensure delivery of Monster emails.

If you have any doubt about the authenticity of an email from Monster, simply open a new Web browser, type in: http://www.monster.ca/, log into your Monster account safely and securely and then perform the requested activity.

Campaign_To:

May 12, 2012 10:09 PM in response to macfrombrampton

macfrombrampton wrote:


The Malware identified by Clamxav it finds only in Monster Apple Mail. the Monster emails do have links as a copy of the text portion email below shows. I don't know if Email is valid but Clamxav is consistent in identifing this Email as well as other Monster advertising Emails only.

I don't know either. It looks to be OK, but I did find some inconsistencies.


First of all, I checked the ClamXav database and can verify that monster.com is one of the protected domains that is checked, but monster.ca is not, and as you will see there is one instance of that: "Add monster@e0.monster.com...". Why they would list that when the rest of the domains are all monster.ca is strange to me. I think the fact that it comes from monster.ca and contains a monster.com URL is enough to have marked this as a possible phishing attempt, but it could well be a simple mistake on the message author's part.


I did check out the my.monster.ca web site privacy page and it checks as being OK to Google Safe Browsing and WOT, however there is a TRUSTe icon on that page which comes back with monster.com, not monster.ca. Another oversight?


Since this is simply an invitation to Virtual Job Fair, it seems harmless enough, especially since it occurred in the past. If they were really phishing I would think they would be asking you for a resume and a lot of privacy information to go with it.


Hope this helps.
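For readers who want to see what a "spoofed domain" heuristic of the kind MadMacs0 describes actually compares, here is a simplified model of the check as an added example. It is not ClamAV's or ClamXav's code; the general idea it models is that an HTML link whose visible text is a URL on one domain while the real href points at a different domain is suspicious when one of those domains is on a list of frequently impersonated ("protected") domains. The protected list, the two sample messages, the registrable-domain rule (last two labels) and the weaker sender-versus-link-domain comparison in the last function are all constructed assumptions for illustration.

```python
"""Simplified model of a spoofed-domain phishing heuristic (added example,
not ClamAV/ClamXav code).  Flags <a href="REAL">DISPLAYED-URL</a> links whose
displayed and real registrable domains differ when one of them is on an
assumed 'protected domains' list."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a toy protected-domains list standing in for a real signature database.
PROTECTED_DOMAINS = {"monster.com", "apple.com", "paypal.com"}

# Display text counts as "a URL" if it looks like scheme://host/... or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


def registrable_domain(host_or_url: str) -> str:
    """Return the last two DNS labels of a host or URL, lower-cased.

    Simplification: real tools consult the Public Suffix List (co.uk, etc.).
    """
    text = host_or_url.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlsplit(text).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def spoofed_domain_links(html: str, protected=PROTECTED_DOMAINS):
    """Return (displayed_domain, real_domain) pairs that trip the heuristic.

    A link is flagged only when (a) its visible text looks like a URL,
    (b) the displayed and real registrable domains differ, and
    (c) at least one of the two domains is on the protected list.
    """
    hits = []
    for href, text in extract_links(html):
        if not URL_LIKE.match(text):
            continue  # "Contact Us" is not a displayed URL, so nothing to compare
        shown, real = registrable_domain(text), registrable_domain(href)
        if shown != real and (shown in protected or real in protected):
            hits.append((shown, real))
    return hits


def foreign_link_domains(from_addr: str, html: str):
    """Registrable domains linked from the message that differ from the sender's.

    This is the weaker cross-domain check; on its own it is a poor phishing
    signal because bulk mailers routinely link to tracking and CDN domains.
    """
    sender = registrable_domain(from_addr.split("@")[-1])
    return sorted({registrable_domain(h) for h, _ in extract_links(html)
                   if registrable_domain(h) != sender})


# Constructed sample messages (not the Monster e-mail quoted in the thread).
LEGIT_HTML = """
<p><a href="http://my.monster.ca/ContactUs.aspx">Contact Us</a> |
<a href="http://my.monster.ca/privacy">http://my.monster.ca/privacy</a> |
<a href="http://e0.monster.com/track?id=1">http://www.monster.com/</a></p>
"""

SPOOFED_HTML = """
<p>Log in at <a href="http://monster.com.login-verify.example/">http://my.monster.com/</a>
to update your account.</p>
"""

if __name__ == "__main__":
    print("legit  :", spoofed_domain_links(LEGIT_HTML))    # []
    print("spoofed:", spoofed_domain_links(SPOOFED_HTML))  # [('monster.com', 'login-verify.example')]
    print("foreign:", foreign_link_domains("communications@monster.ca", LEGIT_HTML))  # ['monster.com']
```

Note what the model does and does not flag: the legitimate sample links a tracking host under monster.com behind a displayed www.monster.com URL, and that passes because both resolve to the same registrable domain; the spoofed sample displays my.monster.com but really points at a look-alike host whose registrable domain is login-verify.example, and that trips the check. The sender-versus-link comparison reports monster.com as "foreign" for a monster.ca sender, which is exactly the kind of cross-domain oddity that is common in legitimate marketing mail and is why a display-versus-href mismatch is the more useful signal.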

Jun 1, 2012 7:26 PM in response to macfrombrampton

This malware, Heuristic.Phishing.email.SpoofedDomain, will prevent Apple Mail version 4.5 used in Snow Leopard from delivering sent mail to a destination. The mail will appear to send in Apple Mail but will not be sent. I came to this conclusion on testing this malware. It appears to be received by an email sent and read through an Apple Mail account and read through Apple Mail.
