2 Replies Latest reply: Nov 17, 2012 12:33 PM by MadMacs0
ebilgatoloco Level 1 Level 1 (0 points)

Hi

I ran ClamXav earlier today and came back with a heuristics.phishing.email.ssl-spoof

Do I quarantine the email? Or reveal it in finder and manually delete it? I'd like to know what to do before continuing. Don't want to mess up my five year old MBP by deleting random code by accident =]

Thanks!


MacBook Pro (15-inch 2.4/2.2 GHz), Mac OS X (10.6.8)
  • John Galt Level 8 Level 8 (41,400 points)

    Do I quarantine the email? Or reveal it in finder and manually delete it?

    No, don't do that: http://www.clamxav.com/docs_prefs_quarantine.php

    Just forget about the email. ClamXav identified a phishing attempt.

    Delete the message (or just mark it as spam) and forget you ever saw it.

  • MadMacs0 Level 5 Level 5 (4,605 points)

    ebilgatoloco wrote:

    Hi

    I ran ClamXav earlier today and came back with a heuristics.phishing.email.ssl-spoof

    Do I quarantine the email? Or reveal it in finder and manually delete it? I'd like to know what to do before continuing.

    Don't do either of those things as it will corrupt the mailbox index which could cause several other issues with your mail.

    First of all, the word "heuristics" means that the scan engine saw something suspicious about one of the URLs in the message and issued this as a warning that you need to check it out. It did not match a specific signature.

    Use reveal in Finder then double-click the file to read it in your e-mail reader. If it looks to be a legitimate e-mail, then you can ask that it be ignored in future scans. If you agree that it's junk/spam/phishing then use the delete button in your mail reader to get rid of the file both on your Mac as well as the e-mail server. If you have elected to save trash on the server, be sure and go to your trash mailbox and delete it there, as well.

    This is somewhat repetitive, but here's my standard guidance for suspected e-mail infections:

    Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail.

    So, if you choose to "Scan e-mail content for malware and phishing" in the General Preferences, make sure you do not elect to either Quarantine or Delete infected files.

    When possibly infected e-mail files are found:

    1. Right-click/Control-click on either the infection or file name in the ClamXav window.
    2. Select "Reveal In Finder" from the pop-up menu.
    3. When the window opens, double-click on the file to open the message in your e-mail client application.
    4. Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (this is especially important when the word "Heuristics" appears in the infection name).
    5. If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
    6. If this is a g-mail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server.

    To fix the corrupted mailbox index(es), highlight each one that was corrupted and choose Rebuild from the appropriate menu.
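The reply above explains that a "Heuristics" hit means the scanner noticed something suspicious about a link in the message rather than matching a known signature. The following is an added example, not code from the thread, from ClamXav or from ClamAV, showing the core idea behind a link heuristic of this kind: compare the URL a message displays with the URL the link actually points to. The sample message, the `example-bank.test` and `203.0.113.5` addresses, and the labels `ssl-spoof` and `cloak` are constructed for illustration; ClamAV's real phishing rules are more elaborate and this does not reproduce them.

```python
"""Added example: a simplified display-URL vs. real-URL link check.
This is NOT ClamAV's implementation; it only illustrates the idea behind
a heuristic named like heuristics.phishing.email.ssl-spoof."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical sender, addresses and hosts).
# The first link *shows* an https URL but *points* at a plain-http IP address.
SAMPLE_EML = b"""\
From: "Your Bank" <alerts@example-bank.test>
To: you@example.test
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in at
<a href="http://203.0.113.5/login">https://www.example-bank.test/login</a></p>
<p>Help: <a href="https://www.example-bank.test/help">https://www.example-bank.test/help</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return a heuristic label for one anchor, or None if nothing looks off.

    Only anchors whose visible text is itself a URL are compared; a link
    that just says "click here" gives the reader nothing to be misled by.
    """
    if not text.lower().startswith(("http://", "https://")):
        return None
    shown = urlparse(text)
    real = urlparse(href)
    if shown.scheme == "https" and real.scheme != "https":
        return "ssl-spoof"  # displayed as secure, actually not
    if shown.hostname and real.hostname and shown.hostname != real.hostname:
        return "cloak"  # displayed host differs from the real host
    return None


def scan_message(raw):
    """Parse a raw RFC 822 message and return (href, text, label) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _AnchorCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            label = classify_link(href, text)
            if label:
                findings.append((href, text, label))
    return findings


if __name__ == "__main__":
    for href, text, label in scan_message(SAMPLE_EML):
        print(f"{label}: message shows '{text}' but links to '{href}'")
```

Run as a script it reports the first link as `ssl-spoof` and says nothing about the second, which is the kind of "check it out" warning the reply describes: the scanner cannot know the sender's intent, so a human still has to open the message and decide whether it is junk.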