
Heuristics.Phishing.Email.SpoofedDomain FOUND

Comcast sent me an email saying one of my computers was infected with a bot. And I have been getting a lot of Junk email lately. So I ran ClamXav and scanned my User Folder. The scan came up with one infected file in a deleted email folder / Heuristics.Phishing.Email.SpoofedDomain FOUND


Should I simply Secure Trash the file and I guess I should see if the file still exists on the server level.



iMac (21.5-inch Late 2009), OS X Mountain Lion (10.8.2), Airport, iPhone, iPad, Apple TV2

Posted on Mar 27, 2013 6:03 AM

Question marked as Best reply

Posted on Mar 27, 2013 9:10 AM

Joe Gramm wrote:


Comcast sent me an email saying one of my computers was infected with a bot. And I have been getting a lot of Junk email lately. So I ran ClamXav and scanned my User Folder. The scan came up with one infected file in a deleted email folder / Heuristics.Phishing.Email.SpoofedDomain FOUND


Should I simply Secure Trash the file and I guess I should see if the file still exists on the server level.

No! All you need to do for this one is to go back to your Mail app and empty the "Deleted Messages" mailbox since you have apparently already decided it's not something you need.


Normally, I would tell you to read any e-mail that has the word Heuristics in the infection name, since this is only a warning that something about the format of the e-mail is suspicious. It did not match a specific signature of a known phishing attempt so the scanner is simply guessing.


Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail.


So, if you choose to "Scan e-mail content for malware and phishing" in the General Preferences, make sure you do not elect to either Quarantine or Delete infected files.


When possibly infected e-mail files are found:

Highlight the entry in the ClamXav window's top pane that needs to be dealt with.

Right-click/Control-click on the entry.

Select "Reveal In Finder" from the pop-up menu.

When the window opens, double-click on the file to open the message in your e-mail client application.

Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (reading it is especially important when the word "Heuristics" appears in the infection name).

If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.


As far as Comcast is concerned, ask them for details as there are currently no known "bots" that impact OS X.
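The name in the scan hit, Heuristics.Phishing.Email.SpoofedDomain, refers to a format check rather than a signature match. The following added example (not ClamXav's or ClamAV's own code) approximates that check: it parses a constructed HTML e-mail and flags anchors whose visible text names one domain while the href points to another. The sample message, the two-label domain comparison and all names are constructed assumptions.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that "looks like" a URL or a bare domain name.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Simplifying assumption: compare only the last two DNS labels.
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def spoofed_links(raw_message):
    """Return (visible text, real href) pairs whose domains disagree."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text only: nothing to compare
    collector = AnchorCollector()
    collector.feed(body.get_content())
    hits = []
    for href, text in collector.links:
        shown, real = DOMAIN_RE.search(text), urlparse(href).hostname
        if shown and real and registered_domain(shown.group(1)) != registered_domain(real):
            hits.append((text, href))
    return hits

SAMPLE = (  # constructed sample message, not a real e-mail
    "From: Alerts <alerts@example-bank.com>\nSubject: Verify your account\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Log in at <a href="http://login.evil-example.net/x">www.example-bank.com</a>'
    ' or see <a href="https://www.example-bank.com/help">our help page</a>.</p>\n'
)
```

A hit from this check means the message's link text and its real target disagree, which is why the poster's advice is to open and read such a message before deciding it is junk.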

38 replies

Mar 27, 2013 9:52 AM in response to MadMacs0

I have ClamXav Preferences set to take care of any found files myself. So that's what I did. As a precaution I also deleted the file from all Time Machine backups. I assume the next time I incrementally back up the Clone, the file will be deleted automatically.


As for Comcast. I am getting a high number of unwanted, unsolicited junk email. Junk mail comes in many ways to keep up with. Some of it that has consistent addresses I can set up rule. But at any rate, thank you for the input. Here is the message from Comcast. Maybe they are just trying to sell an added feature.



Mar 27, 2013 10:13 AM in response to Joe Gramm

Joe Gramm wrote:


As for Comcast. I am getting a high number of unwanted, unsolicited junk email. Junk mail comes in many ways to keep up with. Some of it that has consistent addresses I can set up rule.

I think that most all users suffer from this, some have told me they get over 200 a day. My wife and I experience far fewer than that and most are properly moved to the Junk/Spam folders.


I forward all mine to my e-mail providers and the FTC <spam@uce.gov> and then report it through SpamCop. If it's an obvious phishing attempt I forward it to APWG <reportphishing@antiphishing.org> and CERT Phishing <phishing-report@us-cert.gov>. It usually takes a long time to have any effect, especially when the sending ISP is uncooperative, but I figure I'm doing my part in trying to reduce this for everybody.

Here is the message from Comcast. Maybe they are just trying to sell an added feature.

I've gotten one of these myself. I'm almost positive it was related to a runaway process that kept trying to contact its server over and over. I had seen it in the console logs and killed it off a few days before I got the message and I never heard from them again, so that's why I suspect it. Tells me their monitoring software can't tell a bot from a legitimate connection query.


I don't think that Constant Guard costs the subscriber anything, but I also don't find it to be necessary. Last time I looked, it included a Norton product, which I have no use for. You will get an extremely negative reaction from most users if you bring that name up in this Forum. Mostly a bad rep from a long time ago, but there are still users that have issues with it today.

Mar 27, 2013 10:21 AM in response to Joe Gramm

Something else I should mention is that Windows PCs are easily infected to join global botnets, so if there are any of these on your network (with or without your knowledge) that could be the source. There are tens of thousands of such "bots" active today.


Macs are not immune and there were an estimated 600,000 infected by Flashback via Java about a year ago (it's been declared extinct, but we still run across users that still have it after all this time). As long as your OS is fully up-to-date, you have nothing to fear from any currently known malware.

Mar 27, 2013 10:21 AM in response to Joe Gramm

Joe Gramm wrote:


... Maybe they are just trying to sell an added feature.


Comcast is notorious for these solicitations. Under "what is a bot" they explain a "bot" is something that infects your computer, which is true. It's their system and they implicated one or more of your computers. If Comcast sent this email and you are satisfied it is legitimately from them (it is possible it may be spam itself), ask them to either defend their accusation or leave you alone.


Obtain specific details regarding the particular activity associated with your computers. De-identify any personal information and post their reply here.

Mar 27, 2013 10:40 AM in response to John Galt

John Galt wrote:


Obtain specific details regarding the particular activity associated with your computers. De-identify any personal information and post their reply here.

If I get time and have the patience to reach someone at Comcast that would actually have answers, I will certainly post back here. Won't be today.


I do not doubt a word that's been said, but I do find it strange Comcast sends this message and I am experiencing a wave of Junk and ClamXav finds a suspicious email. In the future I'm going to pay closer attention to which email boxes the junk is coming to and run periodic scans. I know it's been said since the beginning of time that Macs don't get viruses, but.......


John- I like the Apples separating your Products in Profile. Is that a privilege for your level??

Mar 27, 2013 11:19 AM in response to Joe Gramm

... I know it's been said since the beginning of time that Macs don't get viruses, but.......


They don't. No virus has ever successfully infected OS X; though there were a few notorious ones that targeted the 68k CPU and "classic" Mac OS, there are no OS X viruses known to exist.


Malware is another story, and has been around since the beginning of time. Flashback found its way in through a Java exploit, which Apple addressed about a year ago. Future Java and / or Flash Player exploits are certainly possible - likely, in my opinion - but since their nature is unknown, it is unlikely any present utility will be able to anticipate or identify them. Your best defense against such exploits is to accept the fact that Java is a potential vector for malware, and use it appropriately. I would not, for example, ever consider using a banking or brokerage website that required Java to function. Enable Java only if absolutely necessary for your work, and disable it when not required.


ClamXav will identify Windows viruses. There are plenty of them, and emails with spoofed domains are common. Phishing attempts are a constant threat that are impossible to prevent through any automated means. Your own common sense is the only defense against these attempts to convince you to willfully divulge personal information. I have never seen any that were not pathetic, but plenty of people fall for them anyway. Such attempts are certain to get better in time.


If it were not for Windows and its traditional affinity for viruses we would not be having this discussion. The assumption that OS X is just as vulnerable to viruses as Windows and that it requires just as much protection from third party products is not going away any time soon. An entire industry owes its very existence to such misinformation, and is highly motivated to maintain this perceived indispensability. The fact that OS X and iOS are becoming increasingly popular alternatives to Windows presents a major threat to them.


You can type the  character, owning a Mac is the only privilege required: option shift k.


Mar 27, 2013 11:35 AM in response to John Galt

John Galt wrote:

No virus has ever successfully infected OS X; though there were a few notorious ones that targeted the 68k CPU and "classic" Mac OS, there are no OS X viruses known to exist.


Malware is another story, and has been around since the beginning of time. Flashback found its way in through a Java exploit, which Apple addressed about a year ago. Future Java and / or Flash Player exploits are certainly possible - likely, in my opinion - but since their nature is unknown, it is unlikely any present utility will be able to anticipate or identify them. Your best defense against such exploits is to accept the fact that Java is a potential vector for malware, and use it appropriately. I would not, for example, ever consider using a banking or brokerage website that required Java to function. Enable Java only if absolutely necessary for your work, and disable it when not required.



You can type the  character, owning a Mac is the only privilege required: option shift k.


Thanks for the character tip. Just tried it in Text Edit. Pretty cool.


What about malware? In Mail, can an email with malware attached or embedded read Contacts or Calendar files?

Mar 27, 2013 12:06 PM in response to Joe Gramm

At present there is absolutely no known way for any malicious Mail attachment to read your Mac's Contacts or Calendar files.


Windows malware exists that can harvest email addresses though. This means that if you send an email to someone with an infected Windows PC, your email address can be harvested from that PC and used for malicious purposes. There is nothing you can do about that, other than to not correspond with those who use Windows.

Mar 27, 2013 12:46 PM in response to MadMacs0

MadMacs0 wrote:


Something else I should mention is that Windows PCs are easily infected to join global botnets, so if there are any of these on your network (with or without your knowledge) that could be the source. There are tens of thousands of such "bots" active today.


I don't have a big Network. I have a couple of Macs and a few iOS devices (like ATV). All mine. Then I have a Guest Network enabled with some Windows and Android devices on the Network. Both Networks are password protected with WPA Security.


So I don't think I need to worry about my Network.
