>-----Original Message-----
>From: sanesecurity-bounce@xxxxxxxxxxxxx
>[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of GrayHat
>Sent: Thursday, July 9, 2009 09:29
>To: sanesecurity@xxxxxxxxxxxxx
>Subject: [sanesecurity] winnow_phish_complete - false positive ?!?
>
>
>A user reported that his mail was blocked by
>
>"winnow.phish.br.bankofamerica.mc.285415"
>
>and sent me a full copy of the email, I decoded
>the above signature and found that it contains
>a pointer to exchangedefender
>
>Now... the "flagged" message had a link to the
>above site at bottom; a URL which could be
>used to verify the authenticity of the message
>so... I'm wondering if this may be a false positive
>or if the exchangedefender site was "owned"
>and used for phishing
>
>any info ?
>
>

Didn't find winnow.phish.br.bankofamerica.mc.285415 in my winnow_phish_complete db !?!?

But I found "winnow.phish.br.bankofamerica.hc.285415" (with .hc. replacing .mc. :) )

Finger or clipboard paste error? Or do I have another db version?

Francis