[sanesecurity] Re: winnow_phish_complete - false positive ?!?

  • From: CLEMENT Francis <fclement@xxxxxxxxxxxxxxxx>
  • To: "'sanesecurity@xxxxxxxxxxxxx'" <sanesecurity@xxxxxxxxxxxxx>
  • Date: Thu, 9 Jul 2009 09:42:49 +0200

>-----Original Message-----
>From: sanesecurity-bounce@xxxxxxxxxxxxx
>[mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On behalf of GrayHat
>Sent: Thursday, 9 July 2009 09:29
>To: sanesecurity@xxxxxxxxxxxxx
>Subject: [sanesecurity] winnow_phish_complete - false positive ?!?
>
>
>A user reported that his mail was blocked by
>
>"winnow.phish.br.bankofamerica.mc.285415"
>
>and sent me a full copy of the email, I decoded
>the above signature and found that it contains
>a pointer to exchangedefender
>
>Now... the "flagged" message had a link to the
>above site at the bottom; a URL which could be
>used to verify the authenticity of the message
>so... I'm wondering if this may be a false positive
>or if the exchangedefender site was "owned"
>and used for phishing
>
>any info ?
>
>

Didn't find winnow.phish.br.bankofamerica.mc.285415 in my
winnow_phish_complete db !?!?

But I found "winnow.phish.br.bankofamerica.hc.285415" (with .hc. replacing
.mc. :) )
Finger or clipboard paste error? Or do I have another db version?


Francis
