Nationwide sending me infected emails

[Deleted User]
edited 23 June 2021 at 3:47PM in Techie Stuff
Nationwide keep on sending me infected emails
"ALERT: A virus was detected in the contents of this email, which have been removed for your protection. ClamAV Report:

/tmp/66108: Heuristics.Phishing.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------

Infected files: 1

Time: 0.063 sec (0 m 0 s)"

Is this a known problem or is it a false alert?

The strange thing is that I don't use CLAM AV - I use MS Defender

The email IS from a genuine Nationwide address

Comments

  • Jenni_D
    Check the email headers ... it might look like it's come from a genuine address, but it's easy to spoof the address that you first see.

    Which email provider do you use? (They might use Clam AV at the server level before the email is sent to you).
    Jenni x
  • The_Fat_Controller
    edited 23 June 2021 at 4:09PM
    Inspect the complete header.

    HOVER over any links in the email and see the true URL that it would direct you to.
  • ClamAV will be used on your mail provider's mail server.

    /tmp/66108: Heuristics.Phishing.Email.SpoofedDomain FOUND

    I think that means ClamAV thinks that the email has a fake domain on it. Perhaps the email is purporting to be from nationwide when it really isn't? Looking at the message headers is the key to finding out what is going on here. My email from nationwide comes from "nationwide@nationwide-communications.co.uk" or from "nationwide@nationwide-service.co.uk". Sample emails I have looked at come from a server claiming to be "mta.nationwide-service.co.uk" on the IP address "199.122.127.114".


    A dream is not reality, but who's to say which is which?
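The checks suggested in the replies above (read the full headers, and compare the text a link displays with the URL it really points to), as an added example that is not part of the original thread. The sample message and every domain in it are constructed placeholders.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real bank email); all domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none
From: "Example Bank" <alerts@bank.example>
Content-Type: text/html

<a href="https://bank.example/login">https://bank.example/login</a>
<a href="https://click.mailer.example.net/t/abc">www.bank.example</a>
<a href="https://bank.example/help">Help centre</a>
"""

def host(url):
    # Lower-cased hostname of a URL or of a bare "www.x.y" string, else "".
    url = url.strip()
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

class LinkAudit(HTMLParser):
    # Collects (displayed text, real href) for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(raw):
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    parser = LinkAudit()
    parser.feed(msg.get_payload())
    # Only link text that itself looks like a hostname can disagree with the href.
    mismatched = [(t, h) for t, h in parser.links
                  if "." in t and " " not in t and host(t) and host(t) != host(h)]
    return {"from": from_dom, "envelope": env_dom, "aligned": from_dom == env_dom,
            "auth": msg.get("Authentication-Results", ""), "mismatched": mismatched}
```

In the sample, SPF passes for the envelope domain rather than the visible From domain, so a pass alone does not confirm the address the reader sees. Legitimate mail sent through click-tracking services also produces displayed-versus-real link mismatches, so such a finding needs to be read together with the header evidence.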
  • It comes from nationwide@nationwide-communications.co.uk
  • Jenni_D said:
    Check the email headers ... it might look like it's come from a genuine address, but it's easy to spoof the address that you first see.

    Which email provider do you use? (They might use Clam AV at the server level before the email is sent to you).
    I use Talktalk 
  • arciere
    edited 24 June 2021 at 8:46AM
    I could easily send an email using your email address.

    You can be sure that it's not Nationwide sending you those emails.
  • @arciere

    The (nationwide@nationwide-communications.co.uk) address is a valid Nationwide address.

    I have my statements, newsletters and an invitation to vote in the AGM with all the correct log in codes from that exact address.

    @Deleted_User, I wouldn't worry about it.
  • OK I have looked at the header and it appears to be being blocked by Spam Assassin
    I do not have any control over this - it may be an ISP controlled filter
  • arciere
    edited 24 June 2021 at 9:43AM
    I mean, what does the email actually say? Can you read the content? If it asks you to open the attached file, then you've got your answer, regardless of where the email was sent from.
  • @Deleted_User

    My NW emails come to an AOL address and that address has never been identified as unsafe.