[clamav-users] clamav-users Digest, Vol 150, Issue 19

Dennis Peterson dennispe at inetnw.com
Thu Jun 1 16:01:17 UTC 2017


If I were to have gotten a suspicious message notice from 
epl.paypal-communication.com and gone through a whois, nslookup, whois (ip 
address), dig txt paypal-communication.com, dig mx paypal-communication.com, dig 
mx epl.paypal-communication.com routine I would have found a very suspicious 
pedigree and I would add the IP and domain name to my blacklist. And that is 
exactly what I did. Businesses that send email that is indistinguishable from 
spam/phishing/obfuscation/cloaking/tracking don't deserve space in my systems. 
And because I'll not remember long that I did all this forensic investigation 
and was dissatisfied with the results, I go with the least-effort option of 
blocking. It is your problem to fix. Be obvious or be blocked. There's too much 
at risk.

And including a link to a one-pixel (spacer1.gif) image, obviously a tracking 
beacon, in already suspect messages always looks more suspicious yet.

dp

On 6/1/17 1:19 AM, Outreach at epsilon.com wrote:
> Hi Reindl and Al,
>
> Thank you for your feedback.
>
> The domain https://epl.paypal-communication.com is used by Paypal for link tracking purposes in their emails. Their sending domains are for example: mail.paypal.com, mail.paypal.co.uk, mail.paypal.fr etc.
>
> To clarify, I work for Epsilon which is a major Email Service Provider (www.epsilon.com) and Paypal use our platform to deploy their emails, hence me contacting you about this delivery issue.
>
> I will pass back your feedback to Paypal so they can make a decision on whether or not they will want to make any changes to their emails moving forward.
>
> Best regards,
>
>
> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>   T   +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK  epsilon.com
>
>
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Reindl Harald
> Sent: 01 June 2017 07:24
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
>
>
> Am 01.06.2017 um 03:04 schrieb Al Varnell:
>> I made an attempt to determine whether epl.paypal-communication.com was a legitimate domain owned by PayPal with very mixed results.
>>
>> No WhoIs service could identify it directly
> and here I stopped reading - let me guess: you entered "epl.paypal-communication.com" including the subdomain and/or used some obscure website doing whois requests
>
>
> [harry at srv-rhsoft:~]$ whois paypal-communication.com
>
> Whois Server Version 2.0
>
> Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
>
>      Domain Name: PAYPAL-COMMUNICATION.COM
>      Registrar: MARKMONITOR INC.
>      Sponsoring Registrar IANA ID: 292
>      Whois Server: whois.markmonitor.com
>      Referral URL: http://www.markmonitor.com
>      Name Server: NS1.P57.DYNECT.NET
>      Name Server: NS2.P57.DYNECT.NET
>      Name Server: PDNS100.ULTRADNS.COM
>      Name Server: PDNS100.ULTRADNS.NET
>      Status: clientDeleteProhibited
> https://icann.org/epp#clientDeleteProhibited
>      Status: clientTransferProhibited
> https://icann.org/epp#clientTransferProhibited
>      Status: clientUpdateProhibited
> https://icann.org/epp#clientUpdateProhibited
>      Updated Date: 05-mar-2017
>      Creation Date: 06-apr-2011
>      Expiration Date: 06-apr-2018
>
>   >>> Last update of whois database: Thu, 01 Jun 2017 06:20:04 GMT <<<
>
> For more information on Whois status codes, please visit https://icann.org/epp
>
> NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar.  Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.
>
> Domain Name: paypal-communication.com
> Registry Domain ID: 1649488607_DOMAIN_COM-VRSN
> Registrar WHOIS Server: whois.markmonitor.com
> Registrar URL: http://www.markmonitor.com
> Updated Date: 2017-03-05T02:14:48-0800
> Creation Date: 2011-04-06T05:23:32-0700
> Registrar Registration Expiration Date: 2018-04-06T00:00:00-0700
> Registrar: MarkMonitor, Inc.
> Registrar IANA ID: 292
> Registrar Abuse Contact Email: abusecomplaints at markmonitor.com
> Registrar Abuse Contact Phone: +1.2083895740
> Domain Status: clientUpdateProhibited
> (https://www.icann.org/epp#clientUpdateProhibited)
> Domain Status: clientTransferProhibited
> (https://www.icann.org/epp#clientTransferProhibited)
> Domain Status: clientDeleteProhibited
> (https://www.icann.org/epp#clientDeleteProhibited)
> Domain Status: serverUpdateProhibited
> (https://www.icann.org/epp#serverUpdateProhibited)
> Domain Status: serverTransferProhibited
> (https://www.icann.org/epp#serverTransferProhibited)
> Domain Status: serverDeleteProhibited
> (https://www.icann.org/epp#serverDeleteProhibited)
> Registry Registrant ID:
> Registrant Name: Domain Administrator
> Registrant Organization: PayPal Inc.
> Registrant Street: 2211 North First Street,
> Registrant City: San Jose
> Registrant State/Province: CA
> Registrant Postal Code: 95131
> Registrant Country: US
> Registrant Phone: +1.8882211161
> Registrant Phone Ext:
> Registrant Fax: +1.4025375774
> Registrant Fax Ext:
> Registrant Email: hostmaster at paypal.com
> Registry Admin ID:
> Admin Name: Domain Administrator
> Admin Organization: PayPal Inc.
> Admin Street: 2211 North First Street,
> Admin City: San Jose
> Admin State/Province: CA
> Admin Postal Code: 95131
> Admin Country: US
> Admin Phone: +1.8882211161
> Admin Phone Ext:
> Admin Fax: +1.4025375774
> Admin Fax Ext:
> Admin Email: hostmaster at paypal.com
> Registry Tech ID:
> Tech Name: Domain Administrator
> Tech Organization: PayPal Inc.
> Tech Street: 2211 North First Street,
> Tech City: San Jose
> Tech State/Province: CA
> Tech Postal Code: 95131
> Tech Country: US
> Tech Phone: +1.8882211161
> Tech Phone Ext:
> Tech Fax: +1.4025375774
> Tech Fax Ext:
> Tech Email: hostmaster at paypal.com
> Name Server: ns2.p57.dynect.net
> Name Server: pdns100.ultradns.com.
> Name Server: ns1.p57.dynect.net
> Name Server: pdns100.ultradns.net.
> DNSSEC: signedDelegation
> URL of the ICANN WHOIS Data Problem Reporting System:
> http://wdprs.internic.net/
>   >>> Last update of WHOIS database: 2017-05-31T23:20:11-0700 <<<
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
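The "whois, dig txt, dig mx" routine Dennis describes, and the registrar record Reindl pasted, reduce to a few checks that can be scripted so the result survives beyond the admin's memory. The following is an added example for this thread, not code from ClamAV, the list or either poster. It parses thick-whois output of the kind quoted above and flags the signals a mail admin weighs: registrant organisation and contact e-mail not matching the brand, a privacy/proxy registrant, a domain only days old, no DNSSEC delegation, and no registry-level lock. The PayPal record is the one quoted above, trimmed to the fields used (the list archive rewrote `@` as ` at `; it is restored here). The second record is constructed for a hypothetical lookalike under the reserved `.example` TLD and describes no real domain; the 30-day age threshold is an assumption.

```python
"""Parse a registrar's thick-whois record and flag what a mail admin
checks before trusting a sender or link-tracking domain.

Added example for this thread, not ClamAV or list code.  PAYPAL_RECORD is
the record quoted in the thread, trimmed; LOOKALIKE_RECORD is constructed
for a hypothetical domain under the reserved .example TLD.
"""
import re
from datetime import date

REFERENCE_DAY = date(2017, 6, 1)   # day the thread was posted
NEW_DOMAIN_DAYS = 30               # assumption: younger than this is suspect

PAYPAL_RECORD = """\
Domain Name: paypal-communication.com
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Creation Date: 2011-04-06T05:23:32-0700
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Registrant Organization: PayPal Inc.
Registrant Email: hostmaster@paypal.com
Name Server: ns1.p57.dynect.net
Name Server: pdns100.ultradns.com.
DNSSEC: signedDelegation
"""

# Constructed, hypothetical: what a freshly registered lookalike tends to look like.
LOOKALIKE_RECORD = """\
Domain Name: paypal-communication.example
Registrar: Example Registrar LLC
Creation Date: 2017-05-28T11:02:00Z
Domain Status: clientTransferProhibited
Registrant Organization: Domain Privacy Service
Registrant Email: privacy@registrar.example
Name Server: ns1.cheap-dns.example
DNSSEC: unsigned
"""

# "Key: value" per line; the key stops at the first colon so URLs and
# ISO timestamps in the value survive intact.
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Turn whois lines into a dict; repeatable keys are collected as lists."""
    rec = {"name_servers": [], "status": []}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Name Server":
            rec["name_servers"].append(val.lower().rstrip("."))
        elif key == "Domain Status":
            rec["status"].append(val.split()[0])   # drop the trailing ICANN URL
        elif key not in rec:                       # thin + thick output repeats keys; keep first
            rec[key] = val
    return rec


def assess(rec, brand, brand_domain, today=REFERENCE_DAY):
    """Return a short code for each sign that the domain is not the brand's own."""
    findings = []
    org = rec.get("Registrant Organization", "").lower()
    email = rec.get("Registrant Email", "").lower()
    if brand.lower() not in org:
        findings.append("org-mismatch")
    if not email.endswith("@" + brand_domain.lower()):
        findings.append("email-mismatch")
    if any(w in org for w in ("privacy", "proxy", "redacted")):
        findings.append("privacy-proxy")
    created = rec.get("Creation Date")
    if created and (today - date.fromisoformat(created[:10])).days < NEW_DOMAIN_DAYS:
        findings.append("new-domain")
    if rec.get("DNSSEC", "").lower() != "signeddelegation":
        findings.append("no-dnssec")
    # server* statuses are set by the registry (registry lock); their absence
    # is only a weak signal, but brand domains at corporate registrars usually have them.
    if not any(s.startswith("server") for s in rec["status"]):
        findings.append("no-registry-lock")
    return findings


if __name__ == "__main__":
    for name, raw in (("paypal-communication.com", PAYPAL_RECORD),
                      ("paypal-communication.example", LOOKALIKE_RECORD)):
        print(name, assess(parse_whois(raw), "PayPal", "paypal.com") or ["consistent with brand"])
```

Feed it live output (`whois paypal-communication.com`, with the registrable domain, not the `epl.` subdomain) and the same `assess` call applies; the `dig txt`/`dig mx` results add the sending side of the picture but do not change the registrant checks above.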
