[clamav-users] Mail from Paypal wrongly identified as phishing by ClamAv
G.W. Haywood
clamav at jubileegroup.co.uk
Thu May 18 16:51:15 UTC 2017
Hi there,
On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
No surprise there.
> We get this type of bounce erros:
> 554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus
That's not a bounce, it's a reject.
> Please make the necessary changes to your product ASAP.
Well... the last email I saw from PayPal had this in it, carefully hidden:
8<----------------------------------------------------------------------
[lefttrianglebracket]
img height="1"
width="1"
src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
border="0"
alt=""/
[righttrianglebracket]
8<----------------------------------------------------------------------
The mail did pass our SPF checks on receipt:
8<----------------------------------------------------------------------
Received-SPF: pass (mail5: domain of service at paypal.co.uk designates 173.0.84.226 as permitted sender)
receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com; envelope-from=service at paypal.co.uk;
x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
8<----------------------------------------------------------------------
but then it went in the bin.
Admittedly this was quite a while ago; we've been rejecting all mail
from PayPal since 2013. All the same, you aren't helping anybody by
doing things like that.
I don't suppose you'll actually read this.
--
73,
Ged.
More information about the clamav-users
mailing list