[clamav-users] clamav-users Digest, Vol 150, Issue 19

Outreach at epsilon.com Outreach at epsilon.com
Fri May 19 16:14:31 UTC 2017


Hi Ged,

I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:

IPs: 142.54.244.[96-110]

Domains:
mail.paypal.at
mail.paypal.be
mail.paypal.ch
mail.paypal.co.il
mail.paypal.co.uk
mail.paypal.de
mail.paypal.dk
mail.paypal.es
mail.paypal.fr
mail.paypal.it
mail.paypal.nl
mail.paypal.no
mail.paypal.pl
mail.paypal.se
mail.paypal.com

Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and is wrongly identified as a phish by ClamAV.

These emails are authenticated and come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus".


Many thanks,


Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
T +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK   epsilon.com

----------------------------------------------------------------------

Message: 1
Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
From: "G.W. Haywood" <clamav at jubileegroup.co.uk>
To: clamav-users at lists.clamav.net
Subject: Re: [clamav-users] Mail from Paypal wrongly identified as phishing by ClamAv
Message-ID: <alpine.DEB.2.11.1705181726340.4916 at mail6.jubileegroup.co.uk>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

Hi there,

On Thu, 18 May 2017, Anne-Sophie Marsh wrote:

> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.

No surprise there.

> We get this type of bounce errors:
> 554 Your email was rejected because it contains the 
> Heuristics.Phishing.Email.SpoofedDomain virus

That's not a bounce, it's a reject.

> Please make the necessary changes to your product ASAP.

Well... the last email I saw from PayPal had this in it, carefully hidden:

8<----------------------------------------------------------------------
<img height="1" width="1" src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814" border="0" alt=""/>
8<----------------------------------------------------------------------

The mail did pass our SPF checks on receipt:

8<----------------------------------------------------------------------
Received-SPF: pass (mail5: domain of service at paypal.co.uk designates 173.0.84.226 as permitted sender) receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com; envelope-from=service at paypal.co.uk;
x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
8<----------------------------------------------------------------------

but then it went in the bin.

Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013.  All the same, you aren't helping anybody by doing things like that.

I don't suppose you'll actually read this.

-- 

73,
Ged.
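
The verdict quoted in the reject, Heuristics.Phishing.Email.SpoofedDomain, is ClamAV's phishing heuristic noticing that a link's visible text names one domain while its href points at another. The Python below is an added illustration of that display-versus-real comparison, written for this page; it is not ClamAV's code and does not reproduce its exact rules. The sample HTML is constructed: the hostnames click.example-esp.net and metrics.example.net, the address 203.0.113.7 and the allow_pairs format are this example's own assumptions. Only the co.uk and co.il suffixes from the domain list above are handled; a real implementation would use the full Public Suffix List.

```python
"""Toy version of the display-vs-real domain comparison behind a
Heuristics.Phishing.Email.SpoofedDomain verdict. Added example; not ClamAV code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Two-label public suffixes that appear in the domain list above (paypal.co.uk,
# paypal.co.il). A real implementation would consult the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "co.il"}

# Link text only counts as a "displayed URL" if it looks like one.
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"'/]+", re.I)

# Constructed sample (hostnames and IP are hypothetical): one honest link, one
# link whose text shows paypal.com but whose href goes to a tracking redirector,
# one link with plain words as text, and a 1x1 tracking pixel like the one
# quoted in the message above.
SAMPLE_HTML = """
<p>Your monthly statement is ready.</p>
<a href="https://www.paypal.co.uk/myaccount/statements">https://www.paypal.co.uk/myaccount/statements</a>
<a href="https://click.example-esp.net/r/abc123">www.paypal.com/activity</a>
<a href="http://203.0.113.7/login">Log in to your account</a>
<img height="1" width="1" src="https://metrics.example.net/b/ss/1x1.gif" border="0" alt=""/>
"""


def registrable_domain(host: str) -> str:
    """mail.paypal.co.uk -> paypal.co.uk, mail.paypal.de -> paypal.de."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Hostname of an href or of URL-looking anchor text ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str, allow_pairs=frozenset()):
    """Return [(real_host, displayed_host, verdict)] for links whose text looks
    like a URL. allow_pairs holds (real_domain, displayed_domain) tuples the
    receiving site has decided to accept; the format is this example's own."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = URL_IN_TEXT.search(text)
        if not shown:
            continue  # plain words as link text: nothing to compare against
        real_host, shown_host = host_of(href), host_of(shown.group(0))
        if not real_host or not shown_host:
            continue
        real_dom, shown_dom = registrable_domain(real_host), registrable_domain(shown_host)
        if real_dom == shown_dom:
            verdict = "ok"
        elif (real_dom, shown_dom) in allow_pairs:
            verdict = "allowlisted"
        else:
            verdict = "SpoofedDomain"
        findings.append((real_host, shown_host, verdict))
    return findings


if __name__ == "__main__":
    for real_host, shown_host, verdict in check_links(SAMPLE_HTML):
        print(f"{verdict:14} displayed={shown_host} real={real_host}")
```

Run stand-alone, the honest paypal.co.uk link passes, the link that displays www.paypal.com but resolves to click.example-esp.net is reported as SpoofedDomain, and the "Log in to your account" link and the tracking pixel are not examined by this check at all because neither shows a URL to compare. Passing the pair ("example-esp.net", "paypal.com") in allow_pairs turns the second verdict into "allowlisted", which is the kind of per-sender exception a receiving operator has to make when a legitimate sender routes its links through a click tracker.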