[clamav-users] clamav-users Digest, Vol 150, Issue 19

Al Varnell alvarnell at mac.com
Wed May 31 04:04:52 UTC 2017


Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.

Most of the people that participate on this list are users and can't do anything but give you advice.

Sent from Janet's iPad

-Al-

On May 19, 2017, at 9:14 AM, "Outreach wrote:
> Hi Ged,
> 
> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
> 
> IPs: 142.54.244.[96-110]
> 
> Domains: 
> mail.paypal.at 
> mail.paypal.be
> mail.paypal.ch
> mail.paypal.co.il
> mail.paypal.co.uk
> mail.paypal.de
> mail.paypal.dk
> mail.paypal.es
> mail.paypal.fr
> mail.paypal.it
> mail.paypal.nl
> mail.paypal.no
> mail.paypal.pl
> mail.paypal.se
> mail.paypal.com
> 
> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv. 
> 
> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
> 
> 
> Many thanks,
> 
> 
> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>  T   +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK  epsilon.com
> 
> 
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
> From: "G.W. Haywood"
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>    phishing    by ClamAv
> Message-ID:
>    <alpine.DEB.2.11.1705181726340.4916 at mail6.jubileegroup.co.uk>
> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
> 
> Hi there,
> 
> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
> 
>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
> 
> No surprise there.
> 
>> We get this type of bounce errors:
>> 554 Your email was rejected because it contains the 
>> Heuristics.Phishing.Email.SpoofedDomain virus
> 
> That's not a bounce, it's a reject.
> 
>> Please make the necessary changes to your product ASAP.
> 
> Well... the last email I saw from PayPal had this in it, carefully hidden:
> 
> 8<----------------------------------------------------------------------
> [lefttrianglebracket]
> img height="1"
> width="1"
> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
> border="0"
> alt=""/
> [righttrianglebracket]
> 8<----------------------------------------------------------------------
> 
> The mail did pass our SPF checks on receipt:
> 
> 8<----------------------------------------------------------------------
> Received-SPF: pass (mail5: domain of service at paypal.co.uk designates 173.0.84.226 as permitted sender) receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com; envelope-from=service at paypal.co.uk;
> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
> 8<----------------------------------------------------------------------
> 
> but then it went in the bin.
> 
> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013.  All the same, you aren't helping anybody by doing things like that.
> 
> I don't suppose you'll actually read this.
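
An added example, not part of the original thread: a Python sketch that lists 1x1 images in an HTML mail body whose host lies outside the sender's domain, and notes when that host name reads like an IPv4 address, as the host in the quoted img tag does. The sample body, the suffix-based sender comparison and all function names are constructed assumptions; this is not ClamAV's heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one visible first-party image plus the hidden
# 1x1 image quoted in the message above.
SAMPLE_HTML = """<html><body>
<img src="https://www.paypal.co.uk/logo.png" width="120" height="40" alt="logo">
<img height="1" width="1"
 src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
 border="0" alt=""/>
</body></html>"""

# Letters that read as digits; used only to test for IPv4 look-alikes.
LOOKALIKE = str.maketrans("oOl", "001")

def mimics_ipv4(host):
    """True for a DNS name whose first three labels read as IPv4 octets."""
    labels = host.split(".")
    if len(labels) < 4 or not labels[-1].isalpha():
        return False  # too short, or a genuine IP literal
    return all(any(c.isdigit() for c in l)
               and re.fullmatch(r"\d{1,3}", l.translate(LOOKALIKE))
               for l in labels[:3])

class PixelFinder(HTMLParser):
    """Collects tiny images served from outside the sender's domain."""
    def __init__(self, sender_domain):
        super().__init__()
        self.sender = sender_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlsplit(a.get("src", "")).hostname or ""  # lower-cased
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        # Assumption: plain suffix match stands in for a public-suffix lookup.
        outside = host != self.sender and not host.endswith("." + self.sender)
        if tiny and host and outside:
            self.findings.append({"host": host, "mimics_ipv4": mimics_ipv4(host)})

def scan(html, sender_domain):
    finder = PixelFinder(sender_domain)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    print(scan(SAMPLE_HTML, "paypal.co.uk"))
```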


