[clamav-users] clamav-users Digest, Vol 150, Issue 19
Al Varnell
alvarnell at mac.com
Wed May 31 08:05:42 UTC 2017
Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
But I am a bit surprised that they haven't commented.
-Al-
On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>
> Hi,
>
> I did but never heard anything back unfortunately.
>
> We still had a lot of mail blocked on the 29/5 because of this issue.
>
> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>
> Thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Al Varnell
> Sent: 31 May 2017 05:05
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Cc: clamav at jubileegroup.co.uk; clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>
> Most of the people that participate on this list are users and can't do anything but give you advice.
>
> Sent from Janet's iPad
>
> -Al-
>
> On May 19, 2017, at 9:14 AM, Outreach wrote:
>> Hi Ged,
>>
>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>
>> IPs: 142.54.244.[96-110]
>>
>> Domains:
>> mail.paypal.at
>> mail.paypal.be
>> mail.paypal.ch
>> mail.paypal.co.il
>> mail.paypal.co.uk
>> mail.paypal.de
>> mail.paypal.dk
>> mail.paypal.es
>> mail.paypal.fr
>> mail.paypal.it
>> mail.paypal.nl
>> mail.paypal.no
>> mail.paypal.pl
>> mail.paypal.se
>> mail.paypal.com
>>
>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAV.
>>
>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>
>>
>> Many thanks,
>>
>>
>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>
>>
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>> From: "G.W. Haywood"
>> To: clamav-users at lists.clamav.net
>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as phishing by ClamAV
>> Message-ID:
>> <alpine.DEB.2.11.1705181726340.4916 at mail6.jubileegroup.co.uk>
>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>
>> Hi there,
>>
>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>
>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAV.
>>
>> No surprise there.
>>
>>> We get this type of bounce errors:
>>> 554 Your email was rejected because it contains the
>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>
>> That's not a bounce, it's a reject.
>>
>>> Please make the necessary changes to your product ASAP.
>>
>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>
>> 8<----------------------------------------------------------------------
>> [lefttrianglebracket]
>> img height="1"
>> width="1"
>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>> border="0"
>> alt=""/
>> [righttrianglebracket]
>> 8<----------------------------------------------------------------------
>>
>> The mail did pass our SPF checks on receipt:
>>
>> 8<----------------------------------------------------------------------
>> Received-SPF: pass (mail5: domain of service at paypal.co.uk designates
>> 173.0.84.226 as permitted sender) receiver=mail5;
>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>> envelope-from=service at paypal.co.uk;
>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>> 8<----------------------------------------------------------------------
>>
>> but then it went in the bin.
>>
>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>
>> I don't suppose you'll actually read this.
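The tracking pixel Ged quotes above uses a hostname whose third label, 2O7, reads like an IP octet until you notice the letter O. As an added illustration (not ClamAV's own heuristic and not code from anyone on the thread), the check below extracts href/src hosts from an HTML fragment and reports those that only look like dotted IPv4 addresses once letter-for-digit lookalikes are substituted, which is the kind of triage a mail admin could run on a message before filing a false-positive report. The sample HTML is constructed here around the quoted URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Letters commonly mistaken for digits inside a hostname label.
CONFUSABLE = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1",
                            "S": "5", "s": "5", "B": "8"})

# Constructed sample: an ordinary PayPal link plus the pixel quoted by Ged.
SAMPLE_HTML = """
<a href="https://www.paypal.com/uk/signin">Log in</a>
<img height="1" width="1"
     src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
     border="0" alt=""/>
"""


class _LinkCollector(HTMLParser):
    """Collect every href/src attribute value from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <img .../> also arrive here.
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def looks_like_ip(host):
    """True when the host starts with three or more labels that read as
    IPv4 octets after lookalike substitution AND at least one of those
    labels contains a real letter. A genuine all-digit IP is not reported,
    since nothing in it is disguised."""
    numeric_prefix = []
    for label in host.split("."):
        if label and label.translate(CONFUSABLE).isdigit():
            numeric_prefix.append(label)
        else:
            break
    if len(numeric_prefix) < 3:
        return False
    return any(ch.isalpha() for ch in "".join(numeric_prefix))


def suspicious_hosts(html):
    """Return the hosts in href/src URLs that masquerade as IP addresses."""
    collector = _LinkCollector()
    collector.feed(html)
    hosts = (urlsplit(url).hostname for url in collector.urls)
    return [h for h in hosts if h and looks_like_ip(h)]
```

Note that `urlsplit(...).hostname` lower-cases the host, so the quoted 2O7 is reported as 2o7.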