[clamav-users] clamav-users Digest, Vol 150, Issue 19
Reindl Harald
h.reindl at thelounge.net
Wed May 31 08:13:59 UTC 2017
On 31.05.2017 at 10:05, Al Varnell wrote:
> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
they don't have to feel anything - they have to fix false positives and
if it means remove heuristic phishing signatures completely when they are
proven over years to hit *only* legit mail - until today nobody was able
to show me a legit reject based on this
> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>
> But I am a bit surprised that they haven't commented.
>
> -Al-
>
> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>
>> Hi,
>>
>> I did but never heard anything back unfortunately.
>>
>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>
>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>
>> Thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Al Varnell
>> Sent: 31 May 2017 05:05
>> To: ClamAV users ML <clamav-users at lists.clamav.net>
>> Cc: clamav at jubileegroup.co.uk; clamav-users at lists.clamav.net
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>>
>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On May 19, 2017, at 9:14 AM, Outreach wrote:
>>> Hi Ged,
>>>
>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>
>>> IPs: 142.54.244.[96-110]
>>>
>>> Domains:
>>> mail.paypal.at
>>> mail.paypal.be
>>> mail.paypal.ch
>>> mail.paypal.co.il
>>> mail.paypal.co.uk
>>> mail.paypal.de
>>> mail.paypal.dk
>>> mail.paypal.es
>>> mail.paypal.fr
>>> mail.paypal.it
>>> mail.paypal.nl
>>> mail.paypal.no
>>> mail.paypal.pl
>>> mail.paypal.se
>>> mail.paypal.com
>>>
>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAV.
>>>
>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>
>>>
>>> Many thanks,
>>>
>>>
>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>> From: "G.W. Haywood"
>>> To: clamav-users at lists.clamav.net
>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>> phishing by ClamAv
>>> Message-ID:
>>> <alpine.DEB.2.11.1705181726340.4916 at mail6.jubileegroup.co.uk>
>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>
>>> Hi there,
>>>
>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>
>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAV.
>>>
>>> No surprise there.
>>>
>>>> We get this type of bounce errors:
>>>> 554 Your email was rejected because it contains the
>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>
>>> That's not a bounce, it's a reject.
>>>
>>>> Please make the necessary changes to your product ASAP.
>>>
>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>
>>> 8<----------------------------------------------------------------------
>>> [lefttrianglebracket]
>>> img height="1"
>>> width="1"
>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>> border="0"
>>> alt=""/
>>> [righttrianglebracket]
>>> 8<----------------------------------------------------------------------
>>>
>>> The mail did pass our SPF checks on receipt:
>>>
>>> 8<----------------------------------------------------------------------
>>> Received-SPF: pass (mail5: domain of service at paypal.co.uk designates
>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>> envelope-from=service at paypal.co.uk;
>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>> 8<----------------------------------------------------------------------
>>>
>>> but then it went in the bin.
>>>
>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>
>>> I don't suppose you'll actually read this
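As an added illustration (not code from this thread, from ClamAV or from PayPal), the script below makes explicit the distinction Ged's quoted message turns on: a Received-SPF "pass" only says the connecting server was authorised to send for the envelope-from domain, while a phishing heuristic looks at where the links and images inside the body point. It runs over a constructed message modelled on the quoted SPF header and the 1x1 tracking pixel, and lists every body host that falls outside the sender's registrable domain. The second-level-domain rule is a simplification (real code would consult the Public Suffix List), the recipient address is invented, and nothing here reproduces ClamAV's SpoofedDomain logic.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real PayPal mail). The Received-SPF
# header and the 1x1 tracking pixel mirror what is quoted in the thread.
SAMPLE_MAIL = """\
Received-SPF: pass (mail5: domain of service@paypal.co.uk designates 173.0.84.226 as permitted sender) receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com; envelope-from=service@paypal.co.uk;
From: PayPal <service@paypal.co.uk>
To: customer@example.invalid
Subject: Your receipt
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Thanks for your payment.
<a href="https://www.paypal.co.uk/myaccount">View your account</a></p>
<img height="1" width="1"
 src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
 border="0" alt=""/>
</body></html>
"""

# Simplified second-level rule (assumption); production code should use the
# Public Suffix List instead of this short hand-made set.
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable(host):
    """Reduce a hostname to the domain its owner registered (approximation)."""
    host = host.lower().rstrip(".")
    if IP_LITERAL.match(host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect the hosts of every <a href> and <img src> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            url = attrs.get("href")
        elif tag == "img":
            url = attrs.get("src")
        else:
            return
        host = urlparse(url).hostname if url else None
        if host:
            self.hosts.append(host)  # urlparse lowercases the hostname


def report(raw_message):
    """Summarise the SPF result, the envelope domain, and which body hosts lie outside it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    spf_header = msg.get("Received-SPF", "")
    spf = spf_header.split()[0].lower() if spf_header else None
    m = re.search(r"envelope-from=([^;\s]+)", spf_header)
    sender_domain = m.group(1).split("@")[-1].lower() if m else None

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())

    same, foreign = [], []
    for host in collector.hosts:
        if sender_domain and registrable(host) == registrable(sender_domain):
            same.append(host)
        else:
            foreign.append(host)
    return {"spf": spf, "sender_domain": sender_domain,
            "same_domain_hosts": same, "foreign_hosts": foreign}


if __name__ == "__main__":
    result = report(SAMPLE_MAIL)
    print(f"SPF: {result['spf']}  envelope domain: {result['sender_domain']}")
    for host in result["foreign_hosts"]:
        print(f"body references a host outside the sender's domain: {host}")
```

Running it prints the 2O7.net pixel as a host outside paypal.co.uk while SPF still reads "pass", which is exactly why the two checks disagree. An administrator deciding between rejecting and merely tagging such mail can use the same split to review the foreign hosts on their own terms instead of treating an SPF pass as proof that the body is clean.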