[clamav-users] clamav-users Digest, Vol 150, Issue 19
Outreach at epsilon.com
Wed May 31 10:51:44 UTC 2017
Hi Al,
Thank you for your help with this, it's appreciated.
Not being a ClamAv user myself, this doesn't make much sense to me though. Could someone please confirm what this issue is in clear terms?
Thanks,
Anne-Sophie
-----Original Message-----
From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Al Varnell
Sent: 31 May 2017 11:38
To: ClamAV users ML <clamav-users at lists.clamav.net>
Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:
> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
-Al-
On Wed, May 31, 2017 at 02:05 AM, Outreach at epsilon.com wrote:
>
> Hi Al,
>
> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:
>
> <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">
> <a href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa" target="_blank">
>
> This is an example of their images URL:
> <img style="display:block; border:none;" src="https://www.paypalobjects.com/digitalassets/c/EMEA/email/1111_cta_blue_left.jpg" width="5" height="40" alt=""/>
>
> Many thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On
> Behalf Of Al Varnell
> Sent: 31 May 2017 09:06
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>
> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long-standing issue.
>
> But I am a bit surprised that they haven't commented.
>
> -Al-
>
> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>
>> Hi,
>>
>> I did but never heard anything back unfortunately.
>>
>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>
>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>
>> Thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On
>> Behalf Of Al Varnell
>> Sent: 31 May 2017 05:05
>> To: ClamAV users ML <clamav-users at lists.clamav.net>
>> Cc: clamav at jubileegroup.co.uk; clamav-users at lists.clamav.net
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>>
>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On May 19, 2017, at 9:14 AM, Outreach wrote:
>>> Hi Ged,
>>>
>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>
>>> IPs: 142.54.244.[96-110]
>>>
>>> Domains:
>>> mail.paypal.at
>>> mail.paypal.be
>>> mail.paypal.ch
>>> mail.paypal.co.il
>>> mail.paypal.co.uk
>>> mail.paypal.de
>>> mail.paypal.dk
>>> mail.paypal.es
>>> mail.paypal.fr
>>> mail.paypal.it
>>> mail.paypal.nl
>>> mail.paypal.no
>>> mail.paypal.pl
>>> mail.paypal.se
>>> mail.paypal.com
>>>
>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>
>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>
>>>
>>> Many thanks,
>>>
>>>
>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>> From: "G.W. Haywood"
>>> To: clamav-users at lists.clamav.net
>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>> phishing by ClamAv
>>> Message-ID:
>>> <alpine.DEB.2.11.1705181726340.4916 at mail6.jubileegroup.co.uk>
>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>
>>> Hi there,
>>>
>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>
>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>
>>> No surprise there.
>>>
>>>> We get this type of bounce errors:
>>>> 554 Your email was rejected because it contains the
>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>
>>> That's not a bounce, it's a reject.
>>>
>>>> Please make the necessary changes to your product ASAP.
>>>
>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>
>>> 8<----------------------------------------------------------------------
>>> [lefttrianglebracket]
>>> img height="1"
>>> width="1"
>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>> border="0"
>>> alt=""/
>>> [righttrianglebracket]
>>> 8<----------------------------------------------------------------------
>>>
>>> The mail did pass our SPF checks on receipt:
>>>
>>> 8<----------------------------------------------------------------------
>>> Received-SPF: pass (mail5: domain of service at paypal.co.uk designates
>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>> envelope-from=service at paypal.co.uk;
>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>> 8<----------------------------------------------------------------------
>>>
>>> but then it went in the bin.
>>>
>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>
>>> I don't suppose you'll actually read this.
-Al-
--
Al Varnell
Mountain View, CA
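What the clamscan --debug trace quoted earlier in this thread is reporting, shown as an added illustration (example code written for this page, not ClamAV's implementation, and a deliberate simplification of it): the SpoofedDomain heuristic only compares links whose visible text is itself a URL, and it fires when that displayed host differs from the href's host and the pair is not on the whitelist. The sample HTML and the whitelist entry below are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML modelled on the links quoted in the thread: the
# first link shows a paypal.com URL but its href is a tracking domain.
SAMPLE_HTML = """
<a href="https://epl.paypal-communication.com/T/v2000/abc">https://www.paypal.com/</a>
<a href="https://www.paypal.com/signin">www.paypal.com/signin</a>
<a href="https://www.paypalobjects.com/x.jpg">https://www.paypal.com/img</a>
<a href="https://www.paypalobjects.com/x.jpg">click here</a>
"""

# Simplified stand-in for ClamAV's host-only whitelist lookup (real host,
# displayed host).  Assumption: this entry is constructed, not a real
# ClamAV database line.
WHITELIST = {("www.paypalobjects.com", "www.paypal.com")}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)', re.I)


def host_of(url):
    """Lowercase host of a URL; a bare host/path gets a scheme prepended."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def check_anchor(href, text):
    """Classify one link: 'not-url', 'ok', 'whitelisted' or 'spoofed'."""
    text = text.strip()
    if not URL_LIKE_RE.match(text):
        return "not-url"          # plain words as link text: nothing to compare
    real, shown = host_of(href), host_of(text)
    if real == shown or real.endswith("." + shown):
        return "ok"               # href host is the displayed host (or below it)
    if (real, shown) in WHITELIST:
        return "whitelisted"      # known-good pair, e.g. a CDN for the brand
    return "spoofed"              # what Heuristics.Phishing.Email.SpoofedDomain flags


def scan(html):
    """Return (href, verdict) for every anchor in the HTML fragment."""
    return [(href, check_anchor(href, text)) for href, text in ANCHOR_RE.findall(html)]
```

Running scan(SAMPLE_HTML) gives the verdicts spoofed, ok, whitelisted and not-url for the four links in order; only the first would produce the reject seen in the thread.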