So is it us that needs to adjust our software for something that PayPal is 
doing? Or should PayPal adjust what they are doing?

--
Sent from my iPhone

> On May 31, 2017, at 06:38, Al Varnell <alvarn...@mac.com> wrote:
> 
> OK, I managed to clean it up enough and added a fake header so I could run 
> clamscan --debug and it confirmed my suspicions:
> 
>> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
>> LibClamAV debug: Phishing: looking up in whitelist: 
>> .epl.paypal-communication.com:.www.paypal.com; host-only:1
>> LibClamAV debug: Looking up in regex_list: 
>> epl.paypal-communication.com:www.paypal.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted: 
>> Heuristics.Phishing.Email.SpoofedDomain
> 
> -Al-
> 
>> On Wed, May 31, 2017 at 02:05 AM, outre...@epsilon.com wrote:
>> 
>> Hi Al,
>> 
>> Could you please confirm exactly what is the issue you see with the links? 
>> As far as I can see, they use standard link tracking. Here are two examples:
>> 
>> <a style="font-family:Arial; font-size:13px; color:#009cde; 
>> text-decoration:none; font-weight:bold;" 
>> href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">
>> <a href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa"
>> target="_blank">
>> 
>> This is an example of their images URL:
>> <img style="display:block; border:none;" 
>> src="https://www.paypalobjects.com/digitalassets/c/EMEA/email/1111_cta_blue_left.jpg"
>> width="5" height="40" alt=""/>
>> 
>> Many thanks,
>> 
>> Anne-Sophie
>> 
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
>> Of Al Varnell
>> Sent: 31 May 2017 09:06
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>> 
>> Perhaps they feel the burden is on PayPal to remove the obfuscation being 
>> used in their links.
>> 
>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV 
>> directly to resolve this long standing issue.
>> 
>> But I am a bit surprised that they haven't commented.
>> 
>> -Al-
>> 
>>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>> 
>>> Hi,
>>> 
>>> I did but never heard anything back unfortunately.
>>> 
>>> We still had a lot of mail blocked on the 29/5 because of this issue. 
>>> 
>>> Is there any other way I can submit the samples than via the website? It 
>>> looks like no-one is following up on this, which is very poor.
>>> 
>>> Thanks,
>>> 
>>> Anne-Sophie
>>> 
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On 
>>> Behalf Of Al Varnell
>>> Sent: 31 May 2017 05:05
>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>> Cc: cla...@jubileegroup.co.uk; clamav-users@lists.clamav.net
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>> 
>>> Did you ever submit those samples as I recommended? It's unlikely that 
>>> any action will be taken until you do.
>>> 
>>> Most of the people that participate on this list are users and can't do 
>>> anything but give you advice.
>>> 
>>> Sent from Janet's iPad
>>> 
>>> -Al-
>>> 
>>>> On May 19, 2017, at 9:14 AM, Outreach wrote:
>>>> Hi Ged,
>>>> 
>>>> I did read your message. Note that the header that you quote below is not 
>>>> related to my request. I am contacting you regarding the following:
>>>> 
>>>> IPs: 142.54.244.[96-110]
>>>> 
>>>> Domains: 
>>>> mail.paypal.at
>>>> mail.paypal.be
>>>> mail.paypal.ch
>>>> mail.paypal.co.il
>>>> mail.paypal.co.uk
>>>> mail.paypal.de
>>>> mail.paypal.dk
>>>> mail.paypal.es
>>>> mail.paypal.fr
>>>> mail.paypal.it
>>>> mail.paypal.nl
>>>> mail.paypal.no
>>>> mail.paypal.pl
>>>> mail.paypal.se
>>>> mail.paypal.com
>>>> 
>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that 
>>>> legitimate mail from our client (including financial communications from 
>>>> account holders) is not being delivered and wrongly identified as a phish 
>>>> by ClamAv. 
>>>> 
>>>> These emails are authenticated, they come from a well-respected 
>>>> organization - hence there is no reason for them to be rejected with the 
>>>> message "554 Your email was rejected because it contains the 
>>>> Heuristics.Phishing.Email.SpoofedDomain virus"
>>>> 
>>>> 
>>>> Many thanks,
>>>> 
>>>> 
>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>> T   +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, 
>>>> Teddington TW11 8QZ, UK  epsilon.com
>>>> 
>>>> 
>>>> 
>>>> 
>>>> ----------------------------------------------------------------------
>>>> 
>>>> Message: 1
>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>> From: "G.W. Haywood"
>>>> To: clamav-users@lists.clamav.net
>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>> phishing    by ClamAv
>>>> Message-ID:
>>>> <alpine.deb.2.11.1705181726340.4...@mail6.jubileegroup.co.uk>
>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>> 
>>>> Hi there,
>>>> 
>>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>>> 
>>>>> Mail from our client Paypal is being wrongly flagged as phishing by 
>>>>> ClamAv.
>>>> 
>>>> No surprise there.
>>>> 
>>>>> We get this type of bounce errors:
>>>>> 554 Your email was rejected because it contains the 
>>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>> 
>>>> That's not a bounce, it's a reject.
>>>> 
>>>>> Please make the necessary changes to your product ASAP.
>>>> 
>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>> 
>>>> 8<---------------------------------------------------------------------
>>>> [lefttrianglebracket]
>>>> img height="1"
>>>> width="1"
>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814";
>>>> border="0"
>>>> alt=""/
>>>> [righttrianglebracket]
>>>> 8<---------------------------------------------------------------------
>>>> 
>>>> The mail did pass our SPF checks on receipt:
>>>> 
>>>> 8<---------------------------------------------------------------------
>>>> Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates
>>>> 173.0.84.226 as permitted sender) receiver=mail5; 
>>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com; 
>>>> envelope-from=serv...@paypal.co.uk;
>>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>> 8<---------------------------------------------------------------------
>>>> 
>>>> but then it went in the bin.
>>>> 
>>>> Admittedly this was quite a while ago; we've been rejecting all mail from 
>>>> PayPal since 2013.  All the same, you aren't helping anybody by doing 
>>>> things like that.
>>>> 
>>>> I don't suppose you'll actually read this.
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 
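As an added example that is not part of the thread and not ClamAV's own code: a simplified model of what Al's `clamscan --debug` output shows. ClamAV's URL phishing check compares the hostname an `<a href>` really points at with the hostname the link displays (the anchor text, when it looks like a URL or host), and raises Heuristics.Phishing.Email.SpoofedDomain when they differ and no whitelist entry pairs them. The script parses anchors out of a constructed HTML snippet shaped like the PayPal links quoted above (tracking host in the href, www.paypal.com as the visible text), and honours a constructed local whitelist written in ClamAV's documented `.wdb` line formats: `X:RealURL:DisplayedURL` (a regex matched against the scheme-less `real:displayed` string the debug log prints, with an optional trailing functionality-level field such as `:17-`) and `M:RealHostname:DisplayedHostname` (an exact host pair, the `host-only` lookup in the log). Assumptions: Python's `re` stands in for ClamAV's regex engine, and a whole-hostname comparison stands in for ClamAV's finer URL-distance logic ("URLs are way too different"); the sample HTML and whitelist text are constructed, as are all function names.

```python
"""Simplified model of ClamAV's Heuristics.Phishing.Email.SpoofedDomain check.

Added illustration, not ClamAV source.  Real href host vs. displayed host,
with a local whitelist in .wdb line format (X: regex pair, M: host pair).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SPOOFED = "Heuristics.Phishing.Email.SpoofedDomain"

# Constructed sample: a tracking link whose visible text is www.paypal.com,
# a link with plain-word text (nothing to compare), and a self-consistent link.
SAMPLE_HTML = """
<p><a href="https://epl.paypal-communication.com/T/v2000001/abc/def">www.paypal.com</a></p>
<p><a href="https://epl.paypal-communication.com/T/v2000001/abc/ghi">Log in to your account</a></p>
<p><a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a></p>
"""

# Constructed local whitelist, .wdb format: M:RealHostname:DisplayedHostname
SAMPLE_WDB = """
# lines starting with '#' are comments
M:epl.paypal-communication.com:www.paypal.com
"""

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_URLISH_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased hostname of a URL or bare host; None if the text is not URL-like."""
    s = url_or_text.strip()
    if not _URLISH_RE.match(s):
        return None
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname  # already lower-cased by urlsplit


def load_wdb(text):
    """Parse .wdb lines into ('M', real_host, shown_host) or ('X', regex, None)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, body = line.split(":", 1)
        body = re.sub(r":\d+(?:-\d*)?$", "", body)  # drop optional flevel field, e.g. ":17-"
        if kind == "M":
            real, shown = body.split(":")
            rules.append(("M", real.lower(), shown.lower()))
        elif kind == "X":
            rules.append(("X", re.compile(body, re.I), None))  # assumption: Python re ~ ClamAV regex
    return rules


def whitelisted(href, shown, rules):
    """True if some rule pairs this real URL with this displayed URL."""
    key = _SCHEME_RE.sub("", href.strip()) + ":" + _SCHEME_RE.sub("", shown.strip())
    hosts = (host_of(href), host_of(shown))
    for kind, a, b in rules:
        if kind == "M" and hosts == (a, b):
            return True
        if kind == "X" and a.fullmatch(key):
            return True
    return False


def check_anchor(href, text, rules):
    """Return SPOOFED when visible and real hosts differ and are not whitelisted, else None."""
    shown_host = host_of(text)
    if shown_host is None:  # visible text is not a URL/host: nothing to compare
        return None
    real_host = host_of(href)
    if real_host is None or real_host == shown_host:
        return None
    return None if whitelisted(href, text, rules) else SPOOFED


def scan_html(html, rules):
    """List of (href, visible text, verdict) for every anchor in the HTML."""
    parser = _Anchors()
    parser.feed(html)
    parser.close()
    return [(h, t, check_anchor(h, t, rules)) for h, t in parser.pairs]


if __name__ == "__main__":
    for label, rules in (("no whitelist", []), ("with local.wdb", load_wdb(SAMPLE_WDB))):
        print(label)
        for href, text, verdict in scan_html(SAMPLE_HTML, rules):
            print(f"  {text!r:35} -> {host_of(href)!s:32} {verdict or 'clean'}")
```

Run as-is, the first pass flags only the link whose text reads www.paypal.com but resolves to epl.paypal-communication.com, which is exactly the pair the debug log shows being looked up and rejected; the second pass passes it because the M: line pairs the two hosts. A site admin who wants those mails through can put such a line in a local `.wdb` file in the ClamAV database directory and restart clamd, which is narrower than setting `PhishingScanURLs no` in clamd.conf, which switches the URL heuristic off for every sender.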
