>> The text shown to the user is www.paypal.com but the actual URL being used is https://epl.paypal-communication.com.... <<
Agreed - if any email displays a DIFFERENT domain name to the user than the domain name used in the link, then this IS solid reason to unconditionally block an email. It is a technique used thousands of times daily by phishing emails to trick users into believing they are visiting the legitimate bank site or email provider, and entering their logon data into a form that in reality is hosted on that other (=hidden) domain.

If PayPal expects their emails to be delivered, then the CONTENT of their emails must not use phishing techniques. With or without ClamAV, those emails would end up being quarantined on our system.

Remember: If we allow our end-users to become accustomed to trust a mismatching link just because they THINK this email really IS from PayPal - then it's only a question of time before a hacker will send a fake PayPal email using that exact SAME link style and NOT raise suspicion...

-----Original Message-----
From: Al Varnell [mailto:alvarn...@mac.com]
Sent: Wednesday, May 31, 2017 6:03 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

Most of your links check out clean. The one that was found to be Possibly Unwanted was this one, apparently regarding Legal Agreements:

> <tr>
> <td align="left" style="font-family:Arial; font-size:13px; color:#666666;">We're changing our Legal Agreements. We wanted to check it’s OK with you.<br><br>
> We're making some changes to our Legal Agreements; the documents that govern our relationship with you.
> We've put details of the changes on our
> <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">Policy Update web page</a>
> - you can also find the page at
> <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/5ac10d12-aef1-4111-b057-9f4d47f20daa">www.paypal.com</a>,
> by clicking 'Legal’ at the bottom of the page, selecting "Other countries (in English)" from the drop-down menu and then selecting 'Policy Updates’.</td>
> </tr>

The text shown to the user is www.paypal.com but the actual URL being used is https://epl.paypal-communication.com....

If I was to receive this e-mail and wanted to access these new Legal Agreements I would hover over www.paypal.com, see that I was being directed elsewhere and almost certainly conclude that this was a phishing or spam message.

I almost never click a link in an e-mail anyway and advise everybody I know not to do so, but instead use my browser to access a firm like PayPal directly, then check whatever it is the message wants me to know.