Hi there,

On Thu, 18 May 2017, Anne-Sophie Marsh wrote:

> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.

No surprise there.

> We get this type of bounce errors:
> 554 Your email was rejected because it contains the
> Heuristics.Phishing.Email.SpoofedDomain virus

That's not a bounce, it's a reject.

> Please make the necessary changes to your product ASAP.

Well... the last email I saw from PayPal had this in it, carefully hidden:

8<----------------------------------------------------------------------
[lefttrianglebracket]
img height="1"
width="1"
src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814";
border="0"
alt=""/
[righttrianglebracket]
8<----------------------------------------------------------------------

The mail did pass our SPF checks on receipt:

8<----------------------------------------------------------------------
Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates 
173.0.84.226 as permitted sender)
receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com; 
envelope-from=serv...@paypal.co.uk;
x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
8<----------------------------------------------------------------------

but then it went in the bin.

Admittedly this was quite a while ago; we've been rejecting all mail
from PayPal since 2013.  All the same, you aren't helping anybody by
doing things like that.

I don't suppose you'll actually read this.

--

73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
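
Added example, not part of the original message and not ClamAV's own heuristic: a small Python check for the pattern shown in the quoted PayPal mail, a 1x1 image whose host imitates a dotted-quad IP address without being one. The function names, the set of digit lookalike letters and the sample HTML are assumptions constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a label "imitates" an octet if it is 1-3 characters drawn from
# digits plus letters commonly misread as digits (O/o for 0, l/I for 1).
_DIGITISH = re.compile(r"^[0-9OolI]{1,3}$")

def looks_like_ipv4(host):
    """True if host is not a valid IPv4 literal but its leading labels mimic one."""
    try:
        ipaddress.IPv4Address(host)
        return False  # a genuine IP literal is a separate finding
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 4:
        return False
    lead = labels[:3]
    return all(_DIGITISH.match(l) and any(c.isdigit() for c in l) for l in lead)

class PixelFinder(HTMLParser):
    """Collects (host, lookalike) for every img declared as 0 or 1 pixel square."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        tiny = a.get("height") in ("0", "1") and a.get("width") in ("0", "1")
        if tiny:
            host = urlsplit(a.get("src") or "").hostname or ""
            self.findings.append((host, looks_like_ipv4(host)))

def scan(html):
    finder = PixelFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample body; the second img reuses the URL quoted in the message.
SAMPLE = """<p>Hello</p>
<img src="https://www.example.com/logo.png" height="40" width="120" alt="logo"/>
<img height="1" width="1" src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814" border="0" alt=""/>
<img height="1" width="1" src="https://track.example.com/o.gif"/>"""

if __name__ == "__main__":
    for host, lookalike in scan(SAMPLE):
        print(host, "IP lookalike" if lookalike else "tracking pixel")
```

`urlsplit` lowercases the host, so the lookalike is reported as `102.112.2o7.net`.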

