Hi Ged,

I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:

IPs: 142.54.244.[96-110]

Domains: mail.paypal.at mail.paypal.be mail.paypal.ch mail.paypal.co.il mail.paypal.co.uk mail.paypal.de mail.paypal.dk mail.paypal.es mail.paypal.fr mail.paypal.it mail.paypal.nl mail.paypal.no mail.paypal.pl mail.paypal.se mail.paypal.com

Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and is wrongly identified as a phish by ClamAv. These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus".

Many thanks,

Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
T +44 2086143219 M +44 7469352383
Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK
epsilon.com

----------------------------------------------------------------------

Message: 1
Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
From: "G.W. Haywood" <cla...@jubileegroup.co.uk>
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Mail from Paypal wrongly identified as phishing by ClamAv
Message-ID: <alpine.deb.2.11.1705181726340.4...@mail6.jubileegroup.co.uk>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

Hi there,

On Thu, 18 May 2017, Anne-Sophie Marsh wrote:

> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.

No surprise there.

> We get this type of bounce errors:
> 554 Your email was rejected because it contains the
> Heuristics.Phishing.Email.SpoofedDomain virus

That's not a bounce, it's a reject.

> Please make the necessary changes to your product ASAP.

Well... the last email I saw from PayPal had this in it, carefully hidden:

8<----------------------------------------------------------------------
[lefttrianglebracket] img height="1" width="1" src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814" border="0" alt=""/ [righttrianglebracket]
8<----------------------------------------------------------------------

The mail did pass our SPF checks on receipt:

8<----------------------------------------------------------------------
Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates 173.0.84.226 as permitted sender)
        receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
        envelope-from=serv...@paypal.co.uk;
        x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
8<----------------------------------------------------------------------

but then it went in the bin. Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.

I don't suppose you'll actually read this.

--
73,
Ged.