Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long-standing issue. But I am a bit surprised that they haven't commented.

-Al-

On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>
> Hi,
>
> I did but never heard anything back unfortunately.
>
> We still had a lot of mail blocked on the 29/5 because of this issue.
>
> Is there any other way I can submit the samples than via the website? It
> looks like no-one is following up on this, which is very poor.
>
> Thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
> Of Al Varnell
> Sent: 31 May 2017 05:05
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: cla...@jubileegroup.co.uk; clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Did you ever submit those samples as I recommended? It's unlikely that any
> action will be taken until you do.
>
> Most of the people that participate on this list are users and can't do
> anything but give you advice.
>
> Sent from Janet's iPad
>
> -Al-
>
> On May 19, 2017, at 9:14 AM, Outreach wrote:
>> Hi Ged,
>>
>> I did read your message. Note that the header that you quote below is not
>> related to my request. I am contacting you regarding the following:
>>
>> IPs: 142.54.244.[96-110]
>>
>> Domains:
>> mail.paypal.at
>> mail.paypal.be
>> mail.paypal.ch
>> mail.paypal.co.il
>> mail.paypal.co.uk
>> mail.paypal.de
>> mail.paypal.dk
>> mail.paypal.es
>> mail.paypal.fr
>> mail.paypal.it
>> mail.paypal.nl
>> mail.paypal.no
>> mail.paypal.pl
>> mail.paypal.se
>> mail.paypal.com
>>
>> Call it "reject", "bounce" or "delivery error" - the bottom line is that
>> legitimate mail from our client (including financial communications from
>> account holders) is not being delivered and wrongly identified as a phish by
>> ClamAv.
>>
>> These emails are authenticated, they come from a well-respected organization
>> - hence there is no reason for them to be rejected with the message "554
>> Your email was rejected because it contains the
>> Heuristics.Phishing.Email.SpoofedDomain virus"
>>
>>
>> Many thanks,
>>
>>
>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington
>> TW11 8QZ, UK epsilon.com
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>> From: "G.W. Haywood"
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>> phishing by ClamAv
>> Message-ID:
>> <alpine.deb.2.11.1705181726340.4...@mail6.jubileegroup.co.uk>
>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>
>> Hi there,
>>
>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>
>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>
>> No surprise there.
>>
>>> We get this type of bounce errors:
>>> 554 Your email was rejected because it contains the
>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>
>> That's not a bounce, it's a reject.
>>
>>> Please make the necessary changes to your product ASAP.
>>
>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>
>> 8<----------------------------------------------------------------------
>> [lefttrianglebracket]
>> img height="1"
>> width="1"
>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>> border="0"
>> alt=""/
>> [righttrianglebracket]
>> 8<----------------------------------------------------------------------
>>
>> The mail did pass our SPF checks on receipt:
>>
>> 8<----------------------------------------------------------------------
>> Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates
>> 173.0.84.226 as permitted sender) receiver=mail5;
>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>> envelope-from=serv...@paypal.co.uk;
>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>> 8<----------------------------------------------------------------------
>>
>> but then it went in the bin.
>>
>> Admittedly this was quite a while ago; we've been rejecting all mail from
>> PayPal since 2013. All the same, you aren't helping anybody by doing things
>> like that.
>>
>> I don't suppose you'll actually read this.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml