OK, I managed to clean it up enough and added a fake header so I could run 
clamscan --debug and it confirmed my suspicions:

> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
> LibClamAV debug: Phishing: looking up in whitelist: 
> .epl.paypal-communication.com:.www.paypal.com; host-only:1
> LibClamAV debug: Looking up in regex_list: 
> epl.paypal-communication.com:www.paypal.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: 
> Heuristics.Phishing.Email.SpoofedDomain

-Al-

On Wed, May 31, 2017 at 02:05 AM, outre...@epsilon.com wrote:
> 
> Hi Al,
> 
> Could you please confirm exactly what is the issue you see with the links? As 
> far as I can see, they use standard link tracking. Here are two examples:
> 
> <a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde; 
> text-decoration:none; font-weight:bold;" 
> href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa";>
> <a href=3D= 
> "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa";
>  = target=3D"_blank">
> 
> This is an example of their images URL:
> <img style=3D"display:block; border= :none;" 
> src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/1111_cta_blue_left=2Ejpg";
>  width=3D"5" height=3D"40" alt=3D""/>
> 
> Many thanks,
> 
> Anne-Sophie
> 
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
> Of Al Varnell
> Sent: 31 May 2017 09:06
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
> 
> Perhaps they feel the burden is on PayPal to remove the obfuscation being 
> used in their links.
> 
> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV 
> directly to resolve this long standing issue.
> 
> But I am a bit surprised that they haven't commented.
> 
> -Al-
> 
> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>> 
>> Hi,
>> 
>> I did but never heard anything back unfortunately.
>> 
>> We still had a lot of mail blocked on the 29/5 because of this issue. 
>> 
>> Is there any other way I can submit the samples than via the website? It 
>> looks like no-one is following up on this, which is very poor.
>> 
>> Thanks,
>> 
>> Anne-Sophie
>> 
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On 
>> Behalf Of Al Varnell
>> Sent: 31 May 2017 05:05
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Cc: cla...@jubileegroup.co.uk; clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>> 
>> Did you ever submit those samples as I recommended? It's unlikely that any 
>> action will be taken until you do.
>> 
>> Most of the people that participate on this list are users and can't do 
>> anything but give you advice.
>> 
>> Sent from Janet's iPad
>> 
>> -Al-
>> 
>> On May 19, 2017, at 9:14 AM, Outreach wrote:
>>> Hi Ged,
>>> 
>>> I did read your message. Note that the header that you quote below is not 
>>> related to my request. I am contacting you regarding the following:
>>> 
>>> IPs: 142.54.244.[96-110]
>>> 
>>> Domains: 
>>> mail.paypal.at
>>> mail.paypal.be
>>> mail.paypal.ch
>>> mail.paypal.co.il
>>> mail.paypal.co.uk
>>> mail.paypal.de
>>> mail.paypal.dk
>>> mail.paypal.es
>>> mail.paypal.fr
>>> mail.paypal.it
>>> mail.paypal.nl
>>> mail.paypal.no
>>> mail.paypal.pl
>>> mail.paypal.se               
>>> mail.paypal.com
>>> 
>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that 
>>> legitimate mail from our client (including financial communications from 
>>> account holders) is not being delivered and wrongly identified as a phish 
>>> by ClamAv. 
>>> 
>>> These emails are authenticated, they come from a well-respected 
>>> organization - hence there is no reason for them to be rejected with the 
>>> message "554 Your email was rejected because it contains the 
>>> Heuristics.Phishing.Email.SpoofedDomain virus"
>>> 
>>> 
>>> Many thanks,
>>> 
>>> 
>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>> T   +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, 
>>> Teddington TW11 8QZ, UK  epsilon.com
>>> 
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> 
>>> Message: 1
>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>> From: "G.W. Haywood"
>>> To: clamav-users@lists.clamav.net
>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>  phishing    by ClamAv
>>> Message-ID:
>>>  <alpine.deb.2.11.1705181726340.4...@mail6.jubileegroup.co.uk>
>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>> 
>>> Hi there,
>>> 
>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>> 
>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>> 
>>> No surprise there.
>>> 
>>>> We get this type of bounce error:
>>>> 554 Your email was rejected because it contains the 
>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>> 
>>> That's not a bounce, it's a reject.
>>> 
>>>> Please make the necessary changes to your product ASAP.
>>> 
>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>> 
>>> 8<----------------------------------------------------------------------
>>> [lefttrianglebracket]
>>> img height="1"
>>> width="1"
>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814";
>>> border="0"
>>> alt=""/
>>> [righttrianglebracket]
>>> 8<----------------------------------------------------------------------
>>> 
>>> The mail did pass our SPF checks on receipt:
>>> 
>>> 8<----------------------------------------------------------------------
>>> Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates
>>> 173.0.84.226 as permitted sender) receiver=mail5; 
>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com; 
>>> envelope-from=serv...@paypal.co.uk;
>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>> 8<----------------------------------------------------------------------
>>> 
>>> but then it went in the bin.
>>> 
>>> Admittedly this was quite a while ago; we've been rejecting all mail from 
>>> PayPal since 2013.  All the same, you aren't helping anybody by doing 
>>> things like that.
>>> 
>>> I don't suppose you'll actually read this.
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

-Al-
-- 
Al Varnell
Mountain View, CA




Attachment: smime.p7s
Description: S/MIME cryptographic signature
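For readers who want to see the decision behind Al's debug output without a clamd install, the following is an added illustration, written for this page and not ClamAV's own code nor anything posted by the participants. It models what the log records: the host of the href against the host shown in the link text, a whitelist lookup first, then a domain comparison that ends in Heuristics.Phishing.Email.SpoofedDomain when they are "way too different". Assumptions: the link text in the constructed sample is the one the debug line implies (www.paypal.com), the tracking path is made up, and the whitelist lines follow the `M:RealHostname:DisplayedHostname` shape of a ClamAV `.wdb` file but are treated here as whole-host regexes; ClamAV's real matching (leading-dot handling, subdomain tolerance, which entries are literal) is richer, so check the signatures manual before deploying an entry.

```python
"""Model of the host comparison behind Heuristics.Phishing.Email.SpoofedDomain.

Added illustration; this is not ClamAV's code.  It reproduces the decision
recorded in the clamscan --debug output above (whitelist lookup on the real
host and the displayed host, then a domain comparison) so the false positive
and a receiver-side .wdb fix can be exercised without a clamd install.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DETECTION = "Heuristics.Phishing.Email.SpoofedDomain"

# Constructed sample body (not the original PayPal mail): the first link shows
# www.paypal.com but points at the tracking host; the tracking path is made up.
SAMPLE_HTML = """\
<p>Please sign in at
<a href="https://epl.paypal-communication.com/T/v2/constructed-tracking-id">www.paypal.com</a>
or <a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>.</p>
<p><a href="https://epl.paypal-communication.com/T/v2/constructed-tracking-id">Click here</a></p>
"""

# Constructed whitelist in the M:RealHostname:DisplayedHostname shape of a .wdb
# file.  Patterns are treated as regexes matching the whole host (assumption;
# check the ClamAV signatures manual for the exact rules before relying on it).
WDB_SAMPLE = r"""
# local whitelist for the tracking redirector (constructed example)
M:epl\.paypal-communication\.com:www\.paypal\.com
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """Only link text that itself reads as a URL or hostname gets compared."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def host_of(url):
    """Lowercased hostname; bare hostnames taken from link text are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Crude 'same site' key: the last two labels.  Known limitation: every
    host under co.uk collapses into one site; a real check needs the PSL."""
    return ".".join(host.split(".")[-2:])


def parse_wdb(wdb_text):
    """[(real_host_re, displayed_host_re)] from M: lines; X: lines ignored."""
    entries = []
    for line in wdb_text.splitlines():
        line = line.strip()
        if line.startswith("M:"):
            _, real, displayed = line.split(":", 2)
            entries.append((re.compile(real, re.I), re.compile(displayed, re.I)))
    return entries


def check_links(html, wdb_text=""):
    """[(real_host, displayed_host, verdict)] per comparable link, in the
    order the debug log shows: whitelist lookup first, then the comparison."""
    parser = LinkCollector()
    parser.feed(html)
    whitelist = parse_wdb(wdb_text)
    results = []
    for href, text in parser.links:
        if not href or not looks_like_url(text):
            continue  # "Click here" style text is never compared
        real, shown = host_of(href), host_of(text)
        if any(r.fullmatch(real) and d.fullmatch(shown) for r, d in whitelist):
            verdict = "whitelisted"
        elif registrable_domain(real) == registrable_domain(shown):
            verdict = "clean"
        else:
            verdict = DETECTION  # the log's "URLs are way too different"
        results.append((real, shown, verdict))
    return results


if __name__ == "__main__":
    for label, wdb in (("no whitelist", ""), ("with .wdb", WDB_SAMPLE)):
        print(label)
        for real, shown, verdict in check_links(SAMPLE_HTML, wdb):
            print(f"  href host {real} vs shown {shown}: {verdict}")
```

Two things worth noticing. Nothing in the check looks at the envelope or at authentication results, which is why Ged's message could pass SPF and still be rejected: the heuristic is a body-content comparison only, and a DKIM or SPF pass does not feed into it. And the receiver-side remedy is local: a `.wdb` file dropped in the ClamAV database directory suppresses the verdict for that host pair, while the sender-side remedy is for the tracking link's visible text and href to agree. The last-two-labels comparison is deliberately crude; it would call mail.paypal.co.uk and an unrelated host under co.uk the same site, which is exactly the kind of edge case a production implementation handles with a public suffix list.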
