I made an attempt to determine whether epl.paypal-communication.com was a 
legitimate domain owned by PayPal with very mixed results.

No WhoIs service could identify it directly, but ARIN was able to determine 
that the IP address 159.127.187.100 belongs to Epsilon Data Management LLC 
(PSI1), which does not match owner of paypal.com (PayPal, Inc.),

A lengthy discussion on the PayPal site back in February 
<https://www.paypal-community.com/t5/Access-and-security/epl-paypal-communication-com/td-p/1164823>
isn't much help with reports from PayPal security that it isn't a legitimate 
PayPal message but evidence that the https certificates were issues by the same 
entity.

So at this point I see no reason for ClamAV to do anything about the matter.

-Al-

On Wed, May 31, 2017 at 03:02 PM, Al Varnell wrote:
> 
> Most of your links check out clean. The one that was found to be Possibly 
> Unwanted was this one, apparently regarding Legal Agreements:
> 
>> <tr>
>> <td align="left" style="font-family:Arial; font-size:13px; 
>> color:#666666;">We're changing our Legal Agreements. We wanted to check 
>> it&#8217;s OK with you.<br><br> We're making some changes to our Legal 
>> Agreements; the documents that govern our relationship with you. We've put 
>> details of the changes on our <a style="font-family:Arial; font-size:13px; 
>> color:#009cde; text-decoration:none; font-weight:bold;" 
>> href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa";>Policy
>>  Update web page</a> - you can also find the page at  <a 
>> style="font-family:Arial; font-size:13px; color:#009cde; 
>> text-decoration:none; font-weight:bold;" 
>> href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/5ac10d12-aef1-4111-b057-9f4d47f20daa";>www.paypal.com</a>,
>>  by clicking 'Legal&#8217; at the bottom of the page, selecting "Other 
>> countries (in English)" from the drop-down menu and then selecting 'Policy 
>> Updates&#8217;.</td>
>> </tr>
> 
> 
> The text shown to the user is www.paypal.com but the actual URL being used is 
> https://epl.paypal-communication.com....
> 
> If I was to receive this e-mail and wanted to access these new Legal 
> Agreements I would hover over www.paypal.com, see that I was being directed 
> elsewhere and almost certainly conclude that this was a phishing or spam 
> message. I almost never click a link in an e-mail anyway and advise everybody 
> I know not to do so, but instead use my browser to access a firm like PayPal 
> directly, then check whatever it is the message wants me to know.
> 
> I'm not sure what would cause PayPal to substitute a different URL in this 
> case. Perhaps some sort of tracking mechanism? In any case, I find such 
> behavior very suspicious. I receive spam/phish mail daily that purports to be 
> from a financial institution out to steal my credentials, credit care or bank 
> account information and many of them pretend to be from PayPal. I'm sure I 
> can purchase a domain of "palpal-message.com" to do just that if I wanted to. 
> I don't even have any proof that you are a legitimate PayPal representative 
> and may be here trying to prevent A-V software from blocking your phishing 
> messages. 
> 
> At any rate, I would strongly recommend you use "https://www.paypal.com"; for 
> this link as the safest, most appropriate fix for you, PayPal and message 
> recipients.  If that's not acceptable, then work with Joel Esler 
> <jes...@cisco.com> from Cisco and convince him that you have a legitimate 
> need to have them whitelist palpal-communication.com.
> 
> -Al-
> 
> On Wed, May 31, 2017 at 03:51 AM, outre...@epsilon.com wrote:
>> 
>> Hi Al,
>> 
>> Thank you for your help with this, it's appreciated.
>> 
>> Not being a ClamAv user myself, this doesn't make much sense to me tough.  
>> Could someone please confirm what this issue is in clear terms?
>> 
>> Thanks,
>> 
>> Anne-Sophie
>> 
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
>> Of Al Varnell
>> Sent: 31 May 2017 11:38
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>> 
>> OK, I managed to clean it up enough and added a fake header so I could run 
>> clamscan --debug and it confirmed my suspicions:
>> 
>>> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
>>> LibClamAV debug: Phishing: looking up in whitelist: 
>>> .epl.paypal-communication.com:.www.paypal.com; host-only:1 LibClamAV 
>>> debug: Looking up in regex_list: 
>>> epl.paypal-communication.com:www.paypal.com/
>>> LibClamAV debug: Lookup result: not in regex list LibClamAV debug: 
>>> Phishcheck: Phishing scan result: URLs are way too different LibClamAV 
>>> debug: found Possibly Unwanted: 
>>> Heuristics.Phishing.Email.SpoofedDomain
>> 
>> -Al-
>> 
>> On Wed, May 31, 2017 at 02:05 AM, outre...@epsilon.com wrote:
>>> 
>>> Hi Al,
>>> 
>>> Could you please confirm exactly what is the issue you see with the links? 
>>> As far as I can see, they use standard link tracking. Here are two examples:
>>> 
>>> <a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde; 
>>> text-decoration:none; font-weight:bold;" 
>>> href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b
>>> 8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b0
>>> 57-9f4d47f20daa"> <a href=3D= 
>>> "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4
>>> bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d
>>> 47f20daa" = target=3D"_blank">
>>> 
>>> This is an example of their images URL:
>>> <img style=3D"display:block; border= :none;" 
>>> src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/11
>>> 11_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>
>>> 
>>> Many thanks,
>>> 
>>> Anne-Sophie
>>> 
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On 
>>> Behalf Of Al Varnell
>>> Sent: 31 May 2017 09:06
>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>> 
>>> Perhaps they feel the burden is on PayPal to remove the obfuscation being 
>>> used in their links.
>>> 
>>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV 
>>> directly to resolve this long standing issue.
>>> 
>>> But I am a bit surprised that they haven't commented.
>>> 
>>> -Al-
>>> 
>>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I did but never heard anything back unfortunately.
>>>> 
>>>> We still had a lot of mail blocked on the 29/5 because of this issue. 
>>>> 
>>>> Is there any other way I can submit the samples than via the website? It 
>>>> looks like no-one is following up on this, which is very poor.
>>>> 
>>>> Thanks,
>>>> 
>>>> Anne-Sophie
>>>> 
>>>> -----Original Message-----
>>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On 
>>>> Behalf Of Al Varnell
>>>> Sent: 31 May 2017 05:05
>>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>>> Cc: cla...@jubileegroup.co.uk; clamav-users@lists.clamav.net
>>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>>> 
>>>> Did I you ever submit those samples as I recommended. It's unlikely that 
>>>> any action will be taken until you do.
>>>> 
>>>> Most of the people that participate on this list are users and can't do 
>>>> anything but give you advice.
>>>> 
>>>> Sent from Janet's iPad
>>>> 
>>>> -Al-
>>>> 
>>>> On May 19, 2017, at 9:14 AM, "Outreach wrote:
>>>>> Hi Ged,
>>>>> 
>>>>> I did read your message. Note that the header that you quote below is not 
>>>>> related to my request. I am contacting you regarding the following:
>>>>> 
>>>>> IPs: 142.54.244.[96-110]
>>>>> 
>>>>> Domains: 
>>>>> mail.paypal.at
>>>>> mail.paypal.be
>>>>> mail.paypal.ch
>>>>> mail.paypal.co.il
>>>>> mail.paypal.co.uk
>>>>> mail.paypal.de
>>>>> mail.paypal.dk
>>>>> mail.paypal.es
>>>>> mail.paypal.fr
>>>>> mail.paypal.it
>>>>> mail.paypal.nl
>>>>> mail.paypal.no
>>>>> mail.paypal.pl
>>>>> mail.paypal.se               
>>>>> mail.paypal.com
>>>>> 
>>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that 
>>>>> legitimate mail from our client (including financial communications from 
>>>>> account holders) is not being delivered and wrongly identified as a phish 
>>>>> by ClamAv. 
>>>>> 
>>>>> These emails are authenticated, they come from a well-respected 
>>>>> organization - hence there is no reason for them to be rejected with the 
>>>>> message "554 Your email was rejected because it contains the 
>>>>> Heuristics.Phishing.Email.SpoofedDomain virus"
>>>>> 
>>>>> 
>>>>> Many thanks,
>>>>> 
>>>>> 
>>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>>> T   +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, 
>>>>> Teddington TW11 8QZ, UK  epsilon.com
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --------------------------------------------------------------------
>>>>> -
>>>>> -
>>>>> 
>>>>> Message: 1
>>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>>> From: "G.W. Haywood"
>>>>> To: clamav-users@lists.clamav.net
>>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>>> phishing    by ClamAv
>>>>> Message-ID:
>>>>> <alpine.deb.2.11.1705181726340.4...@mail6.jubileegroup.co.uk>
>>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>>> 
>>>>> Hi there,
>>>>> 
>>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>>> 
>>>>>> Mail from our client Paypal is being wrongly flagged as phishing by 
>>>>>> ClamAv.
>>>>> 
>>>>> No surprise there.
>>>>> 
>>>>>> We get this type of bounce erros:
>>>>>> 554 Your email was rejected because it contains the 
>>>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>>> 
>>>>> That's not a bounce, it's a reject.
>>>>> 
>>>>>> Please make the necessary changes to your product ASAP.
>>>>> 
>>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>>> 
>>>>> 8<------------------------------------------------------------------
>>>>> -
>>>>> -
>>>>> --
>>>>> [lefttrianglebracket]
>>>>> img height="1"
>>>>> width="1"
>>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814";
>>>>> border="0"
>>>>> alt=""/
>>>>> [righttrianglebracket]
>>>>> 8<------------------------------------------------------------------
>>>>> -
>>>>> -
>>>>> --
>>>>> 
>>>>> The mail did pass our SPF checks on receipt:
>>>>> 
>>>>> 8<------------------------------------------------------------------
>>>>> -
>>>>> -
>>>>> --
>>>>> Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates
>>>>> 173.0.84.226 as permitted sender) receiver=mail5; 
>>>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com; 
>>>>> envelope-from=serv...@paypal.co.uk;
>>>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>>> 8<------------------------------------------------------------------
>>>>> -
>>>>> -
>>>>> --
>>>>> 
>>>>> but then it went in the bin.
>>>>> 
>>>>> Admittedly this was quite a while ago; we've been rejecting all mail from 
>>>>> PayPal since 2013.  All the same, you aren't helping anybody by doing 
>>>>> things like that.
>>>>> 
>>>>> I don't suppose you'll actually read this.
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>> 
>>> 
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> 
>>> http://www.clamav.net/contact.html#ml
>> 
>> -Al-
> 
> -Al-

-Al-
-- 
Al Varnell
Mountain View, CA





Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Reply via email to