If I were to have gotten a suspicious message notice from epl.paypal-communication.com and gone through a whois, nslookup, whois (ip address), dig txt paypal-communication.com, dig mx paypal-communication.com, dig mx epl.paypal-communication.com routine I would have found a very suspicious pedigree and I would add the IP and domain name to my blacklist. And that is exactly what I did. Businesses that send email that is indistinguishable from spam/phishing/obfuscation/cloaking/tracking don't deserve space in my systems. And because I'll not remember long that I did all this forensic investigation and was dissatisfied with the results, I go with the least-effort option of blocking. It is your problem to fix. Be obvious or be blocked. There's too much at risk.

And including a link to a one-pixel (spacer1.gif) image, obviously a tracking beacon, in already suspect messages always looks more suspicious yet.

dp

On 6/1/17 1:19 AM, outre...@epsilon.com wrote:
Hi Reindl and Al,

Thank you for your feedback.

The domain https://epl.paypal-communication.com is used by Paypal for link 
tracking purposes in their emails. Their sending domains are for example: 
mail.paypal.com, mail.paypal.co.uk, mail.paypal.fr etc.

To clarify, I work for Epsilon which is a major Email Service Provider 
(www.epsilon.com) and Paypal use our platform to deploy their emails, hence me 
contacting you about this delivery issue.

I will pass back your feedback to Paypal so they can make a decision on whether 
or not they will want to make any changes to their emails moving forward.

Best regards,


Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
  T   +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, Teddington 
TW11 8QZ, UK  epsilon.com



-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Reindl Harald
Sent: 01 June 2017 07:24
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19



On 01.06.2017 at 03:04, Al Varnell wrote:
I made an attempt to determine whether epl.paypal-communication.com was a 
legitimate domain owned by PayPal with very mixed results.

No WhoIs service could identify it directly
and here I stop reading - let me guess: you entered 
"epl.paypal-communication.com" including the subdomain and/or used some obscure 
website doing whois requests


[harry@srv-rhsoft:~]$ whois paypal-communication.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many 
different competing registrars. Go to http://www.internic.net for detailed 
information.

     Domain Name: PAYPAL-COMMUNICATION.COM
     Registrar: MARKMONITOR INC.
     Sponsoring Registrar IANA ID: 292
     Whois Server: whois.markmonitor.com
     Referral URL: http://www.markmonitor.com
     Name Server: NS1.P57.DYNECT.NET
     Name Server: NS2.P57.DYNECT.NET
     Name Server: PDNS100.ULTRADNS.COM
     Name Server: PDNS100.ULTRADNS.NET
     Status: clientDeleteProhibited
https://icann.org/epp#clientDeleteProhibited
     Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
     Status: clientUpdateProhibited
https://icann.org/epp#clientUpdateProhibited
     Updated Date: 05-mar-2017
     Creation Date: 06-apr-2011
     Expiration Date: 06-apr-2018

  >>> Last update of whois database: Thu, 01 Jun 2017 06:20:04 GMT <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the 
registrar's sponsorship of the domain name registration in the registry is 
currently set to expire. This date does not necessarily reflect the expiration 
date of the domain name registrant's agreement with the sponsoring registrar.  
Users may consult the sponsoring registrar's Whois database to view the 
registrar's reported date of expiration for this registration.

Domain Name: paypal-communication.com
Registry Domain ID: 1649488607_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-03-05T02:14:48-0800
Creation Date: 2011-04-06T05:23:32-0700
Registrar Registration Expiration Date: 2018-04-06T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplai...@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited
(https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited
(https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited
(https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited
(https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited
(https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited
(https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: PayPal Inc.
Registrant Street: 2211 North First Street,
Registrant City: San Jose
Registrant State/Province: CA
Registrant Postal Code: 95131
Registrant Country: US
Registrant Phone: +1.8882211161
Registrant Phone Ext:
Registrant Fax: +1.4025375774
Registrant Fax Ext:
Registrant Email: hostmas...@paypal.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: PayPal Inc.
Admin Street: 2211 North First Street,
Admin City: San Jose
Admin State/Province: CA
Admin Postal Code: 95131
Admin Country: US
Admin Phone: +1.8882211161
Admin Phone Ext:
Admin Fax: +1.4025375774
Admin Fax Ext:
Admin Email: hostmas...@paypal.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: PayPal Inc.
Tech Street: 2211 North First Street,
Tech City: San Jose
Tech State/Province: CA
Tech Postal Code: 95131
Tech Country: US
Tech Phone: +1.8882211161
Tech Phone Ext:
Tech Fax: +1.4025375774
Tech Fax Ext:
Tech Email: hostmas...@paypal.com
Name Server: ns2.p57.dynect.net
Name Server: pdns100.ultradns.com.
Name Server: ns1.p57.dynect.net
Name Server: pdns100.ultradns.net.
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
  >>> Last update of WHOIS database: 2017-05-31T23:20:11-0700 <<<
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
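
The lookup discussed in this thread, as an added example that is not any poster's code: reduce the link host to its registered domain before querying WHOIS, then read the registrant and delegation fields from the reply. The function names, the `co.uk` suffix shortcut and the expected-organisation check are assumptions of the example; the sample text is an excerpt of the record quoted above.

```python
import re
from collections import defaultdict

# Excerpt of the registrar WHOIS record quoted in the thread, trimmed.
SAMPLE_WHOIS = """\
Domain Name: paypal-communication.com
Registrar: MarkMonitor, Inc.
Creation Date: 2011-04-06T05:23:32-0700
Domain Status: clientUpdateProhibited
(https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited
(https://www.icann.org/epp#clientTransferProhibited)
Registrant Organization: PayPal Inc.
Name Server: ns2.p57.dynect.net
Name Server: pdns100.ultradns.com.
DNSSEC: signedDelegation
"""

def registrable_domain(host, multi_label_suffixes=("co.uk",)):
    """Strip subdomains: WHOIS records exist for the registered name only.
    Assumption: a short suffix tuple stands in for the Public Suffix List."""
    host = host.lower().rstrip(".")
    keep = 2
    for suffix in multi_label_suffixes:
        if host.endswith("." + suffix):
            keep = suffix.count(".") + 2
    return ".".join(host.split(".")[-keep:])

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (status, name server) keep
    every value, and wrapped URL-only lines are skipped."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).lower()].append(m.group(2).strip())
    return dict(fields)

def assess(host, whois_text, expected_org):
    """Summarise the record for the host's registered domain."""
    domain, rec = registrable_domain(host), parse_whois(whois_text)
    first = lambda key: rec.get(key, [""])[0]
    return {
        "query": domain,
        "record_matches_query": first("domain name").lower() == domain,
        "org_matches": first("registrant organization").casefold() == expected_org.casefold(),
        "created": first("creation date")[:10],
        "name_servers": sorted(ns.rstrip(".").lower() for ns in rec.get("name server", [])),
        "dnssec": first("dnssec") or "unsigned",
    }

if __name__ == "__main__":
    print(assess("epl.paypal-communication.com", SAMPLE_WHOIS, "PayPal Inc."))
```

Registrant fields in WHOIS are supplied by the registrant, so a matching organisation is supporting evidence to weigh alongside the creation date, registrar and name servers rather than proof of ownership.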