Besides the "http://www.declude.com/x-note.htm", Declude also adds txt of
RBLs that were triggered on an email containing http://. To the best of my
knowledge this is not restricted by the RFCs.

This is an issue with Clam incorrectly identifying phishing using this
method. With Declude 4.x, AVG is a built-in commercial-grade AV scanner. I
would suggest disabling Clam and using the built-in scanner until Clam has
resolved this.


David Barker
VP Operations  |  Declude
Your Email Security is our business
O: 978.499.2933  x7007
F: 978.988.1311       
E: [EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen
Mitchell
Sent: Monday, May 21, 2007 1:55 PM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] False Positive ClamAV


Interesting

http://forums.clamwin.com/viewtopic.php?t=1106&highlight=phishing

I removed these lines from my global.cfg so at least I don't get flagged.


#XINHEADER      X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.

#XOUTHEADER     X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.


Karen M. Mitchell
Senior NewMedia Systems Administrator
AccuWeather, Inc.
385 Science Park Road
State College, PA 16803
814-235-8698
"Get the best weather on the web"  -  http://www.accuweather.com




Robert Shubert wrote:
> I saw on another list that a new CLAMAV (possibly windows only) is 
> flagging emails with http:// in the header with the RB-882 Phishing 
> Virus. There is a URL added by default to mail that goes through 
> declude. I'm testing it now, can any one back this up? Robert
> 
>  
> 
> ------------------------------------------------------------------------
> 
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
> *Darrell ([EMAIL PROTECTED])
> *Sent:* Monday, May 21, 2007 11:15 AM
> *To:* declude.virus@declude.com
> *Subject:* Re: [Declude.Virus] False Positive ClamAV
> 
>  
> 
> Are you sure CLAMAV is hitting on this or is this a hit from the SANE 
> phish database being used with CLAM?
> 
>  
> 
> Darrell
> 
> ------------------------------------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And 
> Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, 
> MRTG Integration, and Log Parsers.
> 
>     ----- Original Message -----
> 
>     *From:* Bonno Bloksma <mailto:[EMAIL PROTECTED]>
> 
>     *To:* Declude.Virus@declude.com <mailto:Declude.Virus@declude.com>
> 
>     *Sent:* Monday, May 21, 2007 7:09 AM
> 
>     *Subject:* [Declude.Virus] False Positive ClamAV
> 
>      
> 
>     Hi,
> 
>      
> 
>     Some of our mail is getting caught by ClamAV. I've had two reports
>     on two completely unrelated mails.
> 
>      
> 
>     Body of message generated response:
>     554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV -
>     http://www.clamav.net
> 
>      
> 
>     I submitted a virus http://cgi.clamav.net/sendvirus.cgi tagging it
>     as a false positive report. When I hit Submit I get an error stating
>     this virus is already known and I should fix something in the
>     submission. :-(
> 
>      
> 
>     Can anyone tell me:
> 
>     1) Whether this is normal behaviour for that page?
> 
>     2) Where I can report this bug in the webpage? It's not a bug in the
>     program so I don't think the Bugzilla page is the right place.
>     If I need to report it via a mailing list, which one?
> 
>     3) How I can check whether my report was received?
> 
>      
> 
>     Kind regards,
>     Bonno Bloksma
>     head of systems administration
> 
>      
> 
>     tio hogeschool hotelmanagement en toerisme
> 
>     begijnenhof 8-12 / 5611 el eindhoven
>     t 040 296 28 28 / f 040 237 35 20
>     [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>  / www.tio.nl
>     <http://www.tio.nl>
> 
> 
>     ---
>     This E-mail came from the Declude.Virus mailing list. To
>     unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>     type "unsubscribe Declude.Virus". The archives can be found
>     at http://www.mail-archive.com.
> 
> 


-- 

     Insanity: doing the same thing over and over again and expecting 
different results.
         Albert Einstein, (attributed)
         US (German-born) physicist (1879 - 1955)


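An added example, not part of the thread or of Declude/ClamAV: one way to test whether a URL in a gateway-added header such as X-Declude-Note is what the scanner reacts to is to list which headers carry URLs, then rescan a copy of the message with only that header removed. The function names, the sample message and the CRLF line endings are assumptions made for this sketch.

```python
import re
from email import message_from_bytes
from email.policy import default

URL_RE = re.compile(r"https?://[^\s()<>\"']+", re.IGNORECASE)

# Constructed sample message (not taken from the thread).
SAMPLE = (
    b"Received: from mail.example.org by mx.example.net; Mon, 21 May 2007 07:09:00 -0400\r\n"
    b"From: sender@example.org\r\n"
    b"To: rcpt@example.net\r\n"
    b"Subject: Quarterly report\r\n"
    b"X-Declude-Note: Scanned by Declude 4.x\r\n"
    b" (http://www.declude.com/x-note.htm) for spam.\r\n"
    b"\r\n"
    b"See http://intranet.example.net/report for details.\r\n"
)

def url_locations(raw):
    """Return ({header name: [urls]}, [body urls]) for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    in_headers = {}
    for name, value in msg.items():
        urls = URL_RE.findall(str(value))  # str() yields the unfolded header value
        if urls:
            in_headers.setdefault(name, []).extend(urls)
    body = msg.get_body(preferencelist=("plain", "html"))
    in_body = URL_RE.findall(body.get_content()) if body else []
    return in_headers, in_body

def without_headers(raw, names):
    """Copy of the message with the named headers removed.

    Works on raw bytes so every other header and the body stay byte-identical,
    which keeps a before/after scan comparison fair. Assumes CRLF line endings.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    drop = {n.lower().encode() for n in names}
    kept, skipping = [], False
    for line in head.split(b"\r\n"):
        if line[:1] not in (b" ", b"\t"):  # a new header field starts here
            skipping = line.split(b":", 1)[0].strip().lower() in drop
        if not skipping:                   # folded continuation lines follow their field
            kept.append(line)
    return b"\r\n".join(kept) + sep + body

if __name__ == "__main__":
    print(url_locations(SAMPLE))
    print(without_headers(SAMPLE, ["X-Declude-Note"]).decode())
```

If the original file is flagged and the stripped copy is not, the added header is the trigger; if both are flagged, look at the body URLs or at the signature database in use.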