Re: [Declude.Virus] False Positive ClamAV
Are you sure CLAMAV is hitting on this or is this a hit from the SANE phish database being used with CLAM?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Bonno Bloksma
To: Declude.Virus@declude.com
Sent: Monday, May 21, 2007 7:09 AM
Subject: [Declude.Virus] False Positive ClamAV

Hi,

Some of our mail is getting caught by ClamAV. I've had two reports on two completely unrelated mails.

Body of message generated response:
554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - http://www.clamav.net

I submitted a virus http://cgi.clamav.net/sendvirus.cgi tagging it as a false positive report. When I hit Submit I get an error stating this virus is already known and I should fix something in the submission. :-(

Can anyone tell me:
1) Whether this is normal behaviour for that page?
2) Where I can report this bug in the webpage? It's not a bug in the program so I don't think the Bugzilla page is the right place. If I need to report it via a mailing list, which one?
3) How I can check whether my report was received?

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.

RE: [Declude.Virus] False Positive ClamAV
We're seeing the same bounce backs from other mail servers, same error 554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - http://www.clamav.net. Haven't heard back from any of the administrators of the other servers yet.

Funny thing is, users who send from Eudora, or from our HP-UX box are both getting caught by this rule. The emails have had PDF attachments, and others have had no attachment. Can't figure out what exactly is getting them marked as phishing mails.

RE: [Declude.Virus] False Positive ClamAV
I saw on another list that a new CLAMAV (possibly Windows only) is flagging emails with http:// in the header with the RB-882 Phishing Virus. There is a URL added by default to mail that goes through Declude. I'm testing it now, can anyone back this up?

Robert

Re: [Declude.Virus] False Positive ClamAV
Interesting

http://forums.clamwin.com/viewtopic.php?t=1106&highlight=phishing

I removed these lines from my global.cfg so at least I don't get flagged.

#XINHEADER X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.
#XOUTHEADER X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.

Karen M. Mitchell
Senior NewMedia Systems Administrator
AccuWeather, Inc.
385 Science Park Road
State College, PA 16803
814-235-8698
Get the best weather on the web - http://www.accuweather.com

RE: [Declude.Virus] False Positive ClamAV
Besides the http://www.declude.com/x-note.htm, Declude also adds text of RBLs that were triggered on an email containing http://; to the best of my knowledge this is not restricted by the RFCs. This is an issue with Clam incorrectly identifying phishing using this method.

With Declude 4.x, AVG is a built-in commercial-grade AV scanner. I would suggest disabling Clam and using the built-in scanner until Clam has resolved this.

David Barker
VP Operations | Declude
Your Email Security is our business
O: 978.499.2933 x7007
F: 978.988.1311
E: [EMAIL PROTECTED]
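
Added example (not written by any poster in this thread, and not Declude or ClamAV code): a Python helper for triaging the reports above. It pulls the signature name out of a rejection line like the one quoted in the thread, and lists every header field that carries a URL, which covers both the X-Declude-Note header Karen disabled and the RBL text David mentions. The sample message, the X-RBL-Warning value, the addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message. X-Declude-Note uses the text quoted in the thread
# ("4.x" stands in for %VERSION%); the folded X-RBL-Warning value is made up.
SAMPLE = (
    "From: sender@example.com\n"
    "To: rcpt@example.net\n"
    "Subject: Quarterly report\n"
    "X-Declude-Note: Scanned by Declude 4.x"
    " (http://www.declude.com/x-note.htm) for spam.\n"
    "X-RBL-Warning: EXAMPLEBL: listed,\n"
    "\tsee http://rbl.example.org/lookup?ip=192.0.2.10\n"
    "\n"
    "Report attached. Our site is http://www.example.com/\n"
)
BOUNCE = ("554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV"
          " - http://www.clamav.net")

REJECT_RE = re.compile(
    r"(?P<code>\d{3})[ -](?P<status>\d\.\d{1,3}\.\d{1,3})\s+virus\s+"
    r"(?P<signature>\S+)\s+detected by\s+(?P<engine>\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def parse_rejection(line):
    """Split an SMTP virus rejection into code, status, signature, engine."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def headers_with_urls(raw_message):
    """Return (header name, URL) pairs found in headers only, never the body."""
    msg = message_from_string(raw_message)
    hits = []
    for name, value in msg.items():
        # Unfold continuation lines so a URL on a folded line is still seen.
        unfolded = re.sub(r"\r?\n[ \t]+", " ", str(value))
        hits.extend((name, url) for url in URL_RE.findall(unfolded))
    return hits

if __name__ == "__main__":
    print(parse_rejection(BOUNCE))
    for name, url in headers_with_urls(SAMPLE):
        print(f"{name}: {url}")
```

Run against a copy of a rejected message, the header list shows which gateway-added fields to test with and without before changing the scanner configuration.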