Well I certainly have run across several legit detections over the years along 
with many more FPs, and since it was confusing so many ClamXav users, it's 
been turned off by the developer for over a year now. SafeBrowsing has 
always been disabled (already in use by most all OS X browsers), so that's not 
an issue for ClamXav, either.

-Al-

On Wed, May 31, 2017 at 01:13 AM, Reindl Harald wrote:
> 
> Am 31.05.2017 um 10:05 schrieb Al Varnell:
>> Perhaps they feel the burden is on PayPal to remove the obfuscation being 
>> used in their links.
> 
> they don't have to feel anything - they have to fix false positives and if it 
> means remove heuristic phishing signatures completely when they are proven 
> over years to hit *only* legit mail - until today nobody was able to show me 
> a legit reject based on this
> 
>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV 
>> directly to resolve this long standing issue.
>> But I am a bit surprised that they haven't commented.
>> -Al-
>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>> 
>>> Hi,
>>> 
>>> I did but never heard anything back unfortunately.
>>> 
>>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>> 
>>> Is there any other way I can submit the samples than via the website? It 
>>> looks like no-one is following up on this, which is very poor.
>>> 
>>> Thanks,
>>> 
>>> Anne-Sophie
>>> 
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
>>> Of Al Varnell
>>> Sent: 31 May 2017 05:05
>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>> Cc: cla...@jubileegroup.co.uk; clamav-users@lists.clamav.net
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>> 
>>> Did you ever submit those samples as I recommended? It's unlikely that 
>>> any action will be taken until you do.
>>> 
>>> Most of the people that participate on this list are users and can't do 
>>> anything but give you advice.
>>> 
>>> Sent from Janet's iPad
>>> 
>>> -Al-
>>> 
>>> On May 19, 2017, at 9:14 AM, Outreach wrote:
>>>> Hi Ged,
>>>> 
>>>> I did read your message. Note that the header that you quote below is not 
>>>> related to my request. I am contacting you regarding the following:
>>>> 
>>>> IPs: 142.54.244.[96-110]
>>>> 
>>>> Domains:
>>>> mail.paypal.at
>>>> mail.paypal.be
>>>> mail.paypal.ch
>>>> mail.paypal.co.il
>>>> mail.paypal.co.uk
>>>> mail.paypal.de
>>>> mail.paypal.dk
>>>> mail.paypal.es
>>>> mail.paypal.fr
>>>> mail.paypal.it
>>>> mail.paypal.nl
>>>> mail.paypal.no
>>>> mail.paypal.pl
>>>> mail.paypal.se
>>>> mail.paypal.com
>>>> 
>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that 
>>>> legitimate mail from our client (including financial communications from 
>>>> account holders) is not being delivered and wrongly identified as a phish 
>>>> by ClamAv.
>>>> 
>>>> These emails are authenticated, they come from a well-respected 
>>>> organization - hence there is no reason for them to be rejected with the 
>>>> message "554 Your email was rejected because it contains the 
>>>> Heuristics.Phishing.Email.SpoofedDomain virus"
>>>> 
>>>> 
>>>> Many thanks,
>>>> 
>>>> 
>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>> T   +44 2086143219   M +44 7469352383   Epsilon, 67 Broad Street, 
>>>> Teddington TW11 8QZ, UK  epsilon.com
>>>> 
>>>> 
>>>> 
>>>> 
>>>> ----------------------------------------------------------------------
>>>> 
>>>> Message: 1
>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>> From: "G.W. Haywood"
>>>> To: clamav-users@lists.clamav.net
>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>>   phishing    by ClamAv
>>>> Message-ID:
>>>>   <alpine.deb.2.11.1705181726340.4...@mail6.jubileegroup.co.uk>
>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>> 
>>>> Hi there,
>>>> 
>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>> 
>>>>> Mail from our client Paypal is being wrongly flagged as phishing by 
>>>>> ClamAv.
>>>> 
>>>> No surprise there.
>>>> 
>>>>> We get this type of bounce errors:
>>>>> 554 Your email was rejected because it contains the
>>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>> 
>>>> That's not a bounce, it's a reject.
>>>> 
>>>>> Please make the necessary changes to your product ASAP.
>>>> 
>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>> 
>>>> 8<----------------------------------------------------------------------
>>>> [lefttrianglebracket]
>>>> img height="1"
>>>> width="1"
>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814";
>>>> border="0"
>>>> alt=""/
>>>> [righttrianglebracket]
>>>> 8<----------------------------------------------------------------------
>>>> 
>>>> The mail did pass our SPF checks on receipt:
>>>> 
>>>> 8<----------------------------------------------------------------------
>>>> Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates
>>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>>> envelope-from=serv...@paypal.co.uk;
>>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>> 8<----------------------------------------------------------------------
>>>> 
>>>> but then it went in the bin.
>>>> 
>>>> Admittedly this was quite a while ago; we've been rejecting all mail from 
>>>> PayPal since 2013.  All the same, you aren't helping anybody by doing 
>>>> things like that.
>>>> 
>>>> I don't suppose you'll actually read this
> 
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

-Al-
-- 
Al Varnell
Mountain View, CA
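An added illustration (not ClamAV's code, and not written by anyone in this thread) of the point the quoted messages turn on: a Received-SPF "pass" only says the sending host was authorised for the envelope domain, while a content heuristic such as the "spoofed domain" check looks at the links inside the body, so the two verdicts are independent and a fully authenticated mail can still be rejected on content. The script below parses a constructed sample message, reads the SPF result, flags anchors whose visible text names a different host than the href, and consults a safelist written in the M:RealHostname:DisplayedHostname line shape used by ClamAV .wdb whitelist files (assumption: check the exact accepted format against the signatures manual for your release). All hosts, addresses and the safelist entry are made up, and the matching rule is a simplified model of this class of check, not a reproduction of ClamAV's own heuristic.

```python
"""Toy displayed-vs-real link check with a ClamAV-style .wdb safelist.
Added example, not ClamAV code; every host and address below is constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: passes SPF, yet the first link's visible text names one
# host while the href points at another, the mismatch a "spoofed domain"
# style heuristic reacts to.  The 1x1 tracking image mirrors the shape of the
# pixel quoted in the thread but uses a made-up host.
SAMPLE_EML = b"""\
Received-SPF: pass (mx1: domain of service@example-bank.test designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: service@example-bank.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Log in at <a href="https://tracker.example-analytics.test/r?u=1">https://www.example-bank.test/login</a></p>
<img height="1" width="1" src="https://metrics.example-analytics.test/b/ss/1" border="0" alt="">
<p>Help: <a href="https://www.example-bank.test/help">www.example-bank.test/help</a></p>
<p><a href="https://www.example-bank.test/news">Read the newsletter</a></p>
</body></html>
"""

# Constructed safelist in the M:RealHostname:DisplayedHostname line shape of a
# ClamAV .wdb file (assumption: confirm the format for your ClamAV release).
SAFELIST = """\
# real host : host shown to the reader
M:tracker.example-analytics.test:www.example-bank.test
"""

_A_TAG = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_HOST_LIKE = re.compile(r'^[a-z0-9.-]+\.[a-z]{2,}$')


def host_of(text):
    """Hostname of a URL or of bare 'host/path' text; None if not host-like."""
    text = re.sub(r'<[^>]+>', '', text).strip()  # drop tags nested in <a>...</a>
    url = text if '://' in text else '//' + text
    host = urlparse(url).hostname
    return host if host and _HOST_LIKE.match(host) else None


def spf_result(msg):
    """First token of Received-SPF (e.g. 'pass'), or None if the header is absent."""
    hdr = msg.get('Received-SPF')
    return hdr.split()[0].lower() if hdr else None


def load_safelist(text):
    """Parse M: lines into a set of (real_host, displayed_host) pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        kind, real, shown = line.split(':', 2)
        if kind == 'M':
            pairs.add((real.lower(), shown.lower()))
    return pairs


def scan_message(eml_bytes, safelist_text=''):
    """Return the SPF result, every displayed/real host mismatch, and a verdict.
    SPF is reported but deliberately not used in the verdict: the content
    check is independent of sender authentication."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=('html',))
    html = body.get_content() if body else ''
    safelist = load_safelist(safelist_text)
    mismatches = []
    for href, shown in _A_TAG.findall(html):
        real_host, shown_host = host_of(href), host_of(shown)
        # Only host-like display text can "spoof" a destination; plain words cannot.
        if real_host and shown_host and real_host != shown_host:
            mismatches.append({
                'real': real_host,
                'displayed': shown_host,
                'safelisted': (real_host, shown_host) in safelist,
            })
    flagged = [m for m in mismatches if not m['safelisted']]
    return {
        'spf': spf_result(msg),
        'mismatches': mismatches,
        'verdict': 'spoofed-domain' if flagged else 'clean',
    }


if __name__ == '__main__':
    print(scan_message(SAMPLE_EML))            # SPF pass, yet flagged on content
    print(scan_message(SAMPLE_EML, SAFELIST))  # same mail, clean once safelisted
```

Run without the safelist the sample is flagged despite SPF pass; with the M: entry loaded the same mail comes back clean. In a real deployment such entries belong in a local .wdb file beside the official databases rather than in a script, and, as in this model, the SPF or DKIM result should stay out of the content decision so a safelist is the only way a known mismatch is accepted.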



