Most of your links check out clean. The one that was found to be Possibly Unwanted was this one, apparently regarding Legal Agreements:
> <tr>
> <td align="left" style="font-family:Arial; font-size:13px; color:#666666;">We're changing our Legal Agreements. We wanted to check it's OK with you.<br><br> We're making some changes to our Legal Agreements; the documents that govern our relationship with you. We've put details of the changes on our <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">Policy Update web page</a> - you can also find the page at <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/5ac10d12-aef1-4111-b057-9f4d47f20daa">www.paypal.com</a>, by clicking 'Legal' at the bottom of the page, selecting "Other countries (in English)" from the drop-down menu and then selecting 'Policy Updates'.</td>
> </tr>

The text shown to the user is www.paypal.com but the actual URL being used is https://epl.paypal-communication.com.... If I were to receive this e-mail and wanted to access these new Legal Agreements I would hover over www.paypal.com, see that I was being directed elsewhere and almost certainly conclude that this was a phishing or spam message. I almost never click a link in an e-mail anyway and advise everybody I know not to do so, but instead use my browser to access a firm like PayPal directly, then check whatever it is the message wants me to know. I'm not sure what would cause PayPal to substitute a different URL in this case. Perhaps some sort of tracking mechanism? In any case, I find such behavior very suspicious.

I receive spam/phish mail daily that purports to be from a financial institution out to steal my credentials, credit card or bank account information and many of them pretend to be from PayPal. I'm sure I can purchase a domain of "palpal-message.com" to do just that if I wanted to. I don't even have any proof that you are a legitimate PayPal representative and may be here trying to prevent A-V software from blocking your phishing messages. At any rate, I would strongly recommend you use "https://www.paypal.com" for this link as the safest, most appropriate fix for you, PayPal and message recipients. If that's not acceptable, then work with Joel Esler <jes...@cisco.com> from Cisco and convince him that you have a legitimate need to have them whitelist paypal-communication.com.

-Al-

On Wed, May 31, 2017 at 03:51 AM, outre...@epsilon.com wrote:
>
> Hi Al,
>
> Thank you for your help with this, it's appreciated.
>
> Not being a ClamAv user myself, this doesn't make much sense to me though.
> Could someone please confirm what this issue is in clear terms?
>
> Thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Al Varnell
> Sent: 31 May 2017 11:38
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:
>
>> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
>> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
>> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>
> -Al-
>
> On Wed, May 31, 2017 at 02:05 AM, outre...@epsilon.com wrote:
>>
>> Hi Al,
>>
>> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking.
>> Here are two examples:
>>
>> <a style=3D"font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">
>> <a href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"_blank">
>>
>> This is an example of their images URL:
>> <img style=3D"display:block; border:none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/1111_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>
>>
>> Many thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Al Varnell
>> Sent: 31 May 2017 09:06
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>>
>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long-standing issue.
>>
>> But I am a bit surprised that they haven't commented.
>>
>> -Al-
>>
>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>>
>>> Hi,
>>>
>>> I did but never heard anything back unfortunately.
>>>
>>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>>
>>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>>
>>> Thanks,
>>>
>>> Anne-Sophie
>>>
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Al Varnell
>>> Sent: 31 May 2017 05:05
>>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>>> Cc: cla...@jubileegroup.co.uk; clamav-users@lists.clamav.net
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>>
>>> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>>>
>>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>>
>>> Sent from Janet's iPad
>>>
>>> -Al-
>>>
>>> On May 19, 2017, at 9:14 AM, Outreach wrote:
>>>> Hi Ged,
>>>>
>>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>>
>>>> IPs: 142.54.244.[96-110]
>>>>
>>>> Domains:
>>>> mail.paypal.at
>>>> mail.paypal.be
>>>> mail.paypal.ch
>>>> mail.paypal.co.il
>>>> mail.paypal.co.uk
>>>> mail.paypal.de
>>>> mail.paypal.dk
>>>> mail.paypal.es
>>>> mail.paypal.fr
>>>> mail.paypal.it
>>>> mail.paypal.nl
>>>> mail.paypal.no
>>>> mail.paypal.pl
>>>> mail.paypal.se
>>>> mail.paypal.com
>>>>
>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>>
>>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>>
>>>> Many thanks,
>>>>
>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>> T +44 2086143219 M +44 7469352383
>>>> Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK
>>>> epsilon.com
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>> From: "G.W. Haywood"
>>>> To: clamav-users@lists.clamav.net
>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as phishing by ClamAv
>>>> Message-ID: <alpine.deb.2.11.1705181726340.4...@mail6.jubileegroup.co.uk>
>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>>
>>>> Hi there,
>>>>
>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>>
>>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>>
>>>> No surprise there.
>>>>
>>>>> We get this type of bounce errors:
>>>>> 554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus
>>>>
>>>> That's not a bounce, it's a reject.
>>>>
>>>>> Please make the necessary changes to your product ASAP.
>>>>
>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>>
>>>> 8<----------------------------------------------------------------------
>>>> [lefttrianglebracket]
>>>> img height="1"
>>>> width="1"
>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>>> border="0"
>>>> alt=""/
>>>> [righttrianglebracket]
>>>> 8<----------------------------------------------------------------------
>>>>
>>>> The mail did pass our SPF checks on receipt:
>>>>
>>>> 8<----------------------------------------------------------------------
>>>> Received-SPF: pass (mail5: domain of serv...@paypal.co.uk designates 173.0.84.226 as permitted sender) receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com; envelope-from=serv...@paypal.co.uk; x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>> 8<----------------------------------------------------------------------
>>>>
>>>> but then it went in the bin.
>>>>
>>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>>
>>>> I don't suppose you'll actually read this.
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>> Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
> -Al-

-Al-

--
Al Varnell
Mountain View, CA
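The condition behind the Heuristics.Phishing.Email.SpoofedDomain hit in the clamscan --debug output above (anchor text that names one host, an href that points at another, and no whitelist entry pairing the two) reduced to a small Python check. This is an added example, not ClamAV's code and not from the thread; the SAMPLE body is constructed from the anchors quoted above with the tracking path replaced by a placeholder, and the `whitelist` argument is an assumed stand-in for the host pairs ClamAV consults in its .wdb whitelist.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that itself looks like a hostname or URL, e.g. "www.paypal.com".
HOST_RE = re.compile(r'^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?$', re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href', ''), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None

def displayed_host(label):
    """Hostname the recipient *sees* in the link text, or None for ordinary text."""
    m = HOST_RE.match(label)
    return m.group(1).lower() if m else None

def check_spoofed_domains(html, whitelist=()):
    """Return (real_host, displayed_host) pairs where the hostname shown to the
    reader differs from the href hostname and the pair is not whitelisted.
    `whitelist` (assumed stand-in for ClamAV .wdb entries) holds approved pairs."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, label in parser.links:
        shown = displayed_host(label)
        if shown is None:
            continue  # e.g. "Policy Update web page": no hostname shown, nothing to compare
        real = (urlparse(href).hostname or '').lower()
        if real != shown and (real, shown) not in whitelist:
            hits.append((real, shown))  # the SpoofedDomain condition
    return hits

# Constructed sample modelled on the thread's anchors (tracking path replaced by a placeholder).
SAMPLE = ('<a href="https://epl.paypal-communication.com/T/TRACKING-ID">Policy Update web page</a>'
          ' - you can also find the page at '
          '<a href="https://epl.paypal-communication.com/T/TRACKING-ID">www.paypal.com</a>'
          ' or <a href="https://www.paypal.com/legal">https://www.paypal.com/legal</a>')
```

Only the second anchor is reported: the first shows no hostname at all, and the third shows the same host its href resolves to.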