It is also an issue when xyz email server out there gets an email passed through from my server running declude because outgoing email will, by default, have that URL in the header. I've had 2 complaints by clients so far today. Hopefully removing the URL in the X- note will work around the issue. Robert
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, May 21, 2007 2:03 PM To: [email protected] Subject: RE: [Declude.Virus] False Positive ClamAV Besides the "http://www.declude.com/x-note.htm"; Declude also adds txt of RBL's that were triggered on an email containing http:// to the best of my knowledge this is not restricted by the RFC's This is an issue with Clam incorrectly identifying phishing using this method. With Declude 4.x AVG is a built in commercial grade AV scanner I would suggest disabling Clam and using the built in scanner until Clam has resolved this. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen Mitchell Sent: Monday, May 21, 2007 1:55 PM To: [email protected] Subject: Re: [Declude.Virus] False Positive ClamAV Interesting http://forums.clamwin.com/viewtopic.php?t=1106&highlight=phishing I removed these lines from my global.cfg so at least I don't get flagged. #XINHEADER X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam. #XOUTHEADER X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam. Karen M. Mitchell Senior NewMedia Systems Administrator AccuWeather, Inc. 385 Science Park Road State College, PA 16803 814-235-8698 "Get the best weather on the web" - http://www.accuweather.com Robert Shubert wrote: > I saw on another list that a new CLAMAV (possibly windows only) is > flagging emails with http:// in the header with the RB-882 Phishing > Virus. There is a URL added by default to mail that goes through > declude. I'm testing it now, can any one back this up? Robert > > > > ------------------------------------------------------------------------ > > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of > *Darrell ([EMAIL PROTECTED]) > *Sent:* Monday, May 21, 2007 11:15 AM > *To:* [email protected] > *Subject:* Re: [Declude.Virus] False Positive ClamAV > > > > Are you sure CLAMAV is hitting on this or is this a hit from the SANE > phish database being used with CLAM? > > > > Darrell > > ------------------------------------------------------------------------ > Check out http://www.invariantsystems.com for utilities for Declude And > Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, > MRTG Integration, and Log Parsers. > > ----- Original Message ----- > > *From:* Bonno Bloksma <mailto:[EMAIL PROTECTED]> > > *To:* [email protected] <mailto:[email protected]> > > *Sent:* Monday, May 21, 2007 7:09 AM > > *Subject:* [Declude.Virus] False Positive ClamAV > > > > Hi, > > > > Some of our mail is getting caught bij ClamAV. I've had two reports > on two completely unrelated mails. > > > > Body of message generated response: > 554 5.7.1 virus Email.Phishing.RB-882 detected by ClamAV - > http://www.clamav.net > > > > I submitted a virus http://cgi.clamav.net/sendvirus.cgi tagging it > as a false positive report. When I hit Submit I get an error stating > this virus is already known and I should fix something in the > submission. :-( > > > > Can anyone tell me: > > 1) Whether this is normail behaviour for that page? > > 2) Where I can report this bug in the webpage? It's not a bug in the > program so// I //don't think the Bugzilla page is the right place. > If I need to report it via a mailing list, which one? > > 3) How I can check whether my report was received? > > > > Met vriendelijke groet, > Bonno Bloksma > hoofd systeembeheer > > > > tio hogeschool hotelmanagement en toerisme > > begijnenhof 8-12 / 5611 el eindhoven > t 040 296 28 28 / f 040 237 35 20 > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> / www.tio.nl > <http://www.tio.nl> > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus". The archives can be found > at http://www.mail-archive.com. -- Insanity: doing the same thing over and over again and expecting different results. Albert Einstein, (attributed) US (German-born) physicist (1879 - 1955) Karen M. Mitchell Senior NewMedia Systems Administrator AccuWeather, Inc. 385 Science Park Road State College, PA 16803 814-235-8698 "Get the best weather on the web" - http://www.accuweather.com --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
