Dave - you are right! This appears to a matter of poor "labeling" by AVG - and has nothing to do with Declude.
I have since looked through a large sample of held emails and they either are well crafted short "Notices" about a supposed change in SMTP, POP settings - which even lists the person's email address, and a warning to "carefully" read the enclosed "instructions" before making changes. Then there is a link to a ZIP file (which likely will be a virus). The other group of emails deals with a supposed non-deliverable DHL package that one needs to pick up at the post office after printing the attached label (with the link to a zip file). All appears to be emails with links to malicious pages. In that respect, one can't argue that Declude Virus is the appropriate place to catch that (but then it's inconsistent for AVG to detect it with a label "Spam"). You are further correct, that AVG has done a good job catching this one. I ran it past ClamD and the latest McAfee hourly signature - and neither flagged those emails. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, May 12, 2010 12:20 PM To: email@example.com Subject: RE: [Declude.Virus] AVG reports "SPAM" as "VIRUS"! Looks like it is part of their virus signatures, and the only line in the email was: http://glunis.g**glegroups.com/web/setup.zip We could request that they change the name. if not we will have to make an translation in our code to accommodate this. File 45710617.eml received on 2010.05.12 16:16:29 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED http://www.virustotal.com/img/loader.gif Result: 1/41 (2.44%) --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.