Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
I made an attempt to determine whether epl.paypal-communication.com was a legitimate domain owned by PayPal with very mixed results. No WhoIs service could identify it directly, but ARIN was able to determine that the IP address 159.127.187.100 belongs to Epsilon Data Management LLC (PSI1),

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
Most of your links check out clean. The one that was found to be Possibly Unwanted was this one, apparently regarding Legal Agreements: > > We're changing our Legal Agreements. We wanted to check > its OK with you. We're making some changes to our Legal > Agreements; the documents that govern

[clamav-users] More CPU usage

2017-05-31 Thread Enrico Bianchi
Hi, I have a strange problem. On a machine with 8 cores and 32 GB of RAM, running CentOS 6 with EPEL as the OS and ClamAV 0.99.2-2.el6, after the 26th of April I noticed an increase in CPU usage (from 260% to 530%). The only change that happened was the update of the databases via freshclam. None in log, or

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Reindl Harald
Am 31.05.2017 um 12:41 schrieb Joel Esler (jesler): So is it us that needs to adjust our software for something that PayPal is doing? Or should PayPal adjust what they are doing? you need to adjust when you pretend something is phishing while it's legit which can be verified by SPF/DKIM and

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread outre...@epsilon.com
Hi Al, Thank you for your help with this, it's appreciated. Not being a ClamAV user myself, this doesn't make much sense to me though. Could someone please confirm what this issue is in clear terms? Thanks, Anne-Sophie -Original Message- From: clamav-users

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Joel Esler (jesler)
So is it us that needs to adjust our software for something that PayPal is doing? Or should PayPal adjust what they are doing? -- Sent from my iPhone > On May 31, 2017, at 06:38, Al Varnell wrote: > > OK, I managed to clean it up enough and added a fake header so I could

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions: > LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com > LibClamAV debug: Phishing: looking up in whitelist: > .epl.paypal-communication.com:.www.paypal.com;
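The debug lines above show the two inputs ClamAV's phishing heuristic works with: the host of the real link target (.epl.paypal-communication.com) and the host shown to the reader (.www.paypal.com), looked up as a pair in the whitelist. The following script is an added example, not code from the thread or from libclamav: it re-implements that display-vs-real host comparison in simplified form over a constructed HTML fragment, and applies a whitelist written in the style of ClamAV's .wdb "M:RealURL:DisplayedURL" lines. The sample HTML, the literal-match treatment of "M:" entries (the regex "X:" form is not handled) and the strict host-equality rule are assumptions of this example, not ClamAV's exact matching semantics.

```python
"""Simplified emulation of a display-vs-real URL phishing heuristic.

Added example, not ClamAV's code. It flags an <a> element whose visible text
looks like a URL or domain but names a different host than the href, unless
the (real, displayed) host pair is whitelisted.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: first link is a tracking redirect with "www.paypal.com"
# as its visible text, second is an outright mismatch, third is plain text.
SAMPLE_HTML = """
<p>Review them at <a href="http://epl.paypal-communication.com/t?u=1">www.paypal.com</a></p>
<p>Or sign in at <a href="http://evil.example.net/login">https://www.paypal.com/signin</a></p>
<p>Questions? <a href="https://www.paypal.com/help">Help Center</a></p>
"""

# Whitelist in the style of a ClamAV .wdb line (format assumed for this
# example; entries are treated as literal host pairs, no regex support).
WHITELIST = """
# M:RealHost:DisplayedHost
M:.epl.paypal-communication.com:.www.paypal.com
"""

# A bare domain or URL: optional scheme, a host with at least one dot, optional path.
DOMAIN_RE = re.compile(
    r"^(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:[/:?#].*)?$", re.I
)


def norm_host(text):
    """Return the host of a URL or bare domain, lowercased and prefixed with '.'
    (mirroring the leading dot seen in the debug output), or None when the text
    is not URL-like at all (e.g. 'Help Center')."""
    m = DOMAIN_RE.match(text.strip())
    return "." + m.group(1).lower().rstrip(".") if m else None


def href_host(href):
    """Host of the real link target; falls back to norm_host for scheme-less hrefs."""
    h = urlparse(href.strip()).hostname
    return "." + h.lower() if h else norm_host(href)


def load_whitelist(text):
    """Parse 'M:real:displayed' lines into a set of (real, displayed) host pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == "M":
            pairs.add((fields[1].lower(), fields[2].lower()))
    return pairs


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, whitelist_text):
    """Return [(real_host, displayed_host, verdict), ...] for each link.

    verdict is 'no-check' when the visible text is not URL-like, 'clean' when
    both hosts agree, 'whitelisted' when the pair is listed, else 'suspicious'.
    Host equality is stricter than libclamav's matching; it is enough to show
    why a tracking domain with a bare 'www.paypal.com' label trips the check.
    """
    wl = load_whitelist(whitelist_text)
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        real, shown = href_host(href), norm_host(text)
        if real is None or shown is None:
            verdict = "no-check"
        elif real == shown:
            verdict = "clean"
        elif (real, shown) in wl:
            verdict = "whitelisted"
        else:
            verdict = "suspicious"
        results.append((real, shown, verdict))
    return results


if __name__ == "__main__":
    for real, shown, verdict in check_links(SAMPLE_HTML, WHITELIST):
        print(f"{verdict:12} real={real} displayed={shown}")
```

Run with the whitelist emptied and the first link is reported as suspicious, which is the false-positive situation described in this thread; with the pair listed it is reported as whitelisted, and the plain "Help Center" link is never examined because its label is not URL-like.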

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread outre...@epsilon.com
Hi Al, Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
Well I certainly have run across several legit detections over the years along with many more FPs, and since it was confusing so many ClamXav users, it's been turned off by the developer for over a year now. SafeBrowsing has always been disabled (already in use by most all OS X browsers),

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread outre...@epsilon.com
Hi Al, I'm including below the source of an email that was rejected recently. Could you please point out exactly what you feel is the issue with the links? Many thanks, Anne-Sophie Your Legal Agreements with PayPal

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Reindl Harald
Am 31.05.2017 um 10:05 schrieb Al Varnell: Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links. they don't have to feel anything - they have to fix false positives and if it means remove heuristic phishing signatures completely when they are proven

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links. Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue. But I am a bit surprised that they haven't commented. -Al- On Wed, May 31, 2017

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread outre...@epsilon.com
Hi, I did but never heard anything back unfortunately. We still had a lot of mail blocked on the 29/5 because of this issue. Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor. Thanks, Anne-Sophie