Well I certainly have run across several legit detections over the years along with many more FP's, and since it was confusing so many ClamXav users, it's been turned off for by the developer for over a year now. SafeBrowsing has always been disabled (already in use by most all OS X browsers), so that's not an issue for ClamXav, either.

-Al-

On Wed, May 31, 2017 at 01:13 AM, Reindl Harald wrote:
>
> Am 31.05.2017 um 10:05 schrieb Al Varnell:
>> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>
> they don't have to feel anything - they have to fix false positives and if it means remove heuristic phisiing signatures completly when they are provne over years to hit *only* legit mail - until today nobody was able to show me a legit reject based on this
>
>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>> But I am a bit surprised that they haven't commented.
>> -Al-
>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>>
>>> Hi,
>>>
>>> I did but never heard anything back unfortunately.
>>>
>>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>>
>>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>>
>>> Thanks,
>>>
>>> Anne-Sophie
>>>
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
>>> Sent: 31 May 2017 05:05
>>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>>
>>> Did I you ever submit those samples as I recommended. It's unlikely that any action will be taken until you do.
>>>
>>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>>
>>> Sent from Janet's iPad
>>>
>>> -Al-
>>>
>>> On May 19, 2017, at 9:14 AM, "Outreach wrote:
>>>> Hi Ged,
>>>>
>>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>>
>>>> IPs: 142.54.244.[96-110]
>>>>
>>>> Domains:
>>>> mail.paypal.at
>>>> mail.paypal.be
>>>> mail.paypal.ch
>>>> mail.paypal.co.il
>>>> mail.paypal.co.uk
>>>> mail.paypal.de
>>>> mail.paypal.dk
>>>> mail.paypal.es
>>>> mail.paypal.fr
>>>> mail.paypal.it
>>>> mail.paypal.nl
>>>> mail.paypal.no
>>>> mail.paypal.pl
>>>> mail.paypal.se
>>>> mail.paypal.com
>>>>
>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>>
>>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>>
>>>>
>>>> Many thanks,
>>>>
>>>>
>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>>
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>> From: "G.W. Haywood"
>>>> To: clamav-***@lists.clamav.net
>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>> phishing by ClamAv
>>>> Message-ID:
>>>> <***@mail6.jubileegroup.co.uk>
>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>>
>>>> Hi there,
>>>>
>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>>
>>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>>
>>>> No surprise there.
>>>>
>>>>> We get this type of bounce erros:
>>>>> 554 Your email was rejected because it contains the
>>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>>
>>>> That's not a bounce, it's a reject.
>>>>
>>>>> Please make the necessary changes to your product ASAP.
>>>>
>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>>
>>>> 8<--------------------------------------------------------------------
>>>> --
>>>> [lefttrianglebracket]
>>>> img height="1"
>>>> width="1"
>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>>> border="0"
>>>> alt=""/
>>>> [righttrianglebracket]
>>>> 8<--------------------------------------------------------------------
>>>> --
>>>>
>>>> The mail did pass our SPF checks on receipt:
>>>>
>>>> 8<--------------------------------------------------------------------
>>>> --
>>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>>> envelope-from=***@paypal.co.uk;
>>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>> 8<--------------------------------------------------------------------
>>>> --
>>>>
>>>> but then it went in the bin.
>>>>
>>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>>
>>>> I don't suppose you'll actually read this
>
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA

It's past my bed time, the source has been corrupted with too many =3D, =2E, HEX codes, and without the headers, I can't run it through debug, but a quick check of the whitelist doesn't seem to include:
https://epl.paypal-communication.com.

I see:
paypal-marketing
app.paypal-now.com
www.paypal-gifts.com

for a handful of the domains you listed.

-Al-

On Wed, May 31, 2017 at 01:16 AM, ***@epsilon.com wrote:
>
> Hi Al,
>
> I'm including below the source of an email that was rejected recently. Could you please point out exactly what you feel is the issue with the links?
>
> Many thanks,
>
> Anne-Sophie
>
>
> <!doctype html>
> <html>
> <head>
> <meta charset=3D"utf-8">
> <meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=3D1=
> =2E0">
> <meta name=3D"format-detection" content=3D"telephone=3Dno" />
> <title>Your Legal Agreements with PayPal</title>
> <style type=3D"text/css">
> table th { margin:0 !important; padding:0 !important; vertical-align:top; =
> font-weight:normal; }
> body {
> margin:0;
> padding:0;
> font-family:Arial;
> font-size: 16px;
> color:#666666;
> }
> *{
> line-height:normal !important;
> }
> /*Yahoo paragraph fix*/
> p {
> margin: 1em 0;
> }
> /*This resolves the Outlook 07, 10, and Gmail td padding issue fix*/
> table td {
> border-collapse: collapse;
> }
> /*viewport width scaling for all devices*/
> @-ms-viewport {
> width: device-width;
> }
> /*This resolves the issue when iphone puts links on dates, etc=2E*/
> =2EappleLinks {
> color: inherit;
> text-decoration: none;
> }
> =2EappleLinks a {
> color: inherit;
> text-decoration: none;
> }
>
>
> a[href^=3D"x-apple-data-detectors:"] {
> color: inherit;
> text-decoration: inherit;
> }
>
> @media screen and (max-width:480px) {
> /*Do not show in mobiles*/
> *=2Enomobile, *[class~=3D"hide"] {
> display: none !important;
> }
> /*Shows in mobiles*/
> *=2Eshow {
> display: block !important;
> margin: 0 !important;
> padding: 0 !important;
> overflow: visible !important;
> width: auto !important;
> max-height: inherit !important;
> }
> =2Econtainer {
> width:100% !important;
> min-width:100% !important;
> }
> =2Econtent {
> width:91=2E71428571428571% !important;
> }
>
> *[class~=3D"logo"], *[class~=3D"logo_right"] {
> width:40% !important;
> }
> =2Ecoldrop {
> display:block !important;
> width:100% !important;
> }
> =2Eimgfull {
> width:100% !important;
> height:auto !important;
> }
> *[class~=3D"nopad"] {
> padding:0px 0px 0px 0px !important;
> }
> *[class~=3D"dbl_line"] {
> border-top:1px solid #d9d9d9 !important;
> border-bottom:1px solid #FFFFFF !important;
> }
>
>
> /* text styles */
>
> *[class~=3D"heading01"] {
> font-size:25px !important;
> }
>
> =2Etext01 {
> font-size:12px !important;
> }
> =2Etext02 {
> font-size:14px !important;
> }
> =2Etext03 {
> font-size:16px !important;
> }
> =2Etext04 {
> font-size:10px !important;
> }
> =2Earrange_top{
>
> display:table-header-group !important;
> }
> =2Earrange_bottom{
> display:table-footer-group !important;
> }
> =2Eheight20 {
> height:20px !important;
> }
> =2Eheight15 {
> height:15px !important;
> }
> =2Eheight10 {
> height:10px !important;
> }
> =2Eheight5 {
> height:5px !important;
> }
> =2Ewidth20 {
> width:20px !important;
> }
> =2Ewidth15 {
> width:15px !important;
> }
> =2Ewidth10 {
> width:10px !important;
> }
> =2Ewidth5 {
> width:5px !important;
> }
> }
>
> @media screen and (max-width:320px) {
> /* *[class~=3D"logo"], *[class~=3D"logo_right"] {
> width:40% !important;
> } */
> *[class~=3D"align_left320"] {
> float:left !important;
> text-align:left !important;
> }
> *[class~=3D"align_right320"] {
> float:right !important;
> text-align:right !important;
> }
>
> =2Econtent_02 {
> width:98% !important;
> }
> *[class~=3D"logo"], *[class~=3D"logo_right"] {
> width:40% !important;
> }
> }
>
> </style>
> </head>
>
> <body yahoo=3D"fix">
> <!-- preheader -->
> <table bgcolor=3D"#f2f2f2" style=3D"table-layout:fixed;" width=3D"100%" bo=
> rder=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td valign=3D"top" align=3D"center">
> <table bgcolor=3D"#f2f2f2" width=3D"740" class=3D"container" border=3D"0" =
> cellspacing=3D"0" cellpadding=3D"0" style=3D"min-width:740px;">
> <tr>
> <td valign=3D"middle" style=3D"padding:10px 0px 10px 0px;" align=3D"center=
> ">
> <table class=3D"content" bgcolor=3D"#f2f2f2" width=3D"700" border=3D"0" ce=
> llspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td valign=3D"middle" align=3D"left" style=3D"font-family:Arial; font-size=
> :12px; color:#666666;"><b> </b> - We're making a few changes</td>
> <td valign=3D"middle" align=3D"right" style=3D"font-family:Arial; font-siz=
> e:12px; color:#666666;"><a style=3D"font-family:Arial; color:#666666;" href=
> =3D"https://epl=2Epaypal-communication=2Ecom/H/2/v20000015c53387d90b8822cf4=
> bbc782e8/5ac10d12-aef1-4111-b057-9f4d47f20daa/Html" target=3D"_blank">View =
> Online</a></td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> <!-- /preheader -->
>
> <!-- main content -->
> <table bgcolor=3D"#f2f2f2" style=3D"table-layout:fixed;" width=3D"100%" bo=
> rder=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td valign=3D"top" align=3D"center">
> <table bgcolor=3D"#f2f2f2" width=3D"740" class=3D"container" border=3D"0" =
> cellspacing=3D"0" cellpadding=3D"0" style=3D"min-width:740px;">
> <tr>
> <td valign=3D"middle" align=3D"center">
> <table class=3D"container" bgcolor=3D"#FFFFFF" width=3D"700" border=3D"0" =
> cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td class=3D"grey_line" valign=3D"middle" align=3D"left" style=3D"font-fam=
> ily:Arial; font-size:1px; color:#666666;" height=3D"1"><img style=3D"displa=
> y:block; border:none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalasse=
> ts/c/EMEA/email/1111_rnd_crnr_top=2Ejpg" width=3D"700" height=3D"7" alt=3D"=
> " class=3D"hide"/></td>
> </tr>
> <tr>
> <td valign=3D"middle" class=3D"nopad" bgcolor=3D"#e3e3e3" align=3D"left" s=
> tyle=3D"font-family:Arial; font-size:12px; color:#666666; padding:0px 1px 0=
> px 1px;">
> <table bgcolor=3D"#FFFFFF" width=3D"100%" border=3D"0" cellspacing=3D"0" c=
> ellpadding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
> enter" valign=3D"top">
> <table class=3D"content" width=3D"642" border=3D"0" cellspacing=3D"0" cell=
> padding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" height=3D"=
> 15"></td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"l=
> eft">
> <table class=3D"logo" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:16px; color:#666666;"><a href=3D=
> "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc78=
> 2e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa" =
> target=3D"_blank"><img class=3D"imgfull" style=3D"display:block; border:non=
> e;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/111=
> 1_logo-paypal=2Epng" width=3D"152" height=3D"38" alt=3D"PayPal"/></a></td>
> </tr>
> </table>
> </td>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"r=
> ight">
> <table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:16px; color:#666666;"></td>
> </tr>
> </table>
> </td>
>
>
> </tr>
> </table>
> </td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" height=3D"=
> 25" class=3D"height15"></td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"l=
> eft">
> <table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td class=3D"heading01" style=3D"font-family:Arial; font-size:40px; color:=
> #009cde;">Just to let you know=2E=2E=2E</td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5" class=3D"height15"></td>
> </tr>
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:13px; color:#6666=
> 66;">We're changing our Legal Agreements=2E We wanted to check it&#82=
> 17;s OK with you=2E<br><br> We're making some changes to our Legal Ag=
> reements; the documents that govern our relationship with you=2E We'v=
> e put details of the changes on our <a style=3D"font-family:Arial; font-siz=
> e:13px; color:#009cde; text-decoration:none; font-weight:bold;" href=3D"htt=
> ps://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/=
> 5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">Poli=
> cy Update web page</a> - you can also find the page at <a style=3D"f=
> ont-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font=
> -weight:bold;" href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015=
> c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/5ac10d12-aef1-41=
> 11-b057-9f4d47f20daa">www=2Epaypal=2Ecom</a>, by clicking 'Legal&#821=
> 7; at the bottom of the page, selecting "Other countries (in English)=
> " from the drop-down menu and then selecting 'Policy Updates&#8=
> 217;=2E</td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5" class=3D"height15"></td>
> </tr>
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:13px; color:#6666=
> 66;"><b>What do I have to do?</b></td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5" class=3D"height15"></td>
> </tr>
>
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:13px; color:#6666=
> 66;">Take a look at our Policy Update page to ensure you consent to the cha=
> nges=2E If you do, you don't need to do anything=2E If you don'=
> t want to accept the changes you can follow the steps we've set out o=
> n our Policy Update page=2E</td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5" class=3D"height15"></td>
> </tr>
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:16px; color:#6666=
> 66;" valign=3D"middle">
> <table width=3D"310" class=3D"container" border=3D"0" cellspacing=3D"0" ce=
> llpadding=3D"0">
> <tr>
>
> <!--[if lt IE 9 | mso]>
> <td width=3D"5" style=3D"font-family:Arial; font-size:16px; color:#666666;=
> " valign=3D"middle" bgcolor=3D"#009cde"><img style=3D"display:block; border=
> :none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email=
> /1111_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/></td>
> <![endif]-->
> <td bgcolor=3D"#009cde" style=3D"font-family:Arial; font-size:16px; color:=
> #666666; -moz-border-radius: 5px; -webkit-border-radius: 5px; border-radius=
> : 5px;" valign=3D"middle">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:14px; color:#FFFFFF;" valign=3D"=
> middle" align=3D"center"><a style=3D"display:block; text-decoration:none; c=
> olor:#ffffff; padding:10px 0px 10px 0px; font-weight:bold;" href=3D"https:/=
> /epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac1=
> 0d12aef141110000021ef3a0bcc5/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=
> =3D"_blank">See the Policy Update Page</a></td>
> </tr>
> </table>
>
> </td>
>
> <!--[if lt IE 9 | mso]>
> <td width=3D"5" style=3D"font-family:Arial; font-size:16px; color:#666666;=
> " valign=3D"middle"><img style=3D"display:block; border:none;" src=3D"https=
> ://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/1111_cta_blue_right=
> =2Ejpg" width=3D"5" height=3D"40" alt=3D""/></td>
> <![endif]-->
>
> </tr>
> </table>
>
> </td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5" class=3D"height15"></td>
> </tr>
>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
>
> <tr>
> <td valign=3D"middle" height=3D"1" bgcolor=3D"#e3e3e3" align=3D"left" styl=
> e=3D"font-family:Arial; font-size:1px; color:#666666;"><img style=3D"displa=
> y:block; border:none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalasse=
> ts/c/EMEA/email/1111_rnd_crnr_bottom=2Ejpg" width=3D"700" height=3D"7" alt=
> =3D"" class=3D"hide"/></td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> <!-- /main content -->
> <!-- footer -->
> <table bgcolor=3D"#f2f2f2" style=3D"table-layout:fixed;" width=3D"100%" bo=
> rder=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td valign=3D"top" align=3D"center">
> <table bgcolor=3D"#f2f2f2" width=3D"740" class=3D"container" border=3D"0" =
> cellspacing=3D"0" cellpadding=3D"0" style=3D"min-width:740px;">
> <tr>
> <td valign=3D"middle" align=3D"center">
> <table class=3D"container" bgcolor=3D"" width=3D"700" border=3D"0" cellspa=
> cing=3D"0" cellpadding=3D"0">
>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5"></td>
> </tr>
> <tr>
> <td valign=3D"middle" class=3D"" align=3D"left" style=3D"font-family:Arial=
> ; font-size:12px; color:#666666;">
> <table bgcolor=3D"" width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadd=
> ing=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
> enter" valign=3D"top">
> <table class=3D"container" width=3D"642" border=3D"0" cellspacing=3D"0" ce=
> llpadding=3D"0">
>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
> oldrop" align=3D"left">
> <table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
> ">
> <tr>
> <td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
> :bold;" align=3D"center">
> <table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr align=3D"center">
> <td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
> :bold;">
> <a style=3D"text-decoration:none; color:#666666;" href=3D"https://epl=2Epa=
> ypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef14=
> 1110000021ef3a0bcc6/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"_blank"=
>> Help</a></td>
> <td width=3D"10"></td>
> <td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
> :bold;">
> <a style=3D"text-decoration:none; color:#666666;" href=3D"https://epl=2Epa=
> ypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef14=
> 1110000021ef3a0bcc7/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"_blank"=
>> Contact</a></td>
> <td width=3D"10"></td>
> <td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
> :bold;"><a style=3D"text-decoration:none; color:#666666;" href=3D"https://e=
> pl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d=
> 12aef141110000021ef3a0bcc8/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"=
> _blank">Security</a></td><td width=3D"10"></td>
>
>
> </tr>
> </table>
>
> </td>
>
> </tr>
> </table>
> </th>
> </tr>
> </table>
> </td>
> </tr>
>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> <!-- Seperator -->
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#d9d9d9" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#FFFFFF" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <!-- Seperator end-->
> <tr>
> <td valign=3D"middle" class=3D"" align=3D"left" style=3D"font-family:Arial=
> ; font-size:12px; color:#666666;">
> <table bgcolor=3D"" width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadd=
> ing=3D"0">
>
>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
> enter" valign=3D"top">
> <table class=3D"content" width=3D"642" border=3D"0" cellspacing=3D"0" cell=
> padding=3D"0">
>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
> oldrop" align=3D"left">
> <table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
> ">
> <tr>
> <td style=3D"font-family:Arial; color:#666666;" align=3D"center">
> <table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:11px; color:#8c8c=
> 8c; font-weight:normal !important;">
> <b>How do I know this is not a fake email?</b><br><br>
> An email really coming from PayPal will address you by your first and last=
> names or your business name=2E It will not ask you for sensitive informati=
> on like your password, bank account or credit card details=2E Most fake ema=
> ils threaten that your account will be in jeopardy if you do not take actio=
> n immediately=2E An email that urgently requests you to supply sensitive pe=
> rsonal information is usually an attempt at fraud=2E Also, fake emails ofte=
> n contain misspellings and grammatical errors or are written in a language =
> which you did not set as preferred for your PayPal account=2E Remember not =
> to click any links in suspicious looking emails=2E
> <br><br>
> <a href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8=
> 822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc9/5ac10d12-aef1-4111-b057-9f4=
> d47f20daa" target=3D"_blank" style=3D"color:#8c8c8c;">Click here to learn h=
> ow to defend yourself against phishing and spoofing</a>=2E</td></tr>
>
> </table>
> </td>
> </tr>
> </table>
> </th>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> <!-- Seperator -->
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#d9d9d9" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#FFFFFF" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <!-- Seperator end -->
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
> enter" valign=3D"top">
> <table class=3D"content" width=3D"642" border=3D"0" cellspacing=3D"0" cell=
> padding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
> oldrop" align=3D"left">
> <table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
> ">
> <tr>
> <td style=3D"font-family:Arial; color:#666666;" align=3D"center">
> <table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:11px; color:#8c8c=
> 8c; font-weight:normal !important;">This email was sent to <a style=3D"colo=
> r:#8c8c8c; text-decoration:none;" href=3D"mailto:"></a>=2E
> <br>
> <br>
> Copyright (c) 1999-2017 PayPal=2E PayPal Pte=2E Ltd=2E Address: 5=
> Temasek Boulevard #09-01, Suntec Tower 5, Singapore 038985=2E Registration=
> number 200509725E=2E<br><br> Consumer advisory: PayPal Pte Ltd, the Holder=
> of the PayPal(tm) payment stored value facility, does not require the a=
> pproval of the Monetary Authority of Singapore=2E Consumers (users) are adv=
> ised to read the terms and conditions carefully=2E</td></tr>
>
> </table>
> </td>
> </tr>
> </table>
> </th>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5"></td>
> </tr>
>
> </table>
>
>
> <!-- footer -->
>
>
> <img src=3D'https://epl=2Epaypal-communication=2Ecom/O/v20000015c53387d90b=
> 8822cf4bbc782e8/5ac10d12aef1411100004c5a42963aa1' style=3D"display:none; ma=
> x-height: 0px; font-size: 0px; overflow: hidden; mso-hide: all"/></body>
> </html>
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
> Sent: 31 May 2017 09:06
> To: ClamAV users ML <clamav-***@lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>
> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>
> But I am a bit surprised that they haven't commented.
>
> -Al-
>
> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>
>> Hi,
>>
>> I did but never heard anything back unfortunately.
>>
>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>
>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>
>> Thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>> Behalf Of Al Varnell
>> Sent: 31 May 2017 05:05
>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Did I you ever submit those samples as I recommended. It's unlikely that any action will be taken until you do.
>>
>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On May 19, 2017, at 9:14 AM, "Outreach wrote:
>>> Hi Ged,
>>>
>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>
>>> IPs: 142.54.244.[96-110]
>>>
>>> Domains:
>>> mail.paypal.at
>>> mail.paypal.be
>>> mail.paypal.ch
>>> mail.paypal.co.il
>>> mail.paypal.co.uk
>>> mail.paypal.de
>>> mail.paypal.dk
>>> mail.paypal.es
>>> mail.paypal.fr
>>> mail.paypal.it
>>> mail.paypal.nl
>>> mail.paypal.no
>>> mail.paypal.pl
>>> mail.paypal.se
>>> mail.paypal.com
>>>
>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>
>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>
>>>
>>> Many thanks,
>>>
>>>
>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> -
>>>
>>> Message: 1
>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>> From: "G.W. Haywood"
>>> To: clamav-***@lists.clamav.net
>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>> phishing by ClamAv
>>> Message-ID:
>>> <***@mail6.jubileegroup.co.uk>
>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>
>>> Hi there,
>>>
>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>
>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>
>>> No surprise there.
>>>
>>>> We get this type of bounce erros:
>>>> 554 Your email was rejected because it contains the
>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>
>>> That's not a bounce, it's a reject.
>>>
>>>> Please make the necessary changes to your product ASAP.
>>>
>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>> [lefttrianglebracket]
>>> img height="1"
>>> width="1"
>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>> border="0"
>>> alt=""/
>>> [righttrianglebracket]
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>>
>>> The mail did pass our SPF checks on receipt:
>>>
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>> envelope-from=***@paypal.co.uk;
>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>>
>>> but then it went in the bin.
>>>
>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>
>>> I don't suppose you'll actually read this.
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA

OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:

> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

-Al-

On Wed, May 31, 2017 at 02:05 AM, ***@epsilon.com wrote:
>
> Hi Al,
>
> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:
>
> <a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde; text-decoration:none; font-weight:bold;" href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">
> <a href=3D= "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa" = target=3D"_blank">
>
> This is an example of their images URL:
> <img style=3D"display:block; border= :none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/1111_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>
>
> Many thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
> Sent: 31 May 2017 09:06
> To: ClamAV users ML <clamav-***@lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>
> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>
> But I am a bit surprised that they haven't commented.
>
> -Al-
>
> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>
>> Hi,
>>
>> I did but never heard anything back unfortunately.
>>
>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>
>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>
>> Thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>> Behalf Of Al Varnell
>> Sent: 31 May 2017 05:05
>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Did I you ever submit those samples as I recommended. It's unlikely that any action will be taken until you do.
>>
>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On May 19, 2017, at 9:14 AM, "Outreach wrote:
>>> Hi Ged,
>>>
>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>
>>> IPs: 142.54.244.[96-110]
>>>
>>> Domains:
>>> mail.paypal.at
>>> mail.paypal.be
>>> mail.paypal.ch
>>> mail.paypal.co.il
>>> mail.paypal.co.uk
>>> mail.paypal.de
>>> mail.paypal.dk
>>> mail.paypal.es
>>> mail.paypal.fr
>>> mail.paypal.it
>>> mail.paypal.nl
>>> mail.paypal.no
>>> mail.paypal.pl
>>> mail.paypal.se
>>> mail.paypal.com
>>>
>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>
>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>
>>>
>>> Many thanks,
>>>
>>>
>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> -
>>>
>>> Message: 1
>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>> From: "G.W. Haywood"
>>> To: clamav-***@lists.clamav.net
>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>> phishing by ClamAv
>>> Message-ID:
>>> <***@mail6.jubileegroup.co.uk>
>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>
>>> Hi there,
>>>
>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>
>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>
>>> No surprise there.
>>>
>>>> We get this type of bounce erros:
>>>> 554 Your email was rejected because it contains the
>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>
>>> That's not a bounce, it's a reject.
>>>
>>>> Please make the necessary changes to your product ASAP.
>>>
>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>> [lefttrianglebracket]
>>> img height="1"
>>> width="1"
>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>> border="0"
>>> alt=""/
>>> [righttrianglebracket]
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>>
>>> The mail did pass our SPF checks on receipt:
>>>
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>> envelope-from=***@paypal.co.uk;
>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>> 8<-------------------------------------------------------------------
>>> -
>>> --
>>>
>>> but then it went in the bin.
>>>
>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>
>>> I don't suppose you'll actually read this.
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA

***@epsilon.com wrote:
> Hi Al,
>
> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking.
^^^^^^^^^^^^^^^^^^^^^^

In my experience that, in and of itself, is often the problem.

The cases I've whitelisted locally are almost always mismatches between
the visible link text and the actual link target, eg:

<a href="tracker.bigesp/path/to/some/thing/hexstring">example.com/link</a>

All too often, "bigesp" seems to go to great lengths to remain
unidentified, by way of cryptic and ever-multiplying domains which
appear, without time-consuming investigation, to be Just Another Spoof.

I would also suggest that using a complete separate TLD for
click-tracking is a good way to *raise* red flags when a message is
inspected by hand; even worse when the domain looks similar to the main
domain - such as "paypal-communications.com" vs "paypal.com".

Use a subdomain (eg "communication.paypal.com", or
"espname.paypal.com"), which is clearly delegated from the organization
potentially being spoofed, rather than Yet Another Similar But Not
Obviously Associated Domain (because the domain registrars clearly can't
be trusted to prevent *these* from being registered by world+dog, and a
disturbing number don't shut down the real spoofs very quickly either).

In short, stop doing the same things that the scammers do, and do things
that the scammers can't.

-kgd
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml