Discussion:
clamav-users Digest, Vol 150, Issue 19
O***@epsilon.com
2017-05-19 16:14:31 UTC
Hi Ged,

I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:

IPs: 142.54.244.[96-110]

Domains:
mail.paypal.at
mail.paypal.be
mail.paypal.ch
mail.paypal.co.il
mail.paypal.co.uk
mail.paypal.de
mail.paypal.dk
mail.paypal.es
mail.paypal.fr
mail.paypal.it
mail.paypal.nl
mail.paypal.no
mail.paypal.pl
mail.paypal.se
mail.paypal.com

Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.

These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"


Many thanks,


Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com




----------------------------------------------------------------------

Message: 1
Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
From: "G.W. Haywood" <***@jubileegroup.co.uk>
To: clamav-***@lists.clamav.net
Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
phishing by ClamAv
Message-ID:
<***@mail6.jubileegroup.co.uk>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

Hi there,

On Thu, 18 May 2017, Anne-Sophie Marsh wrote:

> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.

No surprise there.

> We get this type of bounce errors:
> 554 Your email was rejected because it contains the
> Heuristics.Phishing.Email.SpoofedDomain virus

That's not a bounce, it's a reject.

> Please make the necessary changes to your product ASAP.

Well... the last email I saw from PayPal had this in it, carefully hidden:

8<----------------------------------------------------------------------
[lefttrianglebracket]
img height="1"
width="1"
src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
border="0"
alt=""/
[righttrianglebracket]
8<----------------------------------------------------------------------

The mail did pass our SPF checks on receipt:

8<----------------------------------------------------------------------
Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates 173.0.84.226 as permitted sender) receiver=mail5; client-ip=173.0.84.226; helo=mx0.slc.paypal.com; envelope-from=***@paypal.co.uk;
x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
8<----------------------------------------------------------------------

but then it went in the bin.

Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.

I don't suppose you'll actually read this.

--

73,
Ged.



_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2017-05-31 04:04:52 UTC
Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.

Most of the people that participate on this list are users and can't do anything but give you advice.

Sent from Janet's iPad

-Al-

On May 19, 2017, at 9:14 AM, Outreach wrote:
> Hi Ged,
>
> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
O***@epsilon.com
2017-05-31 07:53:44 UTC
Hi,

I did but never heard anything back unfortunately.

We still had a lot of mail blocked on the 29/5 because of this issue.

Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.

Thanks,

Anne-Sophie

Al Varnell
2017-05-31 08:05:42 UTC
Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.

Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.

But I am a bit surprised that they haven't commented.

-Al-

On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>
> Hi,
>
> I did but never heard anything back unfortunately.
>
> We still had a lot of mail blocked on the 29/5 because of this issue.
>
> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>
> Thanks,
>
> Anne-Sophie
Reindl Harald
2017-05-31 08:13:59 UTC
Am 31.05.2017 um 10:05 schrieb Al Varnell:
> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.

they don't have to feel anything - they have to fix false positives and
if it means remove heuristic phishing signatures completely when they are
proven over years to hit *only* legit mail - until today nobody was able
to show me a legit reject based on this

> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>
> But I am a bit surprised that they haven't commented.
>
> -Al-
Al Varnell
2017-05-31 08:23:57 UTC
Well I certainly have run across several legit detections over the years along with many more FP's, and since it was confusing so many ClamXav users, it's been turned off by the developer for over a year now. SafeBrowsing has always been disabled (already in use by most all OS X browsers), so that's not an issue for ClamXav, either.

-Al-

On Wed, May 31, 2017 at 01:13 AM, Reindl Harald wrote:
>
> Am 31.05.2017 um 10:05 schrieb Al Varnell:
>> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>
> they don't have to feel anything - they have to fix false positives and if it means remove heuristic phishing signatures completely when they are proven over years to hit *only* legit mail - until today nobody was able to show me a legit reject based on this

-Al-
--
Al Varnell
Mountain View, CA
O***@epsilon.com
2017-05-31 08:16:26 UTC
Hi Al,

I'm including below the source of an email that was rejected recently. Could you please point out exactly what you feel is the issue with the links?

Many thanks,

Anne-Sophie


eft">
<table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<td class=3D"heading01" style=3D"font-family:Arial; font-size:40px; color:=
#009cde;">Just to let you know=2E=2E=2E</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
5" class=3D"height15"></td>
</tr>
<tr>
<td align=3D"left" style=3D"font-family:Arial; font-size:13px; color:#6666=
66;">We're changing our Legal Agreements=2E We wanted to check it&#82=
17;s OK with you=2E<br><br> We're making some changes to our Legal Ag=
reements; the documents that govern our relationship with you=2E We'v=
e put details of the changes on our <a style=3D"font-family:Arial; font-siz=
e:13px; color:#009cde; text-decoration:none; font-weight:bold;" href=3D"htt=
ps://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/=
5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">Poli=
cy Update web page</a> - you can also find the page at <a style=3D"f=
ont-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font=
-weight:bold;" href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015=
c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/5ac10d12-aef1-41=
11-b057-9f4d47f20daa">www=2Epaypal=2Ecom</a>, by clicking 'Legal&#821=
7; at the bottom of the page, selecting "Other countries (in English)=
" from the drop-down menu and then selecting 'Policy Updates&#8=
217;=2E</td>
</tr>
<tr>
<td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
5" class=3D"height15"></td>
</tr>
<tr>
<td align=3D"left" style=3D"font-family:Arial; font-size:13px; color:#6666=
66;"><b>What do I have to do?</b></td>
</tr>
<tr>
<td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
5" class=3D"height15"></td>
</tr>

<tr>
<td align=3D"left" style=3D"font-family:Arial; font-size:13px; color:#6666=
66;">Take a look at our Policy Update page to ensure you consent to the cha=
nges=2E If you do, you don't need to do anything=2E If you don'=
t want to accept the changes you can follow the steps we've set out o=
n our Policy Update page=2E</td>
</tr>
<tr>
<td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
5" class=3D"height15"></td>
</tr>
<tr>
<td align=3D"left" style=3D"font-family:Arial; font-size:16px; color:#6666=
66;" valign=3D"middle">
<table width=3D"310" class=3D"container" border=3D"0" cellspacing=3D"0" ce=
llpadding=3D"0">
<tr>

<!--[if lt IE 9 | mso]>
<td width=3D"5" style=3D"font-family:Arial; font-size:16px; color:#666666;=
" valign=3D"middle" bgcolor=3D"#009cde"><img style=3D"display:block; border=
:none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email=
/1111_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/></td>
<![endif]-->
<td bgcolor=3D"#009cde" style=3D"font-family:Arial; font-size:16px; color:=
#666666; -moz-border-radius: 5px; -webkit-border-radius: 5px; border-radius=
: 5px;" valign=3D"middle">
<table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<td style=3D"font-family:Arial; font-size:14px; color:#FFFFFF;" valign=3D"=
middle" align=3D"center"><a style=3D"display:block; text-decoration:none; c=
olor:#ffffff; padding:10px 0px 10px 0px; font-weight:bold;" href=3D"https:/=
/epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac1=
0d12aef141110000021ef3a0bcc5/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=
=3D"_blank">See the Policy Update Page</a></td>
</tr>
</table>

</td>

<!--[if lt IE 9 | mso]>
<td width=3D"5" style=3D"font-family:Arial; font-size:16px; color:#666666;=
" valign=3D"middle"><img style=3D"display:block; border:none;" src=3D"https=
://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/1111_cta_blue_right=
=2Ejpg" width=3D"5" height=3D"40" alt=3D""/></td>
<![endif]-->

</tr>
</table>

</td>
</tr>
<tr>
<td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
5" class=3D"height15"></td>
</tr>

</table>
</td>
</tr>
</table>
</td>
</tr>

<tr>
<td valign=3D"middle" height=3D"1" bgcolor=3D"#e3e3e3" align=3D"left" styl=
e=3D"font-family:Arial; font-size:1px; color:#666666;"><img style=3D"displa=
y:block; border:none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalasse=
ts/c/EMEA/email/1111_rnd_crnr_bottom=2Ejpg" width=3D"700" height=3D"7" alt=
=3D"" class=3D"hide"/></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<!-- /main content -->
<!-- footer -->
<table bgcolor=3D"#f2f2f2" style=3D"table-layout:fixed;" width=3D"100%" bo=
rder=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<td valign=3D"top" align=3D"center">
<table bgcolor=3D"#f2f2f2" width=3D"740" class=3D"container" border=3D"0" =
cellspacing=3D"0" cellpadding=3D"0" style=3D"min-width:740px;">
<tr>
<td valign=3D"middle" align=3D"center">
<table class=3D"container" bgcolor=3D"" width=3D"700" border=3D"0" cellspa=
cing=3D"0" cellpadding=3D"0">

<tr>
<td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
5"></td>
</tr>
<tr>
<td valign=3D"middle" class=3D"" align=3D"left" style=3D"font-family:Arial=
; font-size:12px; color:#666666;">
<table bgcolor=3D"" width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadd=
ing=3D"0">
<tr>
<td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
enter" valign=3D"top">
<table class=3D"container" width=3D"642" border=3D"0" cellspacing=3D"0" ce=
llpadding=3D"0">

<tr>
<td style=3D"font-family:Arial; font-size:12px; color:#666666;">
<table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
oldrop" align=3D"left">
<table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
">
<tr>
<td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
:bold;" align=3D"center">
<table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr align=3D"center">
<td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
:bold;">
<a style=3D"text-decoration:none; color:#666666;" href=3D"https://epl=2Epa=
ypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef14=
1110000021ef3a0bcc6/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"_blank"=
>Help</a></td>
<td width=3D"10"></td>
<td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
:bold;">
<a style=3D"text-decoration:none; color:#666666;" href=3D"https://epl=2Epa=
ypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef14=
1110000021ef3a0bcc7/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"_blank"=
>Contact</a></td>
<td width=3D"10"></td>
<td style=3D"font-family:Arial; font-size:13px; color:#666666; font-weight=
:bold;"><a style=3D"text-decoration:none; color:#666666;" href=3D"https://e=
pl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d=
12aef141110000021ef3a0bcc8/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"=
_blank">Security</a></td><td width=3D"10"></td>


</tr>
</table>

</td>

</tr>
</table>
</th>
</tr>
</table>
</td>
</tr>

</table>
</td>
</tr>
</table>
</td>
</tr>
<!-- Seperator -->
<tr>
<td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
if]--></td>
</tr>
<tr>
<td height=3D"1" bgcolor=3D"#d9d9d9" style=3D"font-size:1px;"><!--[if gt m=
so 14]> <![endif]--></td>
</tr>
<tr>
<td height=3D"1" bgcolor=3D"#FFFFFF" style=3D"font-size:1px;"><!--[if gt m=
so 14]> <![endif]--></td>
</tr>
<tr>
<td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
if]--></td>
</tr>
<!-- Seperator end-->
<tr>
<td valign=3D"middle" class=3D"" align=3D"left" style=3D"font-family:Arial=
; font-size:12px; color:#666666;">
<table bgcolor=3D"" width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadd=
ing=3D"0">


<tr>
<td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
enter" valign=3D"top">
<table class=3D"content" width=3D"642" border=3D"0" cellspacing=3D"0" cell=
padding=3D"0">

<tr>
<td style=3D"font-family:Arial; font-size:12px; color:#666666;">
<table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
oldrop" align=3D"left">
<table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
">
<tr>
<td style=3D"font-family:Arial; color:#666666;" align=3D"center">
<table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<td align=3D"left" style=3D"font-family:Arial; font-size:11px; color:#8c8c=
8c; font-weight:normal !important;">
<b>How do I know this is not a fake email?</b><br><br>
An email really coming from PayPal will address you by your first and last=
names or your business name=2E It will not ask you for sensitive informati=
on like your password, bank account or credit card details=2E Most fake ema=
ils threaten that your account will be in jeopardy if you do not take actio=
n immediately=2E An email that urgently requests you to supply sensitive pe=
rsonal information is usually an attempt at fraud=2E Also, fake emails ofte=
n contain misspellings and grammatical errors or are written in a language =
which you did not set as preferred for your PayPal account=2E Remember not =
to click any links in suspicious looking emails=2E
<br><br>
<a href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8=
822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc9/5ac10d12-aef1-4111-b057-9f4=
d47f20daa" target=3D"_blank" style=3D"color:#8c8c8c;">Click here to learn h=
ow to defend yourself against phishing and spoofing</a>=2E</td></tr>

</table>
</td>
</tr>
</table>
</th>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
<!-- Seperator -->
<tr>
<td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
if]--></td>
</tr>
<tr>
<td height=3D"1" bgcolor=3D"#d9d9d9" style=3D"font-size:1px;"><!--[if gt m=
so 14]> <![endif]--></td>
</tr>
<tr>
<td height=3D"1" bgcolor=3D"#FFFFFF" style=3D"font-size:1px;"><!--[if gt m=
so 14]> <![endif]--></td>
</tr>
<tr>
<td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
if]--></td>
</tr>
<!-- Seperator end -->
<tr>
<td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
enter" valign=3D"top">
<table class=3D"content" width=3D"642" border=3D"0" cellspacing=3D"0" cell=
padding=3D"0">
<tr>
<td style=3D"font-family:Arial; font-size:12px; color:#666666;">
<table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
oldrop" align=3D"left">
<table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
">
<tr>
<td style=3D"font-family:Arial; color:#666666;" align=3D"center">
<table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
<tr>
<td align=3D"left" style=3D"font-family:Arial; font-size:11px; color:#8c8c=
8c; font-weight:normal !important;">This email was sent to <a style=3D"colo=
r:#8c8c8c; text-decoration:none;" href=3D"mailto:"></a>=2E
<br>
<br>
Copyright (c) 1999-2017 PayPal=2E PayPal Pte=2E Ltd=2E Address: 5=
Temasek Boulevard #09-01, Suntec Tower 5, Singapore 038985=2E Registration=
number 200509725E=2E<br><br> Consumer advisory: PayPal Pte Ltd, the Holder=
of the PayPal(tm) payment stored value facility, does not require the a=
pproval of the Monetary Authority of Singapore=2E Consumers (users) are adv=
ised to read the terms and conditions carefully=2E</td></tr>

</table>
</td>
</tr>
</table>
</th>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
5"></td>
</tr>

</table>


<!-- footer -->


<img src=3D'https://epl=2Epaypal-communication=2Ecom/O/v20000015c53387d90b=
8822cf4bbc782e8/5ac10d12aef1411100004c5a42963aa1' style=3D"display:none; ma=
x-height: 0px; font-size: 0px; overflow: hidden; mso-hide: all"/></body>
</html>

-----Original Message-----
From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
Sent: 31 May 2017 09:06
To: ClamAV users ML <clamav-***@lists.clamav.net>
Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.

Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long-standing issue.

But I am a bit surprised that they haven't commented.

-Al-

On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>
> Hi,
>
> I did but never heard anything back unfortunately.
>
> We still had a lot of mail blocked on the 29/5 because of this issue.
>
> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>
> Thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
> Behalf Of Al Varnell
> Sent: 31 May 2017 05:05
> To: ClamAV users ML <clamav-***@lists.clamav.net>
> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>
> Most of the people that participate on this list are users and can't do anything but give you advice.
>
> Sent from Janet's iPad
>
> -Al-
>
> On May 19, 2017, at 9:14 AM, Outreach wrote:
>> Hi Ged,
>>
>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>
>> IPs: 142.54.244.[96-110]
>>
>> Domains:
>> mail.paypal.at
>> mail.paypal.be
>> mail.paypal.ch
>> mail.paypal.co.il
>> mail.paypal.co.uk
>> mail.paypal.de
>> mail.paypal.dk
>> mail.paypal.es
>> mail.paypal.fr
>> mail.paypal.it
>> mail.paypal.nl
>> mail.paypal.no
>> mail.paypal.pl
>> mail.paypal.se
>> mail.paypal.com
>>
>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>
>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>
>>
>> Many thanks,
>>
>>
>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>
>>
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>> From: "G.W. Haywood"
>> To: clamav-***@lists.clamav.net
>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>> phishing by ClamAv
>> Message-ID:
>> <***@mail6.jubileegroup.co.uk>
>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>
>> Hi there,
>>
>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>
>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>
>> No surprise there.
>>
>>> We get this type of bounce errors:
>>> 554 Your email was rejected because it contains the
>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>
>> That's not a bounce, it's a reject.
>>
>>> Please make the necessary changes to your product ASAP.
>>
>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>
>> 8<----------------------------------------------------------------------
>> [lefttrianglebracket]
>> img height="1"
>> width="1"
>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>> border="0"
>> alt=""/
>> [righttrianglebracket]
>> 8<----------------------------------------------------------------------
>>
>> The mail did pass our SPF checks on receipt:
>>
>> 8<----------------------------------------------------------------------
>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>> 173.0.84.226 as permitted sender) receiver=mail5;
>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>> envelope-from=***@paypal.co.uk;
>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>> 8<----------------------------------------------------------------------
>>
>> but then it went in the bin.
>>
>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>
>> I don't suppose you'll actually read this.
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
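The heuristic the thread is arguing about, Heuristics.Phishing.Email.SpoofedDomain, fires when a link's visible text names one domain while its href points at another, which is exactly what the pasted source does where the text reads www.paypal.com and the href goes to epl.paypal-communication.com. The Python below is an added illustration, not ClamAV's code: it decodes a constructed quoted-printable fragment modelled on that link, compares the displayed domain with the real one, and shows how an allow-list pair (standing in for the kind of whitelist entry Al refers to; ClamAV's actual file format is not reproduced) suppresses the match. The tracking path and the tiny public-suffix table are assumptions.

```python
"""Illustrative 'spoofed domain' link check (added example, not ClamAV code).

Decodes a quoted-printable HTML fragment, extracts <a href>...</a> pairs and
flags anchors whose visible text names a domain that differs from the domain
the href really points to.  An optional allow-list of (real, displayed) domain
pairs stands in for the kind of whitelist entry discussed on the list.
"""
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the pasted PayPal source: one link's text
# reads "www.paypal.com" while its href goes to the click-tracking host
# epl.paypal-communication.com.  The tracking path is a placeholder, and the
# fragment keeps the quoted-printable encoding (=3D, =2E, soft breaks "=\n").
SAMPLE_QP = b"""\
<td>We've put details of the changes on our <a style=3D"color:#009cde;" href=
=3D"https://epl=2Epaypal-communication=2Ecom/T/TRACKING-ID-PLACEHOLDER">Poli=
cy Update web page</a> - you can also find the page at <a href=3D"https://e=
pl=2Epaypal-communication=2Ecom/T/TRACKING-ID-PLACEHOLDER">www=2Epaypal=2Ecom=
</a>, or directly at <a href=3D"https://www=2Epaypal=2Ecom/">www=2Epaypal=2Ec=
om</a>.</td>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in the document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that makes a claim about where the link goes: a bare hostname
# or URL such as "www.paypal.com", not a label like "Help" or "Click here".
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.I)

# Assumption: a tiny stand-in for a public-suffix list so that
# "mail.paypal.co.uk" reduces to "paypal.co.uk" rather than "co.uk".
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host):
    """Reduce a hostname to the domain a reader would take it to belong to."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_spoofed_links(qp_html, allow=frozenset()):
    """Return the anchors whose displayed domain differs from the href domain.

    allow holds (real_domain, displayed_domain) pairs that are known to be
    legitimate (e.g. a brand's own click-tracking host) and are not reported.
    """
    html = quopri.decodestring(qp_html).decode("utf-8", errors="replace")
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        m = HOSTLIKE.match(text)
        if not m:
            continue  # plain label text carries no domain claim
        real_host = urlsplit(href).hostname or ""
        displayed, real = registrable_domain(m.group(1)), registrable_domain(real_host)
        if displayed == real or (real, displayed) in allow:
            continue
        findings.append({
            "displayed": text,
            "displayed_domain": displayed,
            "real_host": real_host,
            "real_domain": real,
        })
    return findings


if __name__ == "__main__":
    for f in find_spoofed_links(SAMPLE_QP):
        print(f"text {f['displayed']!r} claims {f['displayed_domain']} "
              f"but href goes to {f['real_host']}")
    # With the tracking host allowed for this brand, the same fragment is clean.
    print(find_spoofed_links(SAMPLE_QP, allow={("paypal-communication.com", "paypal.com")}))
```

The first link ("Policy Update web page") is never reported, because its text makes no domain claim; only the anchor whose text says www.paypal.com but resolves to the tracking host is flagged.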
Al Varnell
2017-05-31 09:08:31 UTC
It's past my bedtime, the source has been corrupted with too many =3D, =2E, HEX codes, and without the headers, I can't run it through debug, but a quick check of the whitelist doesn't seem to include:
https://epl.paypal-communication.com.

I see:
paypal-marketing
app.paypal-now.com
www.paypal-gifts.com

for a handful of the domains you listed.

-Al-

On Wed, May 31, 2017 at 01:16 AM, ***@epsilon.com wrote:
>
> Hi Al,
>
> I'm including below the source of an email that was rejected recently. Could you please point out exactly what you feel is the issue with the links?
>
> Many thanks,
>
> Anne-Sophie
>
>
> pl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d=
> 12aef141110000021ef3a0bcc8/5ac10d12-aef1-4111-b057-9f4d47f20daa" target=3D"=
> _blank">Security</a></td><td width=3D"10"></td>
>
>
> </tr>
> </table>
>
> </td>
>
> </tr>
> </table>
> </th>
> </tr>
> </table>
> </td>
> </tr>
>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> <!-- Seperator -->
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#d9d9d9" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#FFFFFF" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <!-- Seperator end-->
> <tr>
> <td valign=3D"middle" class=3D"" align=3D"left" style=3D"font-family:Arial=
> ; font-size:12px; color:#666666;">
> <table bgcolor=3D"" width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadd=
> ing=3D"0">
>
>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
> enter" valign=3D"top">
> <table class=3D"content" width=3D"642" border=3D"0" cellspacing=3D"0" cell=
> padding=3D"0">
>
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
> oldrop" align=3D"left">
> <table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
> ">
> <tr>
> <td style=3D"font-family:Arial; color:#666666;" align=3D"center">
> <table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:11px; color:#8c8c=
> 8c; font-weight:normal !important;">
> <b>How do I know this is not a fake email?</b><br><br>
> An email really coming from PayPal will address you by your first and last=
> names or your business name=2E It will not ask you for sensitive informati=
> on like your password, bank account or credit card details=2E Most fake ema=
> ils threaten that your account will be in jeopardy if you do not take actio=
> n immediately=2E An email that urgently requests you to supply sensitive pe=
> rsonal information is usually an attempt at fraud=2E Also, fake emails ofte=
> n contain misspellings and grammatical errors or are written in a language =
> which you did not set as preferred for your PayPal account=2E Remember not =
> to click any links in suspicious looking emails=2E
> <br><br>
> <a href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8=
> 822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc9/5ac10d12-aef1-4111-b057-9f4=
> d47f20daa" target=3D"_blank" style=3D"color:#8c8c8c;">Click here to learn h=
> ow to defend yourself against phishing and spoofing</a>=2E</td></tr>
>
> </table>
> </td>
> </tr>
> </table>
> </th>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> <!-- Seperator -->
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#d9d9d9" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"1" bgcolor=3D"#FFFFFF" style=3D"font-size:1px;"><!--[if gt m=
> so 14]> <![endif]--></td>
> </tr>
> <tr>
> <td height=3D"15" style=3D"font-size:1px;"><!--[if gt mso 14]> <![end=
> if]--></td>
> </tr>
> <!-- Seperator end -->
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;" align=3D"c=
> enter" valign=3D"top">
> <table class=3D"content" width=3D"642" border=3D"0" cellspacing=3D"0" cell=
> padding=3D"0">
> <tr>
> <td style=3D"font-family:Arial; font-size:12px; color:#666666;">
> <table width=3D"100%" border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <th style=3D"font-family:Arial; font-size:12px; color:#666666;" class=3D"c=
> oldrop" align=3D"left">
> <table class=3D"container" border=3D"0" cellspacing=3D"0" cellpadding=3D"0=
> ">
> <tr>
> <td style=3D"font-family:Arial; color:#666666;" align=3D"center">
> <table border=3D"0" cellspacing=3D"0" cellpadding=3D"0">
> <tr>
> <td align=3D"left" style=3D"font-family:Arial; font-size:11px; color:#8c8c=
> 8c; font-weight:normal !important;">This email was sent to <a style=3D"colo=
> r:#8c8c8c; text-decoration:none;" href=3D"mailto:"></a>=2E
> <br>
> <br>
> Copyright (c) 1999-2017 PayPal=2E PayPal Pte=2E Ltd=2E Address: 5=
> Temasek Boulevard #09-01, Suntec Tower 5, Singapore 038985=2E Registration=
> number 200509725E=2E<br><br> Consumer advisory: PayPal Pte Ltd, the Holder=
> of the PayPal(tm) payment stored value facility, does not require the a=
> pproval of the Monetary Authority of Singapore=2E Consumers (users) are adv=
> ised to read the terms and conditions carefully=2E</td></tr>
>
> </table>
> </td>
> </tr>
> </table>
> </th>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> </table>
> </td>
> </tr>
> <tr>
> <td style=3D"font-family:Arial; font-size:1px; color:#666666;" height=3D"1=
> 5"></td>
> </tr>
>
> </table>
>
>
> <!-- footer -->
>
>
> <img src=3D'https://epl=2Epaypal-communication=2Ecom/O/v20000015c53387d90b=
> 8822cf4bbc782e8/5ac10d12aef1411100004c5a42963aa1' style=3D"display:none; ma=
> x-height: 0px; font-size: 0px; overflow: hidden; mso-hide: all"/></body>
> </html>
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
> Sent: 31 May 2017 09:06
> To: ClamAV users ML <clamav-***@lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>
> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>
> But I am a bit surprised that they haven't commented.
>
> -Al-
>
> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>
>> Hi,
>>
>> I did but never heard anything back unfortunately.
>>
>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>
>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>
>> Thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>> Behalf Of Al Varnell
>> Sent: 31 May 2017 05:05
>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>>
>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On May 19, 2017, at 9:14 AM, "Outreach" wrote:
>>> Hi Ged,
>>>
>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>
>>> IPs: 142.54.244.[96-110]
>>>
>>> Domains:
>>> mail.paypal.at
>>> mail.paypal.be
>>> mail.paypal.ch
>>> mail.paypal.co.il
>>> mail.paypal.co.uk
>>> mail.paypal.de
>>> mail.paypal.dk
>>> mail.paypal.es
>>> mail.paypal.fr
>>> mail.paypal.it
>>> mail.paypal.nl
>>> mail.paypal.no
>>> mail.paypal.pl
>>> mail.paypal.se
>>> mail.paypal.com
>>>
>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>
>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>
>>>
>>> Many thanks,
>>>
>>>
>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>> From: "G.W. Haywood"
>>> To: clamav-***@lists.clamav.net
>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>> phishing by ClamAv
>>> Message-ID:
>>> <***@mail6.jubileegroup.co.uk>
>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>
>>> Hi there,
>>>
>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>
>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>
>>> No surprise there.
>>>
>>>> We get this type of bounce errors:
>>>> 554 Your email was rejected because it contains the
>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>
>>> That's not a bounce, it's a reject.
>>>
>>>> Please make the necessary changes to your product ASAP.
>>>
>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>
>>> 8<----------------------------------------------------------------------
>>> [lefttrianglebracket]
>>> img height="1"
>>> width="1"
>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>> border="0"
>>> alt=""/
>>> [righttrianglebracket]
>>> 8<----------------------------------------------------------------------
>>>
>>> The mail did pass our SPF checks on receipt:
>>>
>>> 8<----------------------------------------------------------------------
>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>> envelope-from=***@paypal.co.uk;
>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>> 8<----------------------------------------------------------------------
>>>
>>> but then it went in the bin.
>>>
>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>
>>> I don't suppose you'll actually read this.
> _______________________________________________
> clamav-users mailing list
> clamav-***@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA
O***@epsilon.com
2017-05-31 09:05:45 UTC
Permalink
Hi Al,

Could you please confirm exactly what issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:

<a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde; text-decoration:none; font-weight:bold;" href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">
<a href=3D= "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa" = target=3D"_blank">

This is an example of their images URL:
<img style=3D"display:block; border= :none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/1111_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>

Many thanks,

Anne-Sophie

Al Varnell
2017-05-31 10:38:06 UTC
Permalink
OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:

> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

-Al-
--
Al Varnell
Mountain View, CA
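The debug trace above shows what the heuristic actually compares: the host behind the href (epl.paypal-communication.com) against the host in the link's visible text (www.paypal.com), with a whitelist lookup in between. The Python below is an added example written for this thread, not ClamAV's own code; it approximates that comparison and the whitelist lookup, using the M:/X: line shape of ClamAV's .wdb whitelist files (M: a real-host/displayed-host pair, X: a pair of regexes), so the effect of a whitelist entry can be tried offline. The HTML snippet, the whitelist entries and the convention of matching the X regexes against scheme-less URLs are all constructed for the example.

```python
"""Added example (not ClamAV's code): an approximation of the comparison behind
Heuristics.Phishing.Email.SpoofedDomain. For each <a> whose visible text is
itself a URL, the host of the real href is compared with the host of the
displayed URL; a mismatch no whitelist entry covers is reported. Whitelist
syntax mirrors ClamAV's .wdb files: "M:realhost:displayedhost" and
"X:realregex:displayedregex" (X regexes are matched against scheme-less URLs).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the thread: a tracking-redirect href shown as
# www.paypal.com, a consistent PayPal link, and a link with plain-word text.
SAMPLE_HTML = """
<a href="https://epl.paypal-communication.com/T/v2000/5ac10d12">www.paypal.com</a>
<a href="https://www.paypal.com/myaccount/">https://www.paypal.com/myaccount/</a>
<a href="https://epl.paypal-communication.com/T/v2000/5ac10d13">See the Policy Update Page</a>
"""

# Hypothetical whitelist entries in .wdb syntax; ClamAV ships no such entry.
SAMPLE_WDB = r"""
# M: real host : displayed host
M:epl.paypal-communication.com:www.paypal.com
# X: real URL regex : displayed URL regex
X:([a-z0-9-]+\.)*paypal-communication\.com/.*:([a-z0-9-]+\.)*paypal\.com(/.*)?
"""

_URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True when anchor text reads as a URL or bare hostname (what gets compared)."""
    return bool(_URL_LIKE.match(text.strip()))


def host_of(url):
    """Lower-cased hostname of a URL or bare hostname."""
    if not _SCHEME.match(url):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def parse_wdb(text):
    """Parse M: and X: whitelist lines; comments and blank lines are skipped."""
    host_pairs, regex_pairs = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, real, displayed = line.split(":", 2)
        if kind == "M":
            host_pairs.add((real.lower(), displayed.lower()))
        elif kind == "X":
            regex_pairs.append((re.compile(real, re.I), re.compile(displayed, re.I)))
    return host_pairs, regex_pairs


def check_links(html, wdb_text=""):
    """Return (real_host, displayed_host) pairs that would trip SpoofedDomain."""
    host_pairs, regex_pairs = parse_wdb(wdb_text)
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not looks_like_url(text):
            continue  # plain words as link text: nothing to compare
        real_host, shown_host = host_of(href), host_of(text)
        if real_host == shown_host or (real_host, shown_host) in host_pairs:
            continue
        real_bare, shown_bare = _SCHEME.sub("", href), _SCHEME.sub("", text)
        if any(r.fullmatch(real_bare) and d.fullmatch(shown_bare) for r, d in regex_pairs):
            continue
        flagged.append((real_host, shown_host))
    return flagged


if __name__ == "__main__":
    print("no whitelist:  ", check_links(SAMPLE_HTML))
    print("with whitelist:", check_links(SAMPLE_HTML, SAMPLE_WDB))
```

Run as-is, the first call reports the epl.paypal-communication.com / www.paypal.com pair and the second reports nothing. On a real ClamAV host the M: or X: line goes into a file with a .wdb extension in the database directory (DatabaseDirectory in clamd.conf, the directory freshclam writes to), which clamscan and clamd load alongside the official signatures; clamd picks it up on its next database self-check or on restart. Turning the heuristic off altogether with `--phishing-scan-urls=no` on clamscan (`PhishingScanURLs no` in clamd.conf) is the blunter alternative. Two caveats: ClamAV's own check has more branches than this (similar-domain scoring, cloaked hosts, SSL mismatch), so the example reproduces only the exact-host mismatch visible in the trace; and the check is purely content-based, so an SPF or DKIM pass on the message has no bearing on it.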
Joel Esler (jesler)
2017-05-31 10:41:24 UTC
Permalink
So is it us that needs to adjust our software for something that PayPal is doing? Or should PayPal adjust what they are doing?

--
Sent from my iPhone

> On May 31, 2017, at 06:38, Al Varnell <***@mac.com> wrote:
>
> OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:
>
>> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
>> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
>> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>
> -Al-
>
>> On Wed, May 31, 2017 at 02:05 AM, ***@epsilon.com wrote:
>>
>> Hi Al,
>>
>> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:
>>
>> <a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde; text-decoration:none; font-weight:bold;" href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">
>> <a href=3D= "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d47f20daa" = target=3D"_blank">
>>
>> This is an example of their images URL:
>> <img style=3D"display:block; border= :none;" src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/1111_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>
>>
>> Many thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
>> Sent: 31 May 2017 09:06
>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>>
>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>>
>> But I am a bit surprised that they haven't commented.
>>
>> -Al-
>>
>>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>>
>>> Hi,
>>>
>>> I did but never heard anything back unfortunately.
>>>
>>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>>
>>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>>
>>> Thanks,
>>>
>>> Anne-Sophie
>>>
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>>> Behalf Of Al Varnell
>>> Sent: 31 May 2017 05:05
>>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>>
>>> Did I you ever submit those samples as I recommended. It's unlikely that any action will be taken until you do.
>>>
>>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>>
>>> Sent from Janet's iPad
>>>
>>> -Al-
>>>
>>>> On May 19, 2017, at 9:14 AM, "Outreach wrote:
>>>> Hi Ged,
>>>>
>>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>>
>>>> IPs: 142.54.244.[96-110]
>>>>
>>>> Domains:
>>>> mail.paypal.at
>>>> mail.paypal.be
>>>> mail.paypal.ch
>>>> mail.paypal.co.il
>>>> mail.paypal.co.uk
>>>> mail.paypal.de
>>>> mail.paypal.dk
>>>> mail.paypal.es
>>>> mail.paypal.fr
>>>> mail.paypal.it
>>>> mail.paypal.nl
>>>> mail.paypal.no
>>>> mail.paypal.pl
>>>> mail.paypal.se
>>>> mail.paypal.com
>>>>
>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>>
>>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>>
>>>>
>>>> Many thanks,
>>>>
>>>>
>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>>
>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> -
>>>>
>>>> Message: 1
>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>> From: "G.W. Haywood"
>>>> To: clamav-***@lists.clamav.net
>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>> phishing by ClamAv
>>>> Message-ID:
>>>> <***@mail6.jubileegroup.co.uk>
>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>>
>>>> Hi there,
>>>>
>>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>>>
>>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>>
>>>> No surprise there.
>>>>
>>>>> We get this type of bounce erros:
>>>>> 554 Your email was rejected because it contains the
>>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>>
>>>> That's not a bounce, it's a reject.
>>>>
>>>>> Please make the necessary changes to your product ASAP.
>>>>
>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>>
>>>> 8<-------------------------------------------------------------------
>>>> -
>>>> --
>>>> [lefttrianglebracket]
>>>> img height="1"
>>>> width="1"
>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>>> border="0"
>>>> alt=""/
>>>> [righttrianglebracket]
>>>> 8<-------------------------------------------------------------------
>>>> -
>>>> --
>>>>
>>>> The mail did pass our SPF checks on receipt:
>>>>
>>>> 8<-------------------------------------------------------------------
>>>> -
>>>> --
>>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>>> envelope-from=***@paypal.co.uk;
>>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>> 8<----------------------------------------------------------------------
>>>>
>>>> but then it went in the bin.
>>>>
>>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>>
>>>> I don't suppose you'll actually read this.
>> _______________________________________________
>> clamav-users mailing list
>> clamav-***@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
Reindl Harald
2017-05-31 11:02:17 UTC
Permalink
Am 31.05.2017 um 12:41 schrieb Joel Esler (jesler):
> So is it us that needs to adjust our software for something that PayPal is doing? Or should PayPal adjust what they are doing?

you need to adjust when you pretend something is phishing while it's
legit, which can be verified by SPF/DKIM; that clamav has no way to
verify SPF is no excuse, it proves only that it's wrong

> Sent from my iPhone
>
>> On May 31, 2017, at 06:38, Al Varnell <***@mac.com> wrote:
>>
>> OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:
>>
>>> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
>>> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
>>> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

O***@epsilon.com
2017-05-31 10:51:44 UTC
Permalink
Hi Al,

Thank you for your help with this, it's appreciated.

Not being a ClamAv user myself, this doesn't make much sense to me though. Could someone please confirm what this issue is in clear terms?

Thanks,

Anne-Sophie

-----Original Message-----
From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
Sent: 31 May 2017 11:38
To: ClamAV users ML <clamav-***@lists.clamav.net>
Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:

> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
> LibClamAV debug: Lookup result: not in regex list
> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain

-Al-

On Wed, May 31, 2017 at 02:05 AM, ***@epsilon.com wrote:
>
> Hi Al,
>
> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:
>
> <a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde;
> text-decoration:none; font-weight:bold;"
> href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b
> 8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b0
> 57-9f4d47f20daa"> <a href=3D=
> "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4
> bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d
> 47f20daa" = target=3D"_blank">
>
> This is an example of their images URL:
> <img style=3D"display:block; border= :none;"
> src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/11
> 11_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>
>
> Many thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
> Behalf Of Al Varnell
> Sent: 31 May 2017 09:06
> To: ClamAV users ML <clamav-***@lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>
> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>
> But I am a bit surprised that they haven't commented.
>
> -Al-
>
> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>
>> Hi,
>>
>> I did but never heard anything back unfortunately.
>>
>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>
>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>
>> Thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>> Behalf Of Al Varnell
>> Sent: 31 May 2017 05:05
>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>>
>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On May 19, 2017, at 9:14 AM, "Outreach" wrote:
>>> Hi Ged,
>>>
>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>
>>> IPs: 142.54.244.[96-110]
>>>
>>> Domains:
>>> mail.paypal.at
>>> mail.paypal.be
>>> mail.paypal.ch
>>> mail.paypal.co.il
>>> mail.paypal.co.uk
>>> mail.paypal.de
>>> mail.paypal.dk
>>> mail.paypal.es
>>> mail.paypal.fr
>>> mail.paypal.it
>>> mail.paypal.nl
>>> mail.paypal.no
>>> mail.paypal.pl
>>> mail.paypal.se
>>> mail.paypal.com
>>>
>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>
>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>
>>>
>>> Many thanks,
>>>
>>>
>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>> From: "G.W. Haywood"
>>> To: clamav-***@lists.clamav.net
>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>> phishing by ClamAv
>>> Message-ID:
>>> <***@mail6.jubileegroup.co.uk>
>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>
>>> Hi there,
>>>
>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>
>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>
>>> No surprise there.
>>>
>>>> We get this type of bounce errors:
>>>> 554 Your email was rejected because it contains the
>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>
>>> That's not a bounce, it's a reject.
>>>
>>>> Please make the necessary changes to your product ASAP.
>>>
>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>
>>> 8<----------------------------------------------------------------------
>>> [lefttrianglebracket]
>>> img height="1"
>>> width="1"
>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>> border="0"
>>> alt=""/
>>> [righttrianglebracket]
>>> 8<----------------------------------------------------------------------
>>>
>>> The mail did pass our SPF checks on receipt:
>>>
>>> 8<----------------------------------------------------------------------
>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>> envelope-from=***@paypal.co.uk;
>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>> 8<----------------------------------------------------------------------
>>>
>>> but then it went in the bin.
>>>
>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>
>>> I don't suppose you'll actually read this.

-Al-
--
Al Varnell
Mountain View, CA




Al Varnell
2017-05-31 22:02:32 UTC
Permalink
Most of your links check out clean. The one that was found to be Possibly Unwanted was this one, apparently regarding Legal Agreements:

> <tr>
> <td align="left" style="font-family:Arial; font-size:13px; color:#666666;">We're changing our Legal Agreements. We wanted to check it&#8217;s OK with you.<br><br> We're making some changes to our Legal Agreements; the documents that govern our relationship with you. We've put details of the changes on our <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">Policy Update web page</a> - you can also find the page at <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/5ac10d12-aef1-4111-b057-9f4d47f20daa">www.paypal.com</a>, by clicking 'Legal&#8217; at the bottom of the page, selecting "Other countries (in English)" from the drop-down menu and then selecting 'Policy Updates&#8217;.</td>
> </tr>


The text shown to the user is www.paypal.com but the actual URL being used is https://epl.paypal-communication.com....

If I was to receive this e-mail and wanted to access these new Legal Agreements I would hover over www.paypal.com, see that I was being directed elsewhere and almost certainly conclude that this was a phishing or spam message. I almost never click a link in an e-mail anyway and advise everybody I know not to do so, but instead use my browser to access a firm like PayPal directly, then check whatever it is the message wants me to know.

I'm not sure what would cause PayPal to substitute a different URL in this case. Perhaps some sort of tracking mechanism? In any case, I find such behavior very suspicious. I receive spam/phish mail daily that purports to be from a financial institution out to steal my credentials, credit card or bank account information and many of them pretend to be from PayPal. I'm sure I can purchase a domain of "palpal-message.com" to do just that if I wanted to. I don't even have any proof that you are a legitimate PayPal representative and may be here trying to prevent A-V software from blocking your phishing messages.

At any rate, I would strongly recommend you use "https://www.paypal.com" for this link as the safest, most appropriate fix for you, PayPal and message recipients. If that's not acceptable, then work with Joel Esler <***@cisco.com> from Cisco and convince him that you have a legitimate need to have them whitelist paypal-communication.com.

-Al-

On Wed, May 31, 2017 at 03:51 AM, ***@epsilon.com wrote:
>
> Hi Al,
>
> Thank you for your help with this, it's appreciated.
>
> Not being a ClamAv user myself, this doesn't make much sense to me though. Could someone please confirm what this issue is in clear terms?
>
> Thanks,
>
> Anne-Sophie
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
> Sent: 31 May 2017 11:38
> To: ClamAV users ML <clamav-***@lists.clamav.net>
> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>
> OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:
>
>> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
>> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
>> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
>> LibClamAV debug: Lookup result: not in regex list
>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>
> -Al-
>
> On Wed, May 31, 2017 at 02:05 AM, ***@epsilon.com wrote:
>>
>> Hi Al,
>>
>> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:
>>
>> <a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde;
>> text-decoration:none; font-weight:bold;"
>> href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b
>> 8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b0
>> 57-9f4d47f20daa"> <a href=3D=
>> "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4
>> bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d
>> 47f20daa" = target=3D"_blank">
>>
>> This is an example of their images URL:
>> <img style=3D"display:block; border= :none;"
>> src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/11
>> 11_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>
>>
>> Many thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>> Behalf Of Al Varnell
>> Sent: 31 May 2017 09:06
>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>>
>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>>
>> But I am a bit surprised that they haven't commented.
>>
>> -Al-
>>
>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>>
>>> Hi,
>>>
>>> I did but never heard anything back unfortunately.
>>>
>>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>>
>>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>>
>>> Thanks,
>>>
>>> Anne-Sophie
>>>
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>>> Behalf Of Al Varnell
>>> Sent: 31 May 2017 05:05
>>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>>
>>> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>>>
>>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>>
>>> Sent from Janet's iPad
>>>
>>> -Al-
>>>
>>> On May 19, 2017, at 9:14 AM, "Outreach" wrote:
>>>> Hi Ged,
>>>>
>>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>>
>>>> IPs: 142.54.244.[96-110]
>>>>
>>>> Domains:
>>>> mail.paypal.at
>>>> mail.paypal.be
>>>> mail.paypal.ch
>>>> mail.paypal.co.il
>>>> mail.paypal.co.uk
>>>> mail.paypal.de
>>>> mail.paypal.dk
>>>> mail.paypal.es
>>>> mail.paypal.fr
>>>> mail.paypal.it
>>>> mail.paypal.nl
>>>> mail.paypal.no
>>>> mail.paypal.pl
>>>> mail.paypal.se
>>>> mail.paypal.com
>>>>
>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>>
>>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>>
>>>>
>>>> Many thanks,
>>>>
>>>>
>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>>
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>> From: "G.W. Haywood"
>>>> To: clamav-***@lists.clamav.net
>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>> phishing by ClamAv
>>>> Message-ID:
>>>> <***@mail6.jubileegroup.co.uk>
>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>>
>>>> Hi there,
>>>>
>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>>
>>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>>
>>>> No surprise there.
>>>>
>>>>> We get this type of bounce errors:
>>>>> 554 Your email was rejected because it contains the
>>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>>
>>>> That's not a bounce, it's a reject.
>>>>
>>>>> Please make the necessary changes to your product ASAP.
>>>>
>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>>
>>>> 8<----------------------------------------------------------------------
>>>> [lefttrianglebracket]
>>>> img height="1"
>>>> width="1"
>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>>> border="0"
>>>> alt=""/
>>>> [righttrianglebracket]
>>>> 8<----------------------------------------------------------------------
>>>>
>>>> The mail did pass our SPF checks on receipt:
>>>>
>>>> 8<----------------------------------------------------------------------
>>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>>> envelope-from=***@paypal.co.uk;
>>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>> 8<----------------------------------------------------------------------
>>>>
>>>> but then it went in the bin.
>>>>
>>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>>
>>>> I don't suppose you'll actually read this.
>
> -Al-

-Al-
--
Al Varnell
Mountain View, CA
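The check Al describes above (visible anchor text naming one host, href leading to another) is what ClamAV's SpoofedDomain heuristic is about. The following is an added example written for this thread, not ClamAV's own code: it extracts every anchor from an HTML body, treats anchor text that looks like a host name or URL as the "displayed" host, compares it with the href's real host, and reports mismatches unless the (real host, displayed host) pair is whitelisted, in the same order the debug output above uses. ClamAV keeps such pairs in its .wdb database; the in-memory set here is a simplification. The sample HTML is trimmed from the anchor Al quoted, and `FIXED` shows the link rewritten the way he recommends.

```python
"""Minimal analogue of ClamAV's Heuristics.Phishing.Email.SpoofedDomain check.
Added example for this thread; not ClamAV's implementation."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text a reader would take for an address: optional scheme, a dotted
# host name, and optionally a path/query/fragment.  Ordinary prose does not match.
_DISPLAYED_HOST = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#].*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible text), ...] for all anchors in the HTML."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def displayed_host(text):
    """Host named by the anchor text, or None when the text is ordinary prose."""
    match = _DISPLAYED_HOST.match(text)
    return match.group(1).lower() if match else None


def real_host(href):
    """Host the anchor actually leads to (None for mailto: and the like)."""
    host = urlsplit(href).hostname
    return host.lower() if host else None


def check_links(html, whitelist=frozenset()):
    """Return (displayed_host, real_host) pairs that look spoofed.

    whitelist holds (real_host, displayed_host) tuples, the order ClamAV's
    debug output uses ("real:displayed"); a listed pair is not reported."""
    findings = []
    for href, text in extract_links(html):
        shown, real = displayed_host(text), real_host(href)
        if shown is None or real is None or shown == real:
            continue  # heuristic does not apply, or text and target agree
        if (real, shown) in whitelist:
            continue
        findings.append((shown, real))
    return findings


# Trimmed from the anchor quoted above; the tracking URLs are the ones in the message.
SAMPLE = (
    '<td>Details are on our <a href="https://epl.paypal-communication.com/T/'
    'v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/'
    '5ac10d12-aef1-4111-b057-9f4d47f20daa">Policy Update web page</a>'
    ' - you can also find the page at <a href="https://epl.paypal-communication.com/T/'
    'v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/'
    '5ac10d12-aef1-4111-b057-9f4d47f20daa">www.paypal.com</a>,'
    " by clicking 'Legal&#8217; at the bottom of the page.</td>"
)

# The same link with the fix Al recommends: text and target name the same host.
FIXED = '... find the page at <a href="https://www.paypal.com/">www.paypal.com</a>.'

if __name__ == "__main__":
    print(check_links(SAMPLE))  # [('www.paypal.com', 'epl.paypal-communication.com')]
    print(check_links(FIXED))   # []
```

Only the second anchor is reported: "Policy Update web page" is prose, so the heuristic does not apply to it, which matches Al's observation that the other links checked out clean. Passing `whitelist={('epl.paypal-communication.com', 'www.paypal.com')}` silences the finding, which is the effect of the whitelist entry the debug output above looked for and did not find.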
Al Varnell
2017-06-01 01:04:15 UTC
Permalink
I made an attempt to determine whether epl.paypal-communication.com was a legitimate domain owned by PayPal with very mixed results.

No WhoIs service could identify it directly, but ARIN was able to determine that the IP address 159.127.187.100 belongs to Epsilon Data Management LLC (PSI1), which does not match the owner of paypal.com (PayPal, Inc.).

A lengthy discussion on the PayPal site back in February
<https://www.paypal-community.com/t5/Access-and-security/epl-paypal-communication-com/td-p/1164823>
isn't much help, with reports from PayPal security that it isn't a legitimate PayPal message but evidence that the https certificates were issued by the same entity.

So at this point I see no reason for ClamAV to do anything about the matter.

-Al-

On Wed, May 31, 2017 at 03:02 PM, Al Varnell wrote:
>
> Most of your links check out clean. The one that was found to be Possibly Unwanted was this one, apparently regarding Legal Agreements:
>
>> <tr>
>> <td align="left" style="font-family:Arial; font-size:13px; color:#666666;">We're changing our Legal Agreements. We wanted to check it&#8217;s OK with you.<br><br> We're making some changes to our Legal Agreements; the documents that govern our relationship with you. We've put details of the changes on our <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b057-9f4d47f20daa">Policy Update web page</a> - you can also find the page at <a style="font-family:Arial; font-size:13px; color:#009cde; text-decoration:none; font-weight:bold;" href="https://epl.paypal-communication.com/T/v20000015c53387d90b8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc4/5ac10d12-aef1-4111-b057-9f4d47f20daa">www.paypal.com</a>, by clicking 'Legal&#8217; at the bottom of the page, selecting "Other countries (in English)" from the drop-down menu and then selecting 'Policy Updates&#8217;.</td>
>> </tr>
>
>
> The text shown to the user is www.paypal.com but the actual URL being used is https://epl.paypal-communication.com....
>
> If I was to receive this e-mail and wanted to access these new Legal Agreements I would hover over www.paypal.com, see that I was being directed elsewhere and almost certainly conclude that this was a phishing or spam message. I almost never click a link in an e-mail anyway and advise everybody I know not to do so, but instead use my browser to access a firm like PayPal directly, then check whatever it is the message wants me to know.
>
> I'm not sure what would cause PayPal to substitute a different URL in this case. Perhaps some sort of tracking mechanism? In any case, I find such behavior very suspicious. I receive spam/phish mail daily that purports to be from a financial institution out to steal my credentials, credit card or bank account information and many of them pretend to be from PayPal. I'm sure I can purchase a domain of "palpal-message.com" to do just that if I wanted to. I don't even have any proof that you are a legitimate PayPal representative and may be here trying to prevent A-V software from blocking your phishing messages.
>
> At any rate, I would strongly recommend you use "https://www.paypal.com" for this link as the safest, most appropriate fix for you, PayPal and message recipients. If that's not acceptable, then work with Joel Esler <***@cisco.com> from Cisco and convince him that you have a legitimate need to have them whitelist paypal-communication.com.
>
> -Al-
>
> On Wed, May 31, 2017 at 03:51 AM, ***@epsilon.com wrote:
>>
>> Hi Al,
>>
>> Thank you for your help with this, it's appreciated.
>>
>> Not being a ClamAv user myself, this doesn't make much sense to me though. Could someone please confirm what this issue is in clear terms?
>>
>> Thanks,
>>
>> Anne-Sophie
>>
>> -----Original Message-----
>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On Behalf Of Al Varnell
>> Sent: 31 May 2017 11:38
>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>
>> OK, I managed to clean it up enough and added a fake header so I could run clamscan --debug and it confirmed my suspicions:
>>
>>> LibClamAV debug: Phishcheck:host:.epl.paypal-communication.com
>>> LibClamAV debug: Phishing: looking up in whitelist: .epl.paypal-communication.com:.www.paypal.com; host-only:1
>>> LibClamAV debug: Looking up in regex_list: epl.paypal-communication.com:www.paypal.com/
>>> LibClamAV debug: Lookup result: not in regex list
>>> LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>>> LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>>
>> -Al-
>>
>> On Wed, May 31, 2017 at 02:05 AM, ***@epsilon.com wrote:
>>>
>>> Hi Al,
>>>
>>> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking. Here are two examples:
>>>
>>> <a style=3D"font-family:Arial; font-siz= e:13px; color:#009cde;
>>> text-decoration:none; font-weight:bold;"
>>> href=3D"https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b
>>> 8822cf4bbc782e8/5ac10d12aef141110000021ef3a0bcc3/5ac10d12-aef1-4111-b0
>>> 57-9f4d47f20daa"> <a href=3D=
>>> "https://epl=2Epaypal-communication=2Ecom/T/v20000015c53387d90b8822cf4
>>> bbc782e8/5ac10d12aef141110000021ef3a0bcc2/5ac10d12-aef1-4111-b057-9f4d
>>> 47f20daa" = target=3D"_blank">
>>>
>>> This is an example of their images URL:
>>> <img style=3D"display:block; border= :none;"
>>> src=3D"https://www=2Epaypalobjects=2Ecom/digitalassets/c/EMEA/email/11
>>> 11_cta_blue_left=2Ejpg" width=3D"5" height=3D"40" alt=3D""/>
>>>
>>> Many thanks,
>>>
>>> Anne-Sophie
>>>
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>>> Behalf Of Al Varnell
>>> Sent: 31 May 2017 09:06
>>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>>
>>> Perhaps they feel the burden is on PayPal to remove the obfuscation being used in their links.
>>>
>>> Might be necessary for PayPal corporate to contact Cisco/Talos/ClamAV directly to resolve this long standing issue.
>>>
>>> But I am a bit surprised that they haven't commented.
>>>
>>> -Al-
>>>
>>> On Wed, May 31, 2017 at 12:53 AM, Outreach wrote:
>>>>
>>>> Hi,
>>>>
>>>> I did but never heard anything back unfortunately.
>>>>
>>>> We still had a lot of mail blocked on the 29/5 because of this issue.
>>>>
>>>> Is there any other way I can submit the samples than via the website? It looks like no-one is following up on this, which is very poor.
>>>>
>>>> Thanks,
>>>>
>>>> Anne-Sophie
>>>>
>>>> -----Original Message-----
>>>> From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
>>>> Behalf Of Al Varnell
>>>> Sent: 31 May 2017 05:05
>>>> To: ClamAV users ML <clamav-***@lists.clamav.net>
>>>> Cc: ***@jubileegroup.co.uk; clamav-***@lists.clamav.net
>>>> Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
>>>>
>>>> Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do.
>>>>
>>>> Most of the people that participate on this list are users and can't do anything but give you advice.
>>>>
>>>> Sent from Janet's iPad
>>>>
>>>> -Al-
>>>>
>>>> On May 19, 2017, at 9:14 AM, "Outreach" wrote:
>>>>> Hi Ged,
>>>>>
>>>>> I did read your message. Note that the header that you quote below is not related to my request. I am contacting you regarding the following:
>>>>>
>>>>> IPs: 142.54.244.[96-110]
>>>>>
>>>>> Domains:
>>>>> mail.paypal.at
>>>>> mail.paypal.be
>>>>> mail.paypal.ch
>>>>> mail.paypal.co.il
>>>>> mail.paypal.co.uk
>>>>> mail.paypal.de
>>>>> mail.paypal.dk
>>>>> mail.paypal.es
>>>>> mail.paypal.fr
>>>>> mail.paypal.it
>>>>> mail.paypal.nl
>>>>> mail.paypal.no
>>>>> mail.paypal.pl
>>>>> mail.paypal.se
>>>>> mail.paypal.com
>>>>>
>>>>> Call it "reject", "bounce" or "delivery error" - the bottom line is that legitimate mail from our client (including financial communications from account holders) is not being delivered and wrongly identified as a phish by ClamAv.
>>>>>
>>>>> These emails are authenticated, they come from a well-respected organization - hence there is no reason for them to be rejected with the message "554 Your email was rejected because it contains the Heuristics.Phishing.Email.SpoofedDomain virus"
>>>>>
>>>>>
>>>>> Many thanks,
>>>>>
>>>>>
>>>>> Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
>>>>> T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK epsilon.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> Message: 1
>>>>> Date: Thu, 18 May 2017 17:51:15 +0100 (BST)
>>>>> From: "G.W. Haywood"
>>>>> To: clamav-***@lists.clamav.net
>>>>> Subject: Re: [clamav-users] Mail from Paypal wrongly identified as
>>>>> phishing by ClamAv
>>>>> Message-ID:
>>>>> <***@mail6.jubileegroup.co.uk>
>>>>> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>>>>>
>>>>> Hi there,
>>>>>
>>>>> On Thu, 18 May 2017, Anne-Sophie Marsh wrote:
>>>>>
>>>>>> Mail from our client Paypal is being wrongly flagged as phishing by ClamAv.
>>>>>
>>>>> No surprise there.
>>>>>
>>>>>> We get this type of bounce errors:
>>>>>> 554 Your email was rejected because it contains the
>>>>>> Heuristics.Phishing.Email.SpoofedDomain virus
>>>>>
>>>>> That's not a bounce, it's a reject.
>>>>>
>>>>>> Please make the necessary changes to your product ASAP.
>>>>>
>>>>> Well... the last email I saw from PayPal had this in it, carefully hidden:
>>>>>
>>>>> 8<----------------------------------------------------------------------
>>>>> [lefttrianglebracket]
>>>>> img height="1"
>>>>> width="1"
>>>>> src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageName=system_email_PP1814"
>>>>> border="0"
>>>>> alt=""/
>>>>> [righttrianglebracket]
>>>>> 8<----------------------------------------------------------------------
>>>>>
>>>>> The mail did pass our SPF checks on receipt:
>>>>>
>>>>> 8<----------------------------------------------------------------------
>>>>> Received-SPF: pass (mail5: domain of ***@paypal.co.uk designates
>>>>> 173.0.84.226 as permitted sender) receiver=mail5;
>>>>> client-ip=173.0.84.226; helo=mx0.slc.paypal.com;
>>>>> envelope-from=***@paypal.co.uk;
>>>>> x-software=spfmilter 0.98-gwh with libspf2-1.2.9;
>>>>> 8<----------------------------------------------------------------------
>>>>>
>>>>> but then it went in the bin.
>>>>>
>>>>> Admittedly this was quite a while ago; we've been rejecting all mail from PayPal since 2013. All the same, you aren't helping anybody by doing things like that.
>>>>>
>>>>> I don't suppose you'll actually read this.
>>
>> -Al-
>
> -Al-

-Al-
--
Al Varnell
Mountain View, CA
Reindl Harald
2017-06-01 06:24:09 UTC
On 01.06.2017 at 03:04, Al Varnell wrote:
> I made an attempt to determine whether epl.paypal-communication.com was a legitimate domain owned by PayPal with very mixed results.
>
> No WhoIs service could identify it directly

and here I stop reading - let me guess, you entered
"epl.paypal-communication.com" including the subdomain and/or used some
obscure website doing whois requests


[***@srv-rhsoft:~]$ whois paypal-communication.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: PAYPAL-COMMUNICATION.COM
Registrar: MARKMONITOR INC.
Sponsoring Registrar IANA ID: 292
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: NS1.P57.DYNECT.NET
Name Server: NS2.P57.DYNECT.NET
Name Server: PDNS100.ULTRADNS.COM
Name Server: PDNS100.ULTRADNS.NET
Status: clientDeleteProhibited
https://icann.org/epp#clientDeleteProhibited
Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited
https://icann.org/epp#clientUpdateProhibited
Updated Date: 05-mar-2017
Creation Date: 06-apr-2011
Expiration Date: 06-apr-2018

>>> Last update of whois database: Thu, 01 Jun 2017 06:20:04 GMT <<<

For more information on Whois status codes, please visit
https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the
expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

Domain Name: paypal-communication.com
Registry Domain ID: 1649488607_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-03-05T02:14:48-0800
Creation Date: 2011-04-06T05:23:32-0700


Registrar Registration Expiration Date: 2018-04-06T00:00:00-0700


Registrar: MarkMonitor, Inc.


Registrar IANA ID: 292


Registrar Abuse Contact Email: ***@markmonitor.com


Registrar Abuse Contact Phone: +1.2083895740


Domain Status: clientUpdateProhibited
(https://www.icann.org/epp#clientUpdateProhibited)


Domain Status: clientTransferProhibited
(https://www.icann.org/epp#clientTransferProhibited)


Domain Status: clientDeleteProhibited
(https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited
(https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited
(https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited
(https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: PayPal Inc.
Registrant Street: 2211 North First Street,
Registrant City: San Jose
Registrant State/Province: CA
Registrant Postal Code: 95131
Registrant Country: US
Registrant Phone: +1.8882211161
Registrant Phone Ext:
Registrant Fax: +1.4025375774
Registrant Fax Ext:
Registrant Email: ***@paypal.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: PayPal Inc.
Admin Street: 2211 North First Street,
Admin City: San Jose
Admin State/Province: CA
Admin Postal Code: 95131
Admin Country: US
Admin Phone: +1.8882211161
Admin Phone Ext:
Admin Fax: +1.4025375774
Admin Fax Ext:
Admin Email: ***@paypal.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: PayPal Inc.
Tech Street: 2211 North First Street,
Tech City: San Jose
Tech State/Province: CA
Tech Postal Code: 95131
Tech Country: US
Tech Phone: +1.8882211161
Tech Phone Ext:
Tech Fax: +1.4025375774
Tech Fax Ext:
Tech Email: ***@paypal.com
Name Server: ns2.p57.dynect.net
Name Server: pdns100.ultradns.com.
Name Server: ns1.p57.dynect.net
Name Server: pdns100.ultradns.net.
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2017-05-31T23:20:11-0700 <<<
Al Varnell
2017-06-01 06:32:53 UTC
On May 31, 2017, at 11:24 PM, Reindl Harald <***@thelounge.net> wrote:
> On 01.06.2017 at 03:04, Al Varnell wrote:
>> I made an attempt to determine whether epl.paypal-communication.com was a legitimate domain owned by PayPal with very mixed results.
>> No WhoIs service could identify it directly
>
> and here I stop reading - let me guess, you entered "epl.paypal-communication.com" including the subdomain and/or used some obscure website doing whois requests

Wrong on both points. I initially used only paypal-communications.com in two different Mac utilities which have given flawless results in the past. Then I tried a TraceRoute, eventually coming up with the IP.

-Al-

Reindl Harald
2017-06-01 06:44:23 UTC
On 01.06.2017 at 08:32, Al Varnell wrote:
>
> On May 31, 2017, at 11:24 PM, Reindl Harald <***@thelounge.net> wrote:
>> On 01.06.2017 at 03:04, Al Varnell wrote:
>>> I made an attempt to determine whether epl.paypal-communication.com was a legitimate domain owned by PayPal with very mixed results.
>>> No WhoIs service could identify it directly
>>
>> and here I stop reading - let me guess, you entered "epl.paypal-communication.com" including the subdomain and/or used some obscure website doing whois requests
>
> Wrong on both points. I initially used only paypal-communications.com in two different Mac utilities which have given flawless results in the past. Then I tried a TraceRoute, eventually coming up with the IP

who knows how that crap works; proper software directly asks the servers
on such a list https://github.com/rfc1036/whois/blob/next/tld_serv_list
and everybody but you knows "paypal-communications.com" has been owned by
Paypal for a very long time

why am I so emotional about this topic?

because *THAT ISSUE* is why I originally registered on this list, and *you*
recommended at
http://lists.clamav.net/pipermail/clamav-users/2016-July/003111.html
"You must disable Heuristics using clamd.conf and clamscan options"
while all you guys who recommend that don't realize that it would
disable safebrowsing too, and so CLAMAV IS BROKEN BY DESIGN as long as
nobody either makes that crap whitelistable with ign2-files, removes it
completely or makes a switch to *only* disable that crap without the other heuristics

http://lists.clamav.net/pipermail/clamav-users/2016-July/003111.html
Joel Esler (jesler)
2017-06-01 16:48:00 UTC
I do agree that these features need to be decoupled. We’ve marked that as a feature we’d like to develop.

--
Joel Esler | Talos: Manager | ***@cisco.com<mailto:***@cisco.com>
Al Varnell
2017-06-02 06:12:03 UTC
On Wed, May 31, 2017 at 11:44 PM, Reindl Harald wrote:
>
> why i am so emotional about this topic?
>
> because *THAT ISSUE* i originally registered on this list and *you* recommended at http://lists.clamav.net/pipermail/clamav-users/2016-July/003111.html "You must disable Heuristics using clamd.conf and clamscan options" while all you guys which recommend that not realizing that it would disable safebrowsings too and so CLAMAV IS BROKEN BY DESIGN as long nobody either makes that crap whitelisteable with ign2-files, removes it completly or make a switch *only* diable that crap without other heuristics

Yes, I remember that very well.

Looks like ClamAV may be taking some action on it, hopefully sooner than later.

In the meanwhile, have you tried using a local.sfp file containing whitelisted pairs?

You could either fill it with "M" records for each pair, e.g.
M:http://epl.paypal-communication.com/:www.paypal.com

or a Regex formatted "X" record for multiple country codes, e.g.
X:.+\.paypal-communications\.(de|fr|it|at|ca|be|ch|nl|pl|es|co\.uk|com|com\.(au|cn|hk|my|sg))([/?].*)?:(.+\.)?paypal\.(at|be|ca|ch|co\.uk|de|es|fr|ie|in|it|nl|ph|pl|com|com\.(au|cn|hk|my|sg))([/?].*)?

-Al-
--
Al Varnell
Mountain View, CA
Reindl Harald
2017-06-02 13:20:54 UTC
On 02.06.2017 at 08:12, Al Varnell wrote:
> On Wed, May 31, 2017 at 11:44 PM, Reindl Harald wrote:
>>
>> why i am so emotional about this topic?
>>
>> because *THAT ISSUE* i originally registered on this list and *you* recommended at http://lists.clamav.net/pipermail/clamav-users/2016-July/003111.html "You must disable Heuristics using clamd.conf and clamscan options" while all you guys which recommend that not realizing that it would disable safebrowsings too and so CLAMAV IS BROKEN BY DESIGN as long nobody either makes that crap whitelisteable with ign2-files, removes it completly or make a switch *only* diable that crap without other heuristics
>
> Yes, I remember that very well.
>
> Looks like ClamAV may be taking some action on it, hopefully sooner than later.
>
> In the meanwhile, have you tried using a local.sfp file containing whitelisted pairs?
>
> You could either fill it with "M" records for each pair, e.g.
> M:http://epl.paypal-communication.com/:www.paypal.com
>
> or a Regex formatted "X" record for multiple country codes, e.g.
> X:.+\.paypal-communications\.(de|fr|it|at|ca|be|ch|nl|pl|es|co\.uk|com|com\.(au|cn|hk|my|sg))([/?].*)?:(.+\.)?paypal\.(at|be|ca|ch|co\.uk|de|es|fr|ie|in|it|nl|ph|pl|com|com\.(au|cn|hk|my|sg))([/?].*)?

I solved it with 2 different clamd instances with different scores and a
self-fixed spamassassin-clamav-plugin which doesn't have its stuff
hardcoded and supports more than one instance, because when we start to
block legit customer mail I have a red flag and have to solve that
*instantly* and not months or years later
O***@epsilon.com
2017-06-01 08:19:32 UTC
Hi Reindl and Al,

Thank you for your feedback.

The domain https://epl.paypal-communication.com is used by Paypal for link tracking purposes in their emails. Their sending domains are for example: mail.paypal.com, mail.paypal.co.uk, mail.paypal.fr etc.

To clarify, I work for Epsilon which is a major Email Service Provider (www.epsilon.com) and Paypal use our platform to deploy their emails, hence me contacting you about this delivery issue.

I will pass back your feedback to Paypal so they can make a decision on whether or not they will want to make any changes to their emails moving forward.

Best regards,


Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
 T   +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street, Teddington TW11 8QZ, UK  epsilon.com



Dennis Peterson
2017-06-01 16:01:17 UTC
If I were to have gotten a suspicious message notice from
epl.paypal-communication.com and gone through a whois, nslookup, whois (ip
address), dig txt paypal-communication.com, dig mx paypal-communication.com, dig
mx epl.paypal-communication.com routine I would have found a very suspicious
pedigree and I would add the IP and domain name to my blacklist. And that is
exactly what I did. Businesses that send email that is indistinguishable from
spam/phishing/obfuscation/cloaking/tracking don't deserve space in my systems.
And because I'll not remember long that I did all this forensic investigation
and was dissatisfied with the results, I go with the least-effort option of
blocking. It is your problem to fix. Be obvious or be blocked. There's too much
at risk.

And including a link to a one-pixel (spacer1.gif) image, obviously a tracking
beacon, in already suspect messages always looks more suspicious yet.

dp
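
Added example (written for this page; not code from any poster in the thread and not ClamAV's own implementation): a small Python emulation of the two checks the thread keeps circling. It approximates the comparison behind Heuristics.Phishing.Email.SpoofedDomain (an anchor whose visible text names one host while its href points at another) and applies whitelist pairs written in the M:/X: record style Al quotes in his local.sfp suggestion, then separately flags 1x1 images fetched from a remote host, the tracking beacon Dennis describes. The whitelist, the HTML message and every host in it (tracker.example.net, metrics.example.com) are constructed for the example; the record parser assumes the displayed-side field holds no ':' and ignores the optional trailing function-level field that real ClamAV records may carry.

```python
"""Constructed emulation of two checks discussed in the thread:
1. display-host vs href-host comparison on HTML anchors, with an
   M:/X:-style whitelist (approximating ClamAV's phishing whitelist records);
2. detection of 1x1 remote images, i.e. tracking beacons.
Not ClamAV's code; the sample data below is made up for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed whitelist in the M:/X: record style quoted in the thread.
# M: exact real host -> displayed host; X: regex real URL -> regex displayed URL.
WHITELIST_RECORDS = r"""
M:http://epl.paypal-communication.com/:www.paypal.com
X:.+\.paypal-communications\.(de|fr|co\.uk|com)([/?].*)?:(.+\.)?paypal\.(de|fr|co\.uk|com)([/?].*)?
"""

# Constructed HTML mail body modelled on the messages described in the thread.
SAMPLE_EMAIL = """<html><body>
<p>Log in at <a href="http://epl.paypal-communication.com/t/abc">www.paypal.com</a></p>
<p>UK users: <a href="https://epl.paypal-communications.co.uk/t/def">https://www.paypal.co.uk/</a></p>
<p>Offer: <a href="https://tracker.example.net/c/42">www.paypal.com</a></p>
<p><a href="https://www.paypal.com/help">Click here</a> for help.</p>
<img height="1" width="1" src="https://metrics.example.com/b/ss/x/1?pageName=sys" border="0" alt=""/>
</body></html>"""

# Visible link text that itself looks like a host or URL; only those can "spoof".
HOSTLIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def host_of(value: str) -> str:
    """Lower-case hostname of a URL or bare hostname; '' if none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def parse_whitelist(text: str) -> list:
    """Parse M:/X: records into (kind, real, displayed) tuples.
    Assumption: the displayed field contains no ':' (split at the last colon);
    the optional trailing function-level field of real ClamAV records is ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        if kind not in ("M", "X") or ":" not in rest:
            raise ValueError(f"unrecognised whitelist record: {line}")
        real, _, shown = rest.rpartition(":")
        records.append((kind, real, shown))
    return records


class MailHtml(HTMLParser):
    """Collect (href, visible text) for anchors and attribute dicts for images."""

    def __init__(self):
        super().__init__()
        self.anchors, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img":
            self.images.append(attrs)  # <img .../> is routed through here too

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def whitelisted(href: str, shown: str, records: list) -> bool:
    """True if some record covers this real/displayed pair."""
    for kind, real, disp in records:
        if kind == "M":
            if host_of(href) == host_of(real) and host_of(shown) == host_of(disp):
                return True
        elif re.fullmatch(real, href, re.I) and re.fullmatch(disp, shown, re.I):
            return True
    return False


def spoofed_anchors(html: str, records: list) -> list:
    """(href, shown) pairs whose visible text names a different host than the
    href and which no whitelist record covers."""
    parser = MailHtml()
    parser.feed(html)
    hits = []
    for href, shown in parser.anchors:
        if not HOSTLIKE.match(shown) or host_of(href) == host_of(shown):
            continue  # plain wording, or text and target agree: nothing to flag
        if not whitelisted(href, shown, records):
            hits.append((href, shown))
    return hits


def tracking_pixels(html: str) -> list:
    """src of every remote image no larger than 1x1: a tracking beacon."""
    parser = MailHtml()
    parser.feed(html)
    found = []
    for img in parser.images:
        src = img.get("src") or ""
        if ((img.get("width") or "").strip() in ("0", "1")
                and (img.get("height") or "").strip() in ("0", "1")
                and "://" in src and host_of(src)):
            found.append(src)
    return found


if __name__ == "__main__":
    records = parse_whitelist(WHITELIST_RECORDS)
    for href, shown in spoofed_anchors(SAMPLE_EMAIL, records):
        print(f"SpoofedDomain-style mismatch: text {shown!r} -> href {href}")
    for src in tracking_pixels(SAMPLE_EMAIL):
        print(f"tracking beacon: {src}")
```

Run as-is it reports the one anchor no record covers (the tracker.example.net link dressed up as www.paypal.com) and the 1x1 beacon; pass an empty record list instead and all three host-mismatched anchors fire, which is the situation the original complaint in this thread describes. The two PayPal links are spared only because a record explicitly pairs the tracking host with the displayed host, which is the trade-off the whitelist approach asks an operator to make.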

Gene Heskett
2017-06-01 23:16:26 UTC
On Thursday 01 June 2017 12:01:17 Dennis Peterson wrote:

> It is your problem to fix.
> Be obvious or be blocked. There's too much at risk.
>
I couldn't have said it any better Dennis, and yes, spamassassin is well
trained here.

Email is IMO supposed to be text, but may include links provided they are
surrounded by a pair of <>.

Pure html messages are generally from a spammer who thinks it's cute, I
guess, but that's 3.5 points on its way to a 5+ point score. Throw in
some obfuscated links 200+ characters long, and it will be rerouted to a
special directory here, where at a bit after midnight it gets used for
bayes training by sa-learn. From there it is moved to another directory
that is first cleaned out. So a message such as what comes from paypal
has about 47 hours for me to review it and rescue it. And a fair warning
for the OP here, far less than 1% of that junk gets rescued. I do not
recall ever rescuing something from epsilon.com.

So I am with Danny 100%, be obvious, state your message clearly in
readable plain text without the html obfuscation, or be ignored.

FWIW, I have a high point score for any message from a no-reply address.
If it's important enough to dirty my inbox, and you want a reply, my
answering the message had better be read by a human if I take the time
to reply. To me, there is a 1/1 comparison between your time to spam me
with worthless messages, and my time to read it.

And it IS your problem to fix.

Can you grok that? Frankly I am quite amazed at the gall it took to file
the original protest, wasting Al and Joel's time for several days now.
You have been advised of ways to fix it, so please just go away AND fix
it. But first you must understand that you do not set the rules, the
individual receiver of your junk does. We do not serve at your
pleasure.

> And including a link to a one-pixel (spacer1.gif) image, obviously a
> tracking beacon, in already suspect messages always looks more
> suspicious yet.
>
> dp
>
> On 6/1/17 1:19 AM, ***@epsilon.com wrote:
> > Hi Reindl and Al,
> >
> > Thank you for your feedback.
> >
> > The domain https://epl.paypal-communication.com is used by Paypal
> > for link tracking purposes in their emails. Their sending domains
> > are for example: mail.paypal.com, mail.paypal.co.uk, mail.paypal.fr
> > etc.
> >
> > To clarify, I work for Epsilon which is a major Email Service
> > Provider (www.epsilon.com) and Paypal use our platform to deploy
> > their emails, hence me contacting you about this delivery issue.
> >
> > I will pass back your feedback to Paypal so they can make a decision
> > on whether or not they will want to make any changes to their emails
> > moving forward.
> >
> > Best regards,
> >
> >
> > Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
> > T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street,
> > Teddington TW11 8QZ, UK epsilon.com
> >
> >
> >
> > -----Original Message-----
> > From: clamav-users [mailto:clamav-users-***@lists.clamav.net] On
> > Behalf Of Reindl Harald Sent: 01 June 2017 07:24
> > To: clamav-***@lists.clamav.net
> > Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
> >
> > Am 01.06.2017 um 03:04 schrieb Al Varnell:
> >> I made an attempt to determine whether epl.paypal-communication.com
> >> was a legitimate domain owned by PayPal with very mixed results.
> >>
> >> No WhoIs service could identify it directly
> >
> > and here is stop to read - let me guess you entered
> > "epl.paypal-communication.com" including the subdomain and/or used
> > some obsucre website doing whois requests
> >
> >
> > [***@srv-rhsoft:~]$ whois paypal-communication.com
> >
> > Whois Server Version 2.0
> >
> > Domain names in the .com and .net domains can now be registered with
> > many different competing registrars. Go to http://www.internic.net
> > for detailed information.
> >
> > Domain Name: PAYPAL-COMMUNICATION.COM
> > Registrar: MARKMONITOR INC.
> > Sponsoring Registrar IANA ID: 292
> > Whois Server: whois.markmonitor.com
> > Referral URL: http://www.markmonitor.com
> > Name Server: NS1.P57.DYNECT.NET
> > Name Server: NS2.P57.DYNECT.NET
> > Name Server: PDNS100.ULTRADNS.COM
> > Name Server: PDNS100.ULTRADNS.NET
> > Status: clientDeleteProhibited
> > https://icann.org/epp#clientDeleteProhibited
> > Status: clientTransferProhibited
> > https://icann.org/epp#clientTransferProhibited
> > Status: clientUpdateProhibited
> > https://icann.org/epp#clientUpdateProhibited
> > Updated Date: 05-mar-2017
> > Creation Date: 06-apr-2011
> > Expiration Date: 06-apr-2018
> >
> > >>> Last update of whois database: Thu, 01 Jun 2017 06:20:04 GMT
> > >>> <<<
> >
> > For more information on Whois status codes, please visit
> > https://icann.org/epp
> >
> > NOTICE: The expiration date displayed in this record is the date the
> > registrar's sponsorship of the domain name registration in the
> > registry is currently set to expire. This date does not necessarily
> > reflect the expiration date of the domain name registrant's
> > agreement with the sponsoring registrar. Users may consult the
> > sponsoring registrar's Whois database to view the registrar's
> > reported date of expiration for this registration.
> >
> > Domain Name: paypal-communication.com
> > Registry Domain ID: 1649488607_DOMAIN_COM-VRSN
> > Registrar WHOIS Server: whois.markmonitor.com
> > Registrar URL: http://www.markmonitor.com
> > Updated Date: 2017-03-05T02:14:48-0800
> > Creation Date: 2011-04-06T05:23:32-0700
> > Registrar Registration Expiration Date: 2018-04-06T00:00:00-0700
> > Registrar: MarkMonitor, Inc.
> > Registrar IANA ID: 292
> > Registrar Abuse Contact Email: ***@markmonitor.com
> > Registrar Abuse Contact Phone: +1.2083895740
> > Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
> > Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
> > Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
> > Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
> > Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
> > Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
> > Registry Registrant ID:
> > Registrant Name: Domain Administrator
> > Registrant Organization: PayPal Inc.
> > Registrant Street: 2211 North First Street,
> > Registrant City: San Jose
> > Registrant State/Province: CA
> > Registrant Postal Code: 95131
> > Registrant Country: US
> > Registrant Phone: +1.8882211161
> > Registrant Phone Ext:
> > Registrant Fax: +1.4025375774
> > Registrant Fax Ext:
> > Registrant Email: ***@paypal.com
> > Registry Admin ID:
> > Admin Name: Domain Administrator
> > Admin Organization: PayPal Inc.
> > Admin Street: 2211 North First Street,
> > Admin City: San Jose
> > Admin State/Province: CA
> > Admin Postal Code: 95131
> > Admin Country: US
> > Admin Phone: +1.8882211161
> > Admin Phone Ext:
> > Admin Fax: +1.4025375774
> > Admin Fax Ext:
> > Admin Email: ***@paypal.com
> > Registry Tech ID:
> > Tech Name: Domain Administrator
> > Tech Organization: PayPal Inc.
> > Tech Street: 2211 North First Street,
> > Tech City: San Jose
> > Tech State/Province: CA
> > Tech Postal Code: 95131
> > Tech Country: US
> > Tech Phone: +1.8882211161
> > Tech Phone Ext:
> > Tech Fax: +1.4025375774
> > Tech Fax Ext:
> > Tech Email: ***@paypal.com
> > Name Server: ns2.p57.dynect.net
> > Name Server: pdns100.ultradns.com.
> > Name Server: ns1.p57.dynect.net
> > Name Server: pdns100.ultradns.net.
> > DNSSEC: signedDelegation
> > URL of the ICANN WHOIS Data Problem Reporting System:
> > http://wdprs.internic.net/
> >
> > >>> Last update of WHOIS database: 2017-05-31T23:20:11-0700 <<<
> >
> > _______________________________________________
> > clamav-users mailing list
> > clamav-***@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>


Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
Reindl Harald
2017-06-01 23:49:11 UTC
Permalink
Am 02.06.2017 um 01:16 schrieb Gene Heskett:
> On Thursday 01 June 2017 12:01:17 Dennis Peterson wrote:
>
>> It is your problem to fix.
>> Be obvious or be blocked. There's too much at risk.
>>
> I couldn't have said it any better Dennis, and yes, spamassassin is well
> trained here.
>
> Email is IMO supposed to be text, but may include links provided they are
> surrounded by a pair of <>.

it would be nice if....

> And it IS your problem to fix.
>
> Can you grok that? Frankly I am quite amazed at the gall it took to file
> the original protest, wasting Al and Joel's time for several days now.
> You have been advised of ways to fix it, so please just go away AND fix
> it. But first you must understand that you do not set the rules, the
> individual receiver of your junk does. We do not serve at your
> pleasure.

no you do not serve the pleasure of Paypal but with your attitude you
also do not serve the pleasure of your users wanting their mails from
Paypal and hopefully they are aware of that or you have no users except
yourself at all
Gene Heskett
2017-06-02 02:37:56 UTC
Permalink
On Thursday 01 June 2017 19:49:11 Reindl Harald wrote:

> Am 02.06.2017 um 01:16 schrieb Gene Heskett:
> > On Thursday 01 June 2017 12:01:17 Dennis Peterson wrote:
> >> It is your problem to fix.
> >> Be obvious or be blocked. There's too much at risk.
> >
> > I couldn't have said it any better Dennis, and yes, spamassassin is
> > well trained here.
> >
> > Email is IMO supposed to be text, but may include links provided
> > they are surrounded by a pair of <>.
>
> it would be nice if....
>
> > And it IS your problem to fix.
> >
> > Can you grok that? Frankly I am quite amazed at the gall it took to
> > file the original protest, wasting Al and Joel's time for several
> > days now. You have been advised of ways to fix it, so please just go
> > away AND fix it. But first you must understand that you do not set
> > the rules, the individual receiver of your junk does. We do not
> > serve at your pleasure.
>
> no you do not serve the pleasure of Paypal but with your attitude you
> also do not serve the pleasure of your users wanting their mails from
> Paypal and hopefully they are aware of that or you have no users
> except yourself at all

That is correct, I am the only user here, and to the best of my ability,
I set the rules since I am paying for the bandwidth. This /can/ be true
of every individual user should they wish to help clean up the swamp the
internet has become since I posted my first message thru the Princeton
server circa 1985 or 86. At 300 baud. I was then 51 years old.

So yeah, guilty, I am a genuine oldtimer. But an honest one, who wants to
have honest dealings with my fellow man.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
Reindl Harald
2017-06-02 13:17:37 UTC
Permalink
Am 02.06.2017 um 04:37 schrieb Gene Heskett:
> On Thursday 01 June 2017 19:49:11 Reindl Harald wrote:
>
>> Am 02.06.2017 um 01:16 schrieb Gene Heskett:
>>> On Thursday 01 June 2017 12:01:17 Dennis Peterson wrote:
>>>> It is your problem to fix.
>>>> Be obvious or be blocked. There's too much at risk.
>>>
>>> I couldn't have said it any better Dennis, and yes, spamassassin is
>>> well trained here.
>>>
>>> Email is IMO supposed to be text, but may include links provided
>>> they are surrounded by a pair of <>.
>>
>> it would be nice if....
>>
>>> And it IS your problem to fix.
>>>
>>> Can you grok that? Frankly I am quite amazed at the gall it took to
>>> file the original protest, wasting Al and Joel's time for several
>>> days now. You have been advised of ways to fix it, so please just go
>>> away AND fix it. But first you must understand that you do not set
>>> the rules, the individual receiver of your junk does. We do not
>>> serve at your pleasure.
>>
>> no you do not serve the pleasure of Paypal but with your attitude you
>> also do not serve the pleasure of your users wanting their mails from
>> Paypal and hopefully they are aware of that or you have no users
>> except yourself at all
>
> That is correct, I am the only user here, and to the best of my ability,
> I set the rules since I am paying for the bandwidth. This /can/ be true
> of every individual user should they wish to help clean up the swamp the
> internet has become since I posted my first message thru the Princeton
> server circa 1985 or 86. At 300 baud. I was then 51 years old.
>
> So yeah, guilty, I am a genuine oldtimer. But an honest one, who wants to
> have honest dealings with my fellow man

if you are the only user without *customers* for whose mail you are
responsible, just refrain from discussions of mailserver admins far away
from your homebox
Kris Deugau
2017-06-01 14:08:43 UTC
Permalink
***@epsilon.com wrote:
> Hi Al,
>
> Could you please confirm exactly what is the issue you see with the links? As far as I can see, they use standard link tracking.
^^^^^^^^^^^^^^^^^^^^^^

In my experience that, in and of itself, is often the problem.

The cases I've whitelisted locally are almost always mismatches between
the visible link text and the actual link target, eg:

<a href="tracker.bigesp/path/to/some/thing/hexstring">example.com/link</a>

All too often, "bigesp" seems to go to great lengths to remain
unidentified, by way of cryptic and ever-multiplying domains which
appear, without time-consuming investigation, to be Just Another Spoof.

I would also suggest that using a completely separate TLD for
click-tracking is a good way to *raise* red flags when a message is
inspected by hand; even worse when the domain looks similar to the main
domain - such as "paypal-communications.com" vs "paypal.com".

Use a subdomain (eg "communication.paypal.com", or
"espname.paypal.com"), which is clearly delegated from the organization
potentially being spoofed, rather than Yet Another Similar But Not
Obviously Associated Domain (because the domain registrars clearly can't
be trusted to prevent *these* from being registered by world+dog, and a
disturbing number don't shut down the real spoofs very quickly either).

In short, stop doing the same things that the scammers do, and do things
that the scammers can't.

-kgd
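The visible-text versus href-target mismatch Kris describes, turned into a checker. This is an added example, not code from the thread or from ClamAV's phishing module; it assumes a naive last-two-labels notion of "registrable domain" and uses constructed .test/.example hostnames in place of the real ones.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Constructed HTML, not a real PayPal mail: each anchor shows the reader one
# host while pointing somewhere else (or not). Hostnames are made up.
SAMPLE_HTML = (
    '<p>Click <a href="http://tracker.bigesp.test/path/hex">example.com/link</a></p>'
    '<a href="https://communication.paypal.example/c/1">paypal.example</a>'
    '<a href="https://paypal-communication.example/c/2">www.paypal.example</a>'
    '<a href="https://paypal.example/help">Help Center</a>'
)

ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
# Text a human reads as a URL or hostname: optional scheme, dotted host, then end or delimiter.
HOSTLIKE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)', re.I)

def host_of(url):
    """Hostname of an href; tolerates scheme-less targets like 'tracker.bigesp/...'."""
    if '://' not in url:
        url = 'http://' + url
    return (urlparse(url).hostname or '').lower()

def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Production code would consult the Public Suffix List."""
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])

def displayed_host(text):
    """The hostname a reader perceives in the anchor text, or None for plain words."""
    plain = unescape(re.sub(r'<[^>]+>', '', text)).strip()
    m = HOSTLIKE_RE.match(plain)
    return m.group(1).lower() if m else None

def classify_link(href, text):
    """'ok', 'lookalike' or 'mismatch': does the href go where the text claims?"""
    shown, target = displayed_host(text), host_of(href)
    if shown is None:
        return 'ok'  # plain words make no domain claim
    if target == shown or target.endswith('.' + shown):
        return 'ok'  # same host, or a subdomain delegated from the shown one
    shown_reg, target_reg = registrable_domain(shown), registrable_domain(target)
    if shown_reg == target_reg:
        return 'ok'
    if shown_reg.split('.')[0] in target_reg.split('.')[0]:
        return 'lookalike'  # brand name embedded in a different registrable domain
    return 'mismatch'

def scan_html(html):
    return [(href, displayed_host(text), classify_link(href, text))
            for href, text in ANCHOR_RE.findall(html)]
```

Only the subdomain form (communication.paypal.example) passes; the look-alike registrable domain is flagged even though the text and target share the brand string.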