clamav blocking genuine ebay emails

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

clamav blocking genuine ebay emails

Post by faris:

Do any of you quarantine virus emails, or do you all drop them like we do?

The problem is that HTML.Phishing.Auction-214 appears to be blocking genuine ebay emails. Unfortunately this is causing a bit of a load on our servers, as loads of these are getting sent and resent and resent, in large numbers.


Mon, 12 Dec 2011 14:53:23 GMT:21949: g_e_h: return-path='REDACTED@ebay.emarsys.net', recips='customer@domain.co.uk'
Mon, 12 Dec 2011 14:53:23 GMT:21949: from='"eBay" <eBay@reply.ebay.co.uk>', subj='Great deals on a selection of gifts, REDACTED', via SMTP from e3pmta194.emarsys.net
Mon, 12 Dec 2011 14:53:23 GMT:21949: clamdscan: there be a virus! (HTML.Phishing.Auction-214)
There's nothing I can do about this without the actual email in question. If anybody has a copy then maybe we can report it as a false positive.

All I know is that emarsys.net genuinely sends marketing emails on behalf of ebay (at least according to Google), which is why I assume these emails are genuine.

This has been going on for several weeks now. I'm surprised someone else hasn't caught it and reported it.

Or am I sooo totally wrong I'm going to feel very stupid?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Kalimari
Forum Regular
Posts: 526
Joined: Wed Jan 02, 2008 3:21 pm
Location: United Kingdom

Re: clamav blocking genuine ebay emails

Post by Kalimari:

Hi faris,

I have the exact same problem and, like you, realised no delivery = no FP report, and expected it to have been rectified already. Not sure what to do next...
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: clamav blocking genuine ebay emails

Post by faris:

Oh dear.

I just checked the config files, and I see no way to make clamd quarantine. Spam can be quarantined via qmail-scanner.ini, but there doesn't appear to be an option for viruses either there or in clamd.conf.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: clamav blocking genuine ebay emails

Post by mikeshinn:

qmail-scanner will quarantine viruses. It puts them into a maildir named "viruses/", policy-blocks into "policy/" and (potentially) high-rated SPAM into "spam/".

> All I know is that emarsys.net genuinely sends marketing emails on behalf of ebay (at least according to Google), which is why I assume these emails are genuine.

How does the MTA determine the FQDN? Is it just doing a forward lookup? If so, that's trivial to forge; if it's not doing a forward and reverse on that, then you can't trust an FQDN in your logs as the source, only the IP.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: clamav blocking genuine ebay emails

Post by faris:

Good point as usual Mike.

In this case it is:

origin_ip: 91.194.249.192
origin_rdns: e3pmta192.emarsys.net

inetnum: 91.194.248.0 - 91.194.249.255
netname: EMARSYS-NET
descr: emarsys eMarketing Systems AG

So, it is legit unless they have faked the WHOIS as well (not impossible).

However, there are no hallmarks of viruses or anything.

But beeping beep Mike. I didn't know about those directories. They are full of crap, including twelve zillion of these particular messages.

I've submitted it as an FP. It was hard to find the link. Same page as submitting an actual virus, but you need to select the "this is a false positive..." option.

Can I ask that anybody else with the same problem please do the same?

I'm really going to kick myself if I've got this wrong.......
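Mike's point about forward-versus-reverse lookups and faris's netblock check above are the two tests a mail admin would actually run before trusting a hostname in the logs. The following is an added example, not code from the thread or from qmail-scanner/ClamAV: it implements forward-confirmed reverse DNS (PTR, then A, and the A must point back at the same IP) plus an inetnum range check. The DNS answers are constructed stand-ins embedded in the script (a real deployment would feed in resolver results, e.g. from socket.gethostbyaddr); the only real values are the IP, hostname and inetnum range quoted in the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS answers standing in for live lookups (example data, not
# real resolver output). Keys are query names; values are the record sets.
PTR_RECORDS: Dict[str, List[str]] = {
    # The genuine sender from the thread: PTR and A agree.
    "192.249.194.91.in-addr.arpa": ["e3pmta192.emarsys.net"],
    # A host whose owner published a PTR claiming to be the emarsys MTA,
    # but the forward A record for that name does not point back here.
    "1.2.0.192.in-addr.arpa": ["e3pmta192.emarsys.net"],
}
A_RECORDS: Dict[str, List[str]] = {
    "e3pmta192.emarsys.net": ["91.194.249.192"],
}

# inetnum range as quoted from WHOIS in the thread.
EMARSYS_NETBLOCK = ("91.194.248.0", "91.194.249.255")


def fcrdns(ip: str,
           ptr: Dict[str, List[str]] = PTR_RECORDS,
           a: Dict[str, List[str]] = A_RECORDS) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS.

    Look up the PTR for ip, resolve each returned name forward, and accept
    the name only if one of its A records is ip again. Returns
    (confirmed, name); name is the first PTR answer even when unconfirmed,
    so a caller can log what was claimed without trusting it.
    """
    addr = ipaddress.ip_address(ip)
    names = ptr.get(addr.reverse_pointer, [])
    for name in names:
        if ip in a.get(name, []):
            return True, name
    return False, names[0] if names else ""


def in_range(ip: str, first: str, last: str) -> bool:
    """True if ip falls inside the inclusive inetnum range first..last."""
    n = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(first)) <= n <= int(ipaddress.ip_address(last))


def classify_sender(ip: str) -> str:
    """Combine both checks into the verdict an admin would log."""
    confirmed, name = fcrdns(ip)
    owned = in_range(ip, *EMARSYS_NETBLOCK)
    if confirmed and owned:
        return (f"{ip} is {name} (FCrDNS ok, inside "
                f"{EMARSYS_NETBLOCK[0]}-{EMARSYS_NETBLOCK[1]})")
    if name and not confirmed:
        return f"{ip} claims {name} but forward lookup does not match: untrusted"
    if not name:
        return f"{ip} has no PTR: untrusted"
    return f"{ip} is {name} but outside the expected netblock"


if __name__ == "__main__":
    # 192.0.2.1 and 198.51.100.7 are documentation addresses used as the
    # forged-PTR and no-PTR cases respectively.
    for ip in ("91.194.249.192", "192.0.2.1", "198.51.100.7"):
        print(classify_sender(ip))
```

The key design point is that the hostname is derived from the IP and then checked back against it; a hostname that only appears in a PTR record is attacker-controlled, which is exactly why the IP and the netblock it sits in are the only parts of the log worth trusting on their own.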
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: clamav blocking genuine ebay emails

Post by mikeshinn:

> But beeping beep Mike. I didn't know about those directories. They are full of crap, including twelve zillion of these particular messages.

Oh yeah, they can fill up. We have a script that runs weekly to clean them out. We figure if none of our personnel holler about something not arriving, by one week it's not gonna happen. (Plus with the nightly backups, technically we have those quarantined emails for a year.)