ClamWin Free Antivirus
Support and Discussion Forums
False Positives from Email.Phishing.RB-882
jamcc


Joined: 21 May 2007
Posts: 2
I'm running ClamWin 0.90.2 with the latest daily updates.

I'm not sure if this is the correct place to post this issue, but just this past weekend (I cannot nail it to a particular day, but since approx Thurs or Fri), my mail server has been dropping outbound mail because it has detected an infection of Email.Phishing.RB-882 in the mail.

The scenario is like so:

User --> Mail Server 1
--Message is accepted
--Message is sent through Domain Keys signer plugin
--Message is sent to our outbound relay (Mail Server 2)

Mail Server 1 --> Mail Server 2
--Message is accepted
--Message is scanned by ClamAv.
--!!! Message is deleted because it contains Email.Phishing.RB-882.

Our Mail Server software on both sides is SmarterMail 4.x and the Domain Keys plug in is called DKeyEvent.

We were setting off any false positives prior, and this (I'm not sure if this is the correct place to post this issue, but just this past weekend (I cannot nail it to a particular day, but since approx Thurs or Fri), my mail server has been dropping outbound mail because it has detected an infection of Email.Phishing.RB-882 in the mail.

The scenario is like so:

User --> Mail Server 1
--Message is accepted
--Message is sent through Domain Keys signer plugin
--Message is sent to our outbound relay (Mail Server 2)

Mail Server 1 --> Mail Server 2
--Message is accepted
--Message is scanned by ClamAv.
--!!! Message is deleted because it contains Email.Phishing.RB-882

Our Mail Server software is SmarterMail 4.x, and the domain key plugin is called DKeyEvent. I will be asking on those support forums as well. I'm led to believe this is a Clam issue since I've not had this problem before, and I'm only being caught by the one (Email.Phishing.RB-882) virus. Every message is caught by this, regardless of sending domain, sender, or recipient, or recipient domain. Every message, every time, if it's been signed, is flagged as this virus.

Thanks in advance...

Angelo
Re: False Positives from Email.Phishing.RB-882
b0ne


Joined: 26 Oct 2006
Posts: 174
jamcc wrote:
We were setting off any false positives prior, and this (I'm not sure if this is the correct place to post this issue, but just this past weekend (I cannot nail it to a particular day, but since approx Thurs or Fri), my mail server has been dropping outbound mail because it has detected an infection of Email.Phishing.RB-882 in the mail.


The signature is the following string: "http://www.declude.com/x-note.htm". If your email messages contain that string anywhere in their body, they will be flagged as that signature. Can you verify that the messages do not contain that string?
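To answer the question in the reply above, the following added example (not code from the thread or from ClamWin) parses a message and reports whether the quoted string sits in a header or in a body part. The sample message, the `X-Note` header name and the `locate` helper are assumptions constructed for illustration.

```python
import email
from email import policy

# String that the reply above identifies as what Email.Phishing.RB-882 matches.
SIGNATURE_STRING = "http://www.declude.com/x-note.htm"

# Constructed sample message (not taken from the thread). The X-Note header
# name and its wording are assumptions made for this example.
SAMPLE = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: Quarterly report\r\n"
    "X-Note: Scanned for spam, see http://www.declude.com/x-note.htm\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Hi Bob, the report is attached.\r\n"
)


def locate(raw_message, needle=SIGNATURE_STRING):
    """Return (where, name) pairs for every place the needle occurs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    needle = needle.lower()  # compare case-insensitively so a re-cased URL is still reported
    hits = []
    # Headers added by filters and signers travel with the message,
    # so a downstream scanner sees them as part of the mail it scans.
    for name, value in msg.items():
        if needle in str(value).lower():
            hits.append(("header", name))
    # Decode each leaf MIME part (base64 / quoted-printable) before searching.
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if needle in text.lower():
            hits.append(("body", part.get_content_type()))
    return hits


if __name__ == "__main__":
    for where, name in locate(SAMPLE):
        print(f"{SIGNATURE_STRING} found in {where}: {name}")
```

Running it over a message saved from the quarantine of the scanning server shows which component inserted the string, which is the setting to change or the detail to include in a false-positive report.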
jamcc


Joined: 21 May 2007
Posts: 2
Yes, we have Declude...

But, so do a lot of legitimate people. Declude is a commercial product, and this will be pretty detrimental to their paying customers.

Since I've been fire-fighting this all morning, I have come across Declude mentioned as a culprit. I've disabled that X-header from my configuration.

Thanks for the reply.

Angelo