jamcc
Joined: 21 May 2007 |
Posts: 0 |
Posted: Mon May 21, 2007 2:00 pm |
I'm running ClamWin 0.90.2 with the latest daily updates.
I'm not sure if this is the correct place to post this issue, but just this past weekend (I cannot nail it to a particular day, but since approx Thurs or Fri), my mail server has been dropping outbound mail because it has detected an infection of Email.Phishing.RB-882 in the mail.
The scenario is like so:
User --> Mail Server 1
--Message is accepted
--Message is sent through Domain Keys signer plugin
--Message is sent to our outbound relay (Mail Server 2)
Mail Server 1 --> Mail Server 2
--Message is accepted
--Message is scanned by ClamAv.
--!!! Message is deleted because it contains Email.Phishing.RB-882.
Our Mail Server software on both sides is SmarterMail 4.x and the Domain Keys plug in is called DKeyEvent.
We were setting off any false positives prior, and this (I'm not sure if this is the correct place to post this issue, but just this past weekend (I cannot nail it to a particular day, but since approx Thurs or Fri), my mail server has been dropping outbound mail because it has detected an infection of Email.Phishing.RB-882 in the mail.
Our Mail Server software is SmarterMail 4.x, and the domain key plugin is called DKeyEvent. I will be asking on those support forums as well. I'm led to believe this is a Clam issue since I've not had this problem before, and I'm only being caught by the one (Email.Phishing.RB-882) virus. Every message is caught by this, regardless of sending domain, sender, or recipient, or recipient domain. Every message, every time, if it's been signed, is flagged as this virus.
Thanks in advance...
Angelo
b0ne
Joined: 26 Oct 2006 |
Posts: 0 |
Posted: Mon May 21, 2007 2:55 pm |
jamcc wrote: |
We were setting off any false positives prior, and this (I'm not sure if this is the correct place to post this issue, but just this past weekend (I cannot nail it to a particular day, but since approx Thurs or Fri), my mail server has been dropping outbound mail because it has detected an infection of Email.Phishing.RB-882 in the mail. |
The signature is the following string: "https://www.declude.com/x-note.htm" If your email messages contain that string anywhere in their body, it will be flagged as that signature. Can you verify that the messages do not contain that string?
jamcc
Joined: 21 May 2007 |
Posts: 0 |
Posted: Mon May 21, 2007 2:59 pm |
Yes, we have Declude...
But, so do a lot of legitimate people. Declude is a commercial product, and this will be pretty detrimental to their paying customers.
Since I've been fire-fighting this all morning, I have come across Declude mentioned as a culprit. I've disabled that X-header from my configuration.
Thanks for the reply.
Angelo
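One way to run the check b0ne asks for, added here as an example that is not part of the original thread: it reports whether the quoted signature string sits in a header or in a decoded body part of a message. The sample messages and the header name X-Example-Note are constructed for illustration, and the script only locates the string; it does not reproduce ClamAV's own matching.

```python
import base64
import email
from email import policy

# String that b0ne's reply gives as the content of Email.Phishing.RB-882.
SIGNATURE_STRING = "https://www.declude.com/x-note.htm"

def locate(raw_message, needle=SIGNATURE_STRING):
    """List where needle occurs: ("header", name) or ("body", content type)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = [("header", name) for name, value in msg.items() if needle in str(value)]
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding.
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label
            text = payload.decode("utf-8", "replace")
        if needle in text:
            hits.append(("body", part.get_content_type()))
    return hits

# Constructed sample messages; X-Example-Note is a made-up header name.
HEADERS = b"From: user@example.com\r\nTo: rcpt@example.org\r\nSubject: test\r\n"
IN_HEADER = (HEADERS + b"X-Example-Note: see " + SIGNATURE_STRING.encode()
             + b"\r\n\r\nHello.\r\n")
IN_BODY = (HEADERS + b"Content-Type: text/plain; charset=utf-8\r\n"
           b"Content-Transfer-Encoding: base64\r\n\r\n"
           + base64.b64encode(b"See " + SIGNATURE_STRING.encode()) + b"\r\n")
CLEAN = HEADERS + b"\r\nHello.\r\n"

if __name__ == "__main__":
    for label, raw in (("header", IN_HEADER), ("body", IN_BODY), ("clean", CLEAN)):
        print(label, locate(raw))
```

Running it over a message captured before and after the signing step shows which hop adds the string.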