[sanesecurity] VIRUS (Heuristics.Phishing.Email.SpoofedDomain) in mail FROM (?) - false positive

  • From: "Robo Kupka" <robo@xxxxxxxx>
  • To: <sanesecurity@xxxxxxxxxxxxx>
  • Date: Thu, 6 Dec 2012 17:16:34 +0100

Hi Steve,

I can see a lot of false positives on all of my mailservers related to
domain "info.aukro.cz". These emails are not being sent from a spoofed
domain. See attached header. They are sent from an auction server - regular
newsletter.

ClamAV kills it, but SpamAssassin itself gives it green lights.
Content analysis details:   (-6.0 points, 6.5 required)


I admit that this server has had some phishing issues in the past, but this
is not the case.
Steve, could you please check it out?
Thanks a lot.

RK
_____________________

SPAMASSASSIN test:
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.1 RCVD_IN_HOSTKARMA_NO   RBL: HostKarma: relay in NO-BL (varies)
                            [178.21.155.22 listed in hostkarma.junkemailfilter.com]
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.0 T_FRT_CONTACT          BODY: ReplaceTags: Contact
 0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-6.3 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
_________________________________

CLAMAV scan:
A virus was found: Heuristics.Phishing.Email.SpoofedDomain

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 23700-19/Z2vNqCtaSj6D


Return-Path: <aukro@xxxxxxxxxxxxx>
X-Mailer: nlserver, Build 5.11.5812
Message-ID: <NM63898391B00906604allegro_prod_mid1@xxxxxxxxxxxxx>
Subject: =?utf-8?B?WnJ1xaFpbGkganNtZSB2w6Fub8SNbsOtIHbDvW1sdXZ1IMSNLiA=?=
  =?utf-8?B?MjogTmVtw6FtIG5hIHRvISA3MCUgc2xldmEgbmEgSG9kaW5reSBSZXBsYXk=?=
  =?utf-8?B?LiA=?=
The message has been quarantined as: virus-Z2vNqCtaSj6D

Notification to sender will not be mailed.

The message WAS NOT relayed to:
<inyyyy@xxxxxxxxxxx>:
   250 2.7.0 Ok, discarded, id=23700-19 - VIRUS:
Heuristics.Phishing.Email.SpoofedDomain

Virus scanner output:
  p001: Heuristics.Phishing.Email.SpoofedDomain FOUND

Return-Path: <aukro@xxxxxxxxxxxxx>
Received: from mta-all22.info.aukro.cz (mta-all22.info.aukro.cz [178.21.155.22])
        by mail.ille.sk (Postfix) with ESMTP id 0FDF31104AE
        for <stejskal@xxxxxxxxxx>; Thu,  6 Dec 2012 16:35:01 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        s=neolane;
        d=info.aukro.cz;
        h=domainkey-signature:from:date:subject:to:reply-to:mime-version:x-mailer:message-id:list-unsubscribe:content-type;
        bh=bRnb2dYw2uxEVO09VtIplj7lv4Knztxt2FNmwbuAjVE=;
        b=lnbFWUlsQUV7PLG3V5dQXooEyGU108gPsBU+PhcJZxgmEG78b+D1p+rzxAw2k9FCX71TmQcrseQT5/x4aJHZt86IyyTGUzIQ16fbTmE2zyYarXArCGHotNkYLRY90iL6nznsh3q/50NF0MpN6nffABn0wloJ8AGQACp2cQCelGQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
        s=neolane;
        d=info.aukro.cz;
        h=From:Date:Subject:To:Reply-To:MIME-Version:X-mailer:Message-ID:List-Unsubscribe:Content-Type;
        b=JAkZZiAvoDFcd7pxsBnV3BPluNVz9wVcsPX/bFTdS2fIpHnd1cajaFEBnfsHHcc4LTQAkTQa3M7LbKvAZryDjV0fdA3ocQMb2/636ilxpagLuQNtLXZoXL8Yw2Ac4PU63QjLChgYvUaUnW8zAB6QbHl4Whnrr0SaMpuVrnpC4oU=
From: "Aukro.cz" <newsletter@xxxxxxxxxxxxx>
Date: Thu, 06 Dec 2012 16:35:05 +0100
Subject: =?utf-8?B?WnJ1xaFpbGkganNtZSB2w6Fub8SNbsOtIHbDvW1sdXZ1IMSNLiA=?=
 =?utf-8?B?MjogTmVtw6FtIG5hIHRvISA3MCUgc2xldmEgbmEgSG9kaW5reSBSZXBsYXk=?=
 =?utf-8?B?LiA=?=
To: <stejskal@xxxxxxxxxx>
Reply-To: "Aukro.cz" <reply@xxxxxxxxxxxxx>
MIME-Version: 1.0
X-mailer: nlserver, Build 5.11.5812
Message-ID: <NM63898391B00906604allegro_prod_mid1@xxxxxxxxxxxxx>
List-Unsubscribe: <mailto:abuse@xxxxxxxxxxxxx?subject=Unsubscribe Aukro>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_916_BABCE3E6.BABCE3E6"
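Added example, not part of the post or of sanesecurity's own tooling: a small Python check of the identifier alignment that the quoted headers and the DKIM_VALID_AU / RP_MATCHES_RCVD hits reflect (From domain vs. DKIM d=, envelope sender vs. handover relay). The redacted addresses are assumed here to be under info.aukro.cz, the domain the report names; signature values are placeholders and nothing cryptographic is verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above. The post redacts the
# addresses; ASSUMED here to be under info.aukro.cz. Signature values are dummies.
SAMPLE = """\
Return-Path: <aukro@info.aukro.cz>
Received: from mta-all22.info.aukro.cz (mta-all22.info.aukro.cz [178.21.155.22])
        by mail.ille.sk (Postfix) with ESMTP id 0FDF31104AE
        for <stejskal@example.invalid>; Thu,  6 Dec 2012 16:35:01 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        s=neolane;
        d=info.aukro.cz;
        h=from:date:subject:to; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: "Aukro.cz" <newsletter@info.aukro.cz>

"""

def domain_of(header):
    """Domain part of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(header or "")
    return addr.rpartition("@")[2].lower()

def dkim_tags(sig):
    """Parse the tag=value list of a (possibly folded) DKIM-Signature value."""
    pairs = (p.split("=", 1) for p in re.split(r";\s*", sig or "") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def relay_host(received):
    """rDNS name of the handover relay, taken from the Received: header."""
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[[\d.]+\]\)", received or "")
    return m.group(1).lower() if m else ""

def alignment_report(raw):
    """Alignment checks behind the 'not spoofed' argument above. Mirrors what
    DKIM_VALID_AU / RP_MATCHES_RCVD assert; does NOT verify the signature itself."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    d = dkim_tags(msg["DKIM-Signature"]).get("d", "").lower()
    relay = relay_host(msg["Received"])
    return {
        "from_domain": from_dom, "return_path_domain": rp_dom,
        "dkim_d": d, "relay": relay,
        "dkim_author_aligned": bool(d) and d == from_dom,
        "return_path_matches_relay": bool(rp_dom)
        and (relay == rp_dom or relay.endswith("." + rp_dom)),
    }
```

Both alignment flags come out true for the sample, which is what the SpamAssassin hits say; an actual signature check would still need the neolane._domainkey record from DNS.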
