Hi Steve,

I can see a lot of false positives on all of my mailservers related to domain "info.aukro.cz". These emails are not being sent from a spoofed domain. See attached header. They are sent from an auction server - regular newsletter.

ClamAV kills it, but SpamAssassin itself gives it green lights.
Content analysis details: (-6.0 points, 6.5 required)

I admit that this server has had some phishing issues in the past, but this is not the case.

Steve, could you please check it out?

Thanks a lot.
RK

_____________________
SPAMASSASSIN test:

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.1 RCVD_IN_HOSTKARMA_NO   RBL: HostKarma: relay in NO-BL (varies)
                            [178.21.155.22 listed in hostkarma.junkemailfilter.com]
-0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
 0.0 T_FRT_CONTACT          BODY: ReplaceTags: Contact
 0.4 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-6.3 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid

_________________________________
CLAMAV scan:

A virus was found: Heuristics.Phishing.Email.SpoofedDomain

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 23700-19/Z2vNqCtaSj6D

Return-Path: <aukro@xxxxxxxxxxxxx>
X-Mailer: nlserver, Build 5.11.5812
Message-ID: <NM63898391B00906604allegro_prod_mid1@xxxxxxxxxxxxx>
Subject: =?utf-8?B?WnJ1xaFpbGkganNtZSB2w6Fub8SNbsOtIHbDvW1sdXZ1IMSNLiA=?=
 =?utf-8?B?MjogTmVtw6FtIG5hIHRvISA3MCUgc2xldmEgbmEgSG9kaW5reSBSZXBsYXk=?=
 =?utf-8?B?LiA=?=

The message has been quarantined as: virus-Z2vNqCtaSj6D

Notification to sender will not be mailed.

The message WAS NOT relayed to:
<inyyyy@xxxxxxxxxxx>:
   250 2.7.0 Ok, discarded, id=23700-19 - VIRUS: Heuristics.Phishing.Email.SpoofedDomain

Virus scanner output:
  p001: Heuristics.Phishing.Email.SpoofedDomain FOUND

Return-Path: <aukro@xxxxxxxxxxxxx>
Received: from mta-all22.info.aukro.cz (mta-all22.info.aukro.cz [178.21.155.22])
 by mail.ille.sk (Postfix) with ESMTP id 0FDF31104AE
 for <stejskal@xxxxxxxxxx>; Thu, 6 Dec 2012 16:35:01 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=neolane; d=info.aukro.cz;
 h=domainkey-signature:from:date:subject:to:reply-to:mime-version:x-mailer:message-id:list-unsubscribe:content-type;
 bh=bRnb2dYw2uxEVO09VtIplj7lv4Knztxt2FNmwbuAjVE=;
 b=lnbFWUlsQUV7PLG3V5dQXooEyGU108gPsBU+PhcJZxgmEG78b+D1p+rzxAw2k9FCX71TmQcrseQT5/x4aJHZt86IyyTGUzIQ16fbTmE2zyYarXArCGHotNkYLRY90iL6nznsh3q/50NF0MpN6nffABn0wloJ8AGQACp2cQCelGQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=neolane; d=info.aukro.cz;
 h=From:Date:Subject:To:Reply-To:MIME-Version:X-mailer:Message-ID:List-Unsubscribe:Content-Type;
 b=JAkZZiAvoDFcd7pxsBnV3BPluNVz9wVcsPX/bFTdS2fIpHnd1cajaFEBnfsHHcc4LTQAkTQa3M7LbKvAZryDjV0fdA3ocQMb2/636ilxpagLuQNtLXZoXL8Yw2Ac4PU63QjLChgYvUaUnW8zAB6QbHl4Whnrr0SaMpuVrnpC4oU=
From: "Aukro.cz" <newsletter@xxxxxxxxxxxxx>
Date: Thu, 06 Dec 2012 16:35:05 +0100
Subject: =?utf-8?B?WnJ1xaFpbGkganNtZSB2w6Fub8SNbsOtIHbDvW1sdXZ1IMSNLiA=?=
 =?utf-8?B?MjogTmVtw6FtIG5hIHRvISA3MCUgc2xldmEgbmEgSG9kaW5reSBSZXBsYXk=?=
 =?utf-8?B?LiA=?=
To: <stejskal@xxxxxxxxxx>
Reply-To: "Aukro.cz" <reply@xxxxxxxxxxxxx>
MIME-Version: 1.0
X-mailer: nlserver, Build 5.11.5812
Message-ID: <NM63898391B00906604allegro_prod_mid1@xxxxxxxxxxxxx>
List-Unsubscribe: <mailto:abuse@xxxxxxxxxxxxx?subject=Unsubscribe Aukro>
Content-Type: multipart/alternative;
 boundary="----=_NextPart_916_BABCE3E6.BABCE3E6"