Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
Post subject: clamav blocking genuine ebay emails
Posted: Mon Dec 12, 2011 11:06 am
Long Time Forum Regular | Joined: Thu Dec 09, 2004 11:19 am | Posts: 2005
Do any of you quarantine virus emails, or do you all drop them like we do?

The problem is that HTML.Phishing.Auction-214 appears to be blocking genuine ebay emails. Unfortunately this is causing a bit of a load on our servers as loads of these are getting sent and resent and resent, in large numbers.

Code:
Mon, 12 Dec 2011 14:53:23 GMT:21949: g_e_h: return-path='REDACTED@ebay.emarsys.net', recips='customer@domain.co.uk'
Mon, 12 Dec 2011 14:53:23 GMT:21949: from='"eBay" <eBay@reply.ebay.co.uk>', subj='Great deals on a selection of gifts, REDACTED', via SMTP from e3pmta194.emarsys.net
Mon, 12 Dec 2011 14:53:23 GMT:21949: clamdscan: there be a virus! (HTML.Phishing.Auction-214)


There's nothing I can do about this without the actual email in question. If anybody has a copy then maybe we can report it as a false positive.

All I know is that emarsys.net genuinely sends marketing emails on behalf of ebay (at least according to Google), which is why I assume these emails are genuine.

This has been going on for several weeks now. I'm surprised someone else hasn't caught it and reported it.

Or am I sooo totally wrong I'm going to feel very stupid?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

Post subject: Re: clamav blocking genuine ebay emails
Posted: Mon Dec 12, 2011 12:05 pm
Forum Regular | Joined: Wed Jan 02, 2008 3:21 pm | Posts: 515 | Location: United Kingdom
Hi faris,

Have the exact same problem and like you, realised no delivery = no fp report + expected it to have been rectified already. Not sure what to do next...

Post subject: Re: clamav blocking genuine ebay emails
Posted: Mon Dec 12, 2011 1:39 pm
Long Time Forum Regular | Joined: Thu Dec 09, 2004 11:19 am | Posts: 2005
Oh dear.

I just checked the config files, and I see no way to make clamd quarantine. Spam can be quarantined via qmail-scanner.ini, but there doesn't appear to be an option for viruses either there or in clamd.conf

Post subject: Re: clamav blocking genuine ebay emails
Posted: Mon Dec 12, 2011 1:45 pm
Atomicorp Staff - Site Admin | Joined: Thu Feb 07, 2008 7:49 pm | Posts: 3545 | Location: Chantilly, VA
qmail-scanner will quarantine viruses. It puts them into a maildir named "viruses/", policy-blocks into "policy/" and (potentially) high-rated SPAM into "spam/".

Quote:
All I know is that emarsys.net genuinely sends marketing emails on behalf of ebay (at least according to Google), which is why I assume these emails are genuine.


How does the MTA determine the FQDN? Is it just doing a forward lookup? If so, that's trivial to forge. If it's not doing a forward and reverse on that, then you can't trust an FQDN in your logs as the source, only the IP.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: clamav blocking genuine ebay emails
Posted: Mon Dec 12, 2011 5:42 pm
Long Time Forum Regular | Joined: Thu Dec 09, 2004 11:19 am | Posts: 2005
Good point as usual Mike.

In this case it is origin_ip: 91.194.249.192 origin_rdns: e3pmta192.emarsys.net

inetnum: 91.194.248.0 - 91.194.249.255
netname: EMARSYS-NET
descr: emarsys eMarketing Systems AG

So, it is legit unless they have faked the WHOIS as well (not impossible).

However, there are no hallmarks of viruses or anything.

But beeping beep Mike. I didn't know about those directories. They are full of crap, including twelve zillion of these particular messages.

I've submitted it as an FP. It was hard to find the link. Same page as submitting an actual virus, but you need to select the "this is a false positive..." option.

Can I ask that anybody else with the same problem please do the same?

I'm really going to kick myself if I've got this wrong.......

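Mike's point in the previous reply is that a hostname in the log is only meaningful if the PTR record for the sending IP resolves forward to that same IP (forward-confirmed reverse DNS); otherwise the IP is the only identifier you can trust. The following is an added example (not code from this thread or from qmail-scanner) that applies that check to the "origin_ip ... origin_rdns" pair faris quoted above. The resolver tables are constructed so the script runs offline: the emarsys entry replays the thread's own values, the 203.0.113.x and 198.51.100.x entries are hypothetical test addresses, and the function names are my own.

```python
import re
import socket

# Constructed sample resolver tables standing in for DNS, so the check
# runs offline. The first entry replays the origin_ip / origin_rdns pair
# quoted in the thread; the others are hypothetical (RFC 5737 test
# addresses) and exercise the two failure modes.
SAMPLE_PTR = {
    "91.194.249.192": "e3pmta192.emarsys.net",  # from the thread
    "203.0.113.55": "mail.example.net",         # hypothetical: PTR exists, forward disagrees
    # 198.51.100.7 deliberately has no PTR record
}
SAMPLE_A = {
    "e3pmta192.emarsys.net": ["91.194.249.192"],
    "mail.example.net": ["203.0.113.10"],
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)


def sample_a(name):
    return SAMPLE_A.get(name, [])


def live_ptr(ip):
    """Real reverse lookup via the system resolver (not used offline)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_a(name):
    """Real forward lookup via the system resolver (not used offline)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def fcrdns(ip, ptr_lookup=sample_ptr, a_lookup=sample_a):
    """Forward-confirmed reverse DNS.

    Returns (verdict, hostname). Only 'fcrdns-ok' means the hostname may
    be treated as belonging to the sending IP; in every other case the IP
    is the only trustworthy identifier in the log.
    """
    name = ptr_lookup(ip)
    if not name:
        return ("no-ptr", None)
    name = name.rstrip(".").lower()
    if ip in a_lookup(name):
        return ("fcrdns-ok", name)
    return ("ptr-not-confirmed", name)


# Matches the 'origin_ip: ... origin_rdns: ...' fragment quoted in the thread.
LOG_RE = re.compile(r"origin_ip:\s*(\S+)\s+origin_rdns:\s*(\S+)")


def check_log_line(line, ptr_lookup=sample_ptr, a_lookup=sample_a):
    """Parse an origin_ip/origin_rdns fragment and report whether the
    logged hostname is backed by forward-confirmed rDNS."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ip, logged_name = m.group(1), m.group(2).lower()
    verdict, confirmed = fcrdns(ip, ptr_lookup, a_lookup)
    return {
        "ip": ip,
        "logged_rdns": logged_name,
        "verdict": verdict,
        # Trust the name only if it is confirmed AND matches what was logged.
        "trust_hostname": verdict == "fcrdns-ok" and confirmed == logged_name,
    }


if __name__ == "__main__":
    for line in [
        "origin_ip: 91.194.249.192 origin_rdns: e3pmta192.emarsys.net",  # from the thread
        "origin_ip: 203.0.113.55 origin_rdns: mail.example.net",         # constructed
        "origin_ip: 198.51.100.7 origin_rdns: unknown",                  # constructed
    ]:
        print(check_log_line(line))
```

To run it against live DNS instead of the constructed tables, pass `ptr_lookup=live_ptr, a_lookup=live_a`. Even a passing FCrDNS check only ties the hostname to the IP; whether that IP range belongs to a legitimate sender is the separate WHOIS question faris answers in the post above.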

Post subject: Re: clamav blocking genuine ebay emails
Posted: Tue Dec 13, 2011 12:30 am
Atomicorp Staff - Site Admin | Joined: Thu Feb 07, 2008 7:49 pm | Posts: 3545 | Location: Chantilly, VA
Quote:
But beeping beep Mike. I didn't know about those directories. They are full of crap, including twelve zillion of these particular messages.


Oh yeah, they can fill up. We have a script that runs weekly to clean them out. We figure if none of our personnel holler about something not arriving, by one week it's not gonna happen. (Plus with the nightly backups technically we have those quarantined emails for a year.)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
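Mike describes a weekly script that empties the quarantine maildirs once nobody has missed a message for a week. The following is an added example of such a cleanup, written by me rather than Atomicorp's actual script. It assumes the three maildir names named earlier in the thread ("viruses/", "policy/", "spam/") under a quarantine root whose path (/var/spool/qscan/quarantine) is a placeholder to be replaced with the real one, and the function names are my own.

```sh
#!/bin/sh
# Added example (not Atomicorp's script): delete quarantined mail older
# than N days from the qmail-scanner maildirs named in the thread.
# QUARANTINE_ROOT is an assumed placeholder; set it to the real path.
QUARANTINE_ROOT="${QUARANTINE_ROOT:-/var/spool/qscan/quarantine}"
SUBDIRS="viruses policy spam"

# list_expired DIR DAYS: print files under DIR (maildir cur/new/tmp
# included) whose modification time is more than DAYS full days old.
# Note: find's -mtime +N rounds to whole days, so "+7" means 8 days or older.
list_expired() {
    find "$1" -type f -mtime +"$2" 2>/dev/null
}

# purge_quarantine ROOT DAYS: remove expired files from each quarantine
# subdir that exists; print the number removed and return 0.
purge_quarantine() {
    root="$1"; days="$2"; removed=0
    for sub in $SUBDIRS; do
        [ -d "$root/$sub" ] || continue
        n=$(list_expired "$root/$sub" "$days" | wc -l | tr -d ' ')
        find "$root/$sub" -type f -mtime +"$days" -exec rm -f {} +
        removed=$((removed + n))
    done
    echo "$removed"
}

# Stand-alone use: ./purge_quarantine.sh --run [DAYS]; 7 days by default.
if [ "${1:-}" = "--run" ]; then
    purge_quarantine "$QUARANTINE_ROOT" "${2:-7}"
fi
```

Run `list_expired "$QUARANTINE_ROOT/viruses" 7` first to see what a purge would remove, then schedule the `--run` form from cron once a week. As Mike notes, the nightly backups are what let the live quarantine be trimmed this aggressively; if a message is missed after the purge, it is recovered from backup rather than from the maildir.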