Why is this domain spoofing.

Robert Lopez rlopezcnm at gmail.com
Mon Nov 9 16:58:09 GMT 2009


On Mon, Nov 9, 2009 at 9:20 AM, Michael Masse <mrm at medicine.wisc.edu> wrote:
> It appears to me that Clamd is what's tripping the rule and not spamassassin. I am a couple of versions behind so I'm not running a version capable of using the spam detection stuff within Clam, but I believe there is probably a similar rules file like spam.whitelist.rules for the virus scanners as well that you would need to put them in. Since I'm not actually running a new version of MS I don't know this for sure, but since just about every other option can have a rules file, my guess is that this does too.
>
> -Mike
>
>
>>>> On 11/9/2009 at 10:08 AM, in message
> <edbd9f430911090808i68c0be74r5707bee9ab47de94 at mail.gmail.com>, Robert Lopez
> <rlopezcnm at gmail.com> wrote:
>> Yesterday every member of the honor society at this college had their
>> newsletter blocked for Phishing.Heuristics.Email.SpoofedDomain.
>>
>> It is not clear to me why. It appears to me the domain is always
>> ptk.org and elist.ptk.org is simply a mail system within that domain
>> so nothing is spoofed.
>>
>> After they were blocked last month I thought I white listed them:
>> From:      12.230.142.18  OK  # elist.ptk.org
>> From:      12.230.142.9    OK  # ptk.org
>> are already in /etc/MailScanner/rules/spam.whitelist.rules
>>
>> How can I prevent these from being blocked?  Am I misunderstanding how
>> to whitelist SpoofedDomain-s?
>>
>> This is the report:
>> The following e-mails were found to have: Virus Detected
>>
>>     Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu at elist.ptk.org
>> IP Address: 12.230.142.18
>>  Recipient: xxxxxx at cnm.edu
>>    Subject: GOLDEN KEY NEWS BRIEFS FOR November  6, 2009
>>  MessageID: 53BDB10A5.B6931
>> Quarantine:
>>     Report: Clamd:  message was infected:
>> Phishing.Heuristics.Email.SpoofedDomain
>>
>> Full headers are:
>>
>>  Received: from elist.ptk.org (elist.ptk.org [12.230.142.18])
>>       by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5
>>       for <xxxxxx at cnm.edu>; Sat,  7 Nov 2009 10:40:20 -0700 (MST)
>>  Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600
>>  Mailing-List: contact golden_key_news_brief_htm-help at elist.ptk.org;
>> run by ezmlm
>>  Precedence: bulk
>>  X-No-Archive: yes
>>  List-Post: <mailto:golden_key_news_brief_htm at elist.ptk.org>
>>  List-Help: <mailto:golden_key_news_brief_htm-help at elist.ptk.org>
>>  List-Unsubscribe:
>> <mailto:golden_key_news_brief_htm-unsubscribe-rganley=cnm.edu at elist.ptk.org>
>>  List-Subscribe: <mailto:golden_key_news_brief_htm-subscribe at elist.ptk.org>
>>  X-You-are-Subscribed-As: <xxxxxx at cnm.edu>
>>  From: Golden Key News Brief <news_service at ptk.org>
>>  To: GKNB subscribers <xxxxxx at cnm.edu>
>>  Mime-Version: 1.0
>>  Content-Type: text/html
>>  Delivered-To: mailing list golden_key_news_brief_htm at elist.ptk.org
>>  Date: Fri,  6 Nov 2009 23:41:40 +0000
>>  Subject: GOLDEN KEY NEWS BRIEFS FOR November  6, 2009
>>  Message-Id: <20091107174020.53BDB10A5 at mg06.cnm.edu>
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Mike,

I am running MailScanner version 4.74.16 from Ubuntu distribution.

What makes it look like Clamd? I know there is the line "Report:
Clamd:  message was infected:" but I am not aware of Clam looking for
spoofed domains.
-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
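An added check, not part of the thread: a small Python script that parses whitelist lines in the format quoted above and pulls the connecting IP from the outermost Received: header of the quoted message, to confirm that the whitelist entry really matches the host the local MTA accepted the message from. The rule and header text are copied from the thread; the script assumes rule values are plain IPs or CIDR blocks (hostname values are not handled), and the helper names are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the two whitelist lines quoted in the thread
# (/etc/MailScanner/rules/spam.whitelist.rules).
WHITELIST_RULES = """\
From:      12.230.142.18  OK  # elist.ptk.org
From:      12.230.142.9    OK  # ptk.org
"""

# Constructed from the quoted headers: the outermost Received: line is the
# one mg06.cnm.edu itself added; the bracketed address is the peer IP.
RECEIVED_HEADERS = [
    "Received: from elist.ptk.org (elist.ptk.org [12.230.142.18]) "
    "by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5",
    "Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600",
]

def parse_rules(text):
    """Parse 'From: <ip-or-cidr> OK # comment' lines into (dir, net, action)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip trailing comment
        if not line:
            continue
        direction, value, action = line.split()[:3]
        rules.append((direction.rstrip(":").lower(),
                      ip_network(value, strict=False),   # bare IP -> /32
                      action.upper()))
    return rules

def connecting_ip(received_headers):
    """Return the bracketed peer IP from the first (outermost) Received: header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_headers[0])
    return ip_address(m.group(1)) if m else None

def whitelisted(ip, rules):
    """True if any From: rule marked OK covers the connecting IP."""
    return any(d == "from" and ip in net and a == "OK" for d, net, a in rules)

def is_subdomain_of(host, domain):
    """True when host is domain itself or a label under it (elist.ptk.org / ptk.org)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

if __name__ == "__main__":
    rules = parse_rules(WHITELIST_RULES)
    peer = connecting_ip(RECEIVED_HEADERS)
    print(peer, "whitelisted:", whitelisted(peer, rules))
    print("elist.ptk.org under ptk.org:", is_subdomain_of("elist.ptk.org", "ptk.org"))
```

A match here only shows the spam whitelist covers the sending host; as the reply above points out, the quarantine report comes from the virus scanner, which that file does not govern.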

