Why is this domain spoofing.

Robert Lopez rlopezcnm at gmail.com
Mon Nov 9 16:58:09 GMT 2009

On Mon, Nov 9, 2009 at 9:20 AM, Michael Masse <mrm at medicine.wisc.edu> wrote:
> It appears to me that Clamd is what's tripping the rule and not spamassassin.    I am a couple of versions behind so I'm not running a version capable of using the spam detection stuff within Clam, but I believe there is probably a similar rules file like spam.whitelist.rules for the virus scanners as well that you would need to put them in.   Since I'm not actually running a new version of MS I don't know this for sure, but since just about every other option can have a rules file, my guess is that this does too.
> -Mike
>>>> On 11/9/2009 at 10:08 AM, in message
> <edbd9f430911090808i68c0be74r5707bee9ab47de94 at mail.gmail.com>, Robert Lopez
> <rlopezcnm at gmail.com> wrote:
>> Yesterday every member of the honor society at this college had their
>> newsletter blocked for Phishing.Heuristics.Email.SpoofedDomain.
>> It is not clear to me why. It appears to me the domain is always
>> ptk.org and elist.ptk.org is simply a mail system within that domain
>> so nothing is spoofed.
>> After they were blocked last month I thought I whitelisted them:
>> From:  OK  # elist.ptk.org
>> From:    OK  # ptk.org
>> are already in /etc/MailScanner/rules/spam.whitelist.rules
>> How can I prevent these from being blocked?  Am I misunderstanding how
>> to whitelist SpoofedDomain-s?
>> This is the report:
>> The following e-mails were found to have: Virus Detected
>>     Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu at elist.ptk.org
>> IP Address:
>>  Recipient: xxxxxx at cnm.edu
>>    Subject: GOLDEN KEY NEWS BRIEFS FOR November  6, 2009
>>  MessageID: 53BDB10A5.B6931
>> Quarantine:
>>     Report: Clamd:  message was infected:
>> Phishing.Heuristics.Email.SpoofedDomain
>> Full headers are:
>>  Received: from elist.ptk.org (elist.ptk.org [])
>>       by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5
>>       for <xxxxxx at cnm.edu>; Sat,  7 Nov 2009 10:40:20 -0700 (MST)
>>  Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600
>>  Mailing-List: contact golden_key_news_brief_htm-help at elist.ptk.org;
>> run by ezmlm
>>  Precedence: bulk
>>  X-No-Archive: yes
>>  List-Post: <mailto:golden_key_news_brief_htm at elist.ptk.org>
>>  List-Help: <mailto:golden_key_news_brief_htm-help at elist.ptk.org>
>>  List-Unsubscribe:
>> <mailto:golden_key_news_brief_htm-unsubscribe-rganley=cnm.edu at elist.ptk.org>
>>  List-Subscribe: <mailto:golden_key_news_brief_htm-subscribe at elist.ptk.org>
>>  X-You-are-Subscribed-As: <xxxxxx at cnm.edu>
>>  From: Golden Key News Brief <news_service at ptk.org>
>>  To: GKNB subscribers <xxxxxx at cnm.edu>
>>  Mime-Version: 1.0
>>  Content-Type: text/html
>>  Delivered-To: mailing list golden_key_news_brief_htm at elist.ptk.org
>>  Date: Fri,  6 Nov 2009 23:41:40 +0000
>>  Subject: GOLDEN KEY NEWS BRIEFS FOR November  6, 2009
>>  Message-Id: <20091107174020.53BDB10A5 at mg06.cnm.edu>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> Before posting, read http://wiki.mailscanner.info/posting
> Support MailScanner development - buy the book off the website!


I am running  MailScanner version 4.74.16 from Ubuntu distribution.

What makes it look like Clamd? I know there is the line "Report:
Clamd:  message was infected:" but I am not aware of Clam looking for
spoofed domains.
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
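As an added illustration (not code from this thread, from MailScanner or from ClamAV), the check below looks at the link property that spoofed-domain phishing heuristics examine in an HTML body: an anchor whose visible text is a URL on a different host than its href. The HTML fragment is constructed, since the post shows only the headers (Content-Type: text/html) and not the body; a strict hostname comparison flags www.ptk.org against elist.ptk.org, while comparing registrable domains treats the two as one organisation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for the newsletter body. The first link's
# visible text names www.ptk.org while the href points at elist.ptk.org.
SAMPLE_HTML = """<p>Read the brief at <a href="http://elist.ptk.org/r/296">http://www.ptk.org/news</a>
or visit <a href="http://www.ptk.org/">http://www.ptk.org/</a>.</p>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude organisational domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def spoofed_links(html, strict=True):
    """Return (visible text, href) for links whose URL-looking text names a
    different host than the href. strict=True compares full hostnames
    (www.ptk.org != elist.ptk.org); strict=False compares registrable
    domains, so sibling hosts of one organisation are not flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not re.match(r"^(https?://|www\.)", text, re.I):
            continue  # visible text is not URL-like; the heuristic does not apply
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if not shown or not real:
            continue
        same = shown == real if strict else registrable_domain(shown) == registrable_domain(real)
        if not same:
            hits.append((text, href))
    return hits
```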
