Why is this domain spoofing.

Robert Lopez rlopezcnm at gmail.com
Mon Nov 9 18:18:56 GMT 2009


On Mon, Nov 9, 2009 at 9:50 AM, Alex Neuman <alex at rtpty.com> wrote:
> Spam is one thing, your antivirus kicking in because your newsletter's
> overcomplicated, unnecessary HTML-laden format matches a phishing-type
> message is another.
> You would have to correct that - since nothing guarantees the other end (the
> recipient's server) won't think the same thing, even though you whitelist it
> on your side.
> Disable virus scanning for those IPs (a bad thing, if you ask me) or modify
> the signatures in your AV to avoid the false positive, if you want the
> problem to go away (as opposed to solving it).
>
> On Nov 9, 2009, at 11:08 AM, Robert Lopez wrote:
>
>> Yesterday every member of the honor society at this college had their
>> newsletter blocked for Phishing.Heuristics.Email.SpoofedDomain.
>>
>> It is not clear to me why. It appears to me the domain is always
>> ptk.org and elist.ptk.org is simply a mail system within that domain
>> so nothing is spoofed.
>>
>> After they were blocked last month I thought I whitelisted them:
>> From:      12.230.142.18  OK  # elist.ptk.org
>> From:      12.230.142.9    OK  # ptk.org
>> are already in /etc/MailScanner/rules/spam.whitelist.rules
>>
>> How can I prevent these from being blocked?  Am I misunderstanding how
>> to whitelist SpoofedDomain-s?
>>
>> This is the report:
>> The following e-mails were found to have: Virus Detected
>>
>>   Sender:
>> golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu at elist.ptk.org
>> IP Address: 12.230.142.18
>> Recipient: xxxxxx at cnm.edu
>>  Subject: GOLDEN KEY NEWS BRIEFS FOR November  6, 2009
>> MessageID: 53BDB10A5.B6931
>> Quarantine:
>>   Report: Clamd:  message was infected:
>> Phishing.Heuristics.Email.SpoofedDomain
>>
>> Full headers are:
>>
>> Received: from elist.ptk.org (elist.ptk.org [12.230.142.18])
>>        by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5
>>        for <xxxxxx at cnm.edu>; Sat,  7 Nov 2009 10:40:20 -0700 (MST)
>> Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600
>> Mailing-List: contact golden_key_news_brief_htm-help at elist.ptk.org;
>> run by ezmlm
>> Precedence: bulk
>> X-No-Archive: yes
>> List-Post: <mailto:golden_key_news_brief_htm at elist.ptk.org>
>> List-Help: <mailto:golden_key_news_brief_htm-help at elist.ptk.org>
>> List-Unsubscribe:
>>
>> <mailto:golden_key_news_brief_htm-unsubscribe-rganley=cnm.edu at elist.ptk.org>
>> List-Subscribe: <mailto:golden_key_news_brief_htm-subscribe at elist.ptk.org>
>> X-You-are-Subscribed-As: <xxxxxx at cnm.edu>
>> From: Golden Key News Brief <news_service at ptk.org>
>> To: GKNB subscribers <xxxxxx at cnm.edu>
>> Mime-Version: 1.0
>> Content-Type: text/html
>> Delivered-To: mailing list golden_key_news_brief_htm at elist.ptk.org
>> Date: Fri,  6 Nov 2009 23:41:40 +0000
>> Subject: GOLDEN KEY NEWS BRIEFS FOR November  6, 2009
>> Message-Id: <20091107174020.53BDB10A5 at mg06.cnm.edu>
>>
>>
>>
>>
>> --
>> Robert Lopez
>> Unix Systems Administrator
>> Central New Mexico Community College (CNM)
>> 525 Buena Vista SE
>> Albuquerque, New Mexico 87106
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

I had the office of PTK that sent out the newsletter send it to me at
my Gmail address. The newsletter has a lot of URLs for addresses not
at ptk.org. Perhaps that may be part of the problem. They then sent
the newsletter to my cnm.edu address inline rather than as an
attachment. That was delivered to me via one of the same email
gateways that blocked all the previous email. That seems to mean the
content checking for inline email is different from the content
checking for attachments.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
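As an added illustration (not code from this thread, ClamAV or MailScanner), a Python sketch of the kind of check a SpoofedDomain-style heuristic makes on an HTML newsletter: an anchor whose visible text looks like a URL on one host while its href points at a different host. It runs on a constructed newsletter fragment; the real ClamAV phishing module is more elaborate, so this is only an approximation of the idea.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample newsletter body (not the real PTK mailing). Link 1 shows one
# domain in its text but points elsewhere; link 2 is consistent; link 3 has
# plain-word text, so it makes no domain claim and is not judged.
SAMPLE_HTML = """<html><body>
<p>Visit <a href="http://www.example.net/login">http://www.ptk.org/members</a></p>
<p>Visit <a href="http://www.ptk.org/news">www.ptk.org/news</a></p>
<p><a href="http://www.example.org/">Read more</a></p>
</body></html>"""

# Anchor text that "looks like a URL": optional scheme, a dotted host, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def norm_host(url_or_text: str) -> str:
    """Hostname of an href or of URL-looking text, lowercased, leading 'www.' dropped."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    host = (urlparse(url_or_text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def spoofed_links(html: str):
    """Return (href, text) pairs whose URL-looking text names a host other than the href's."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if URL_LIKE.match(text) and norm_host(text) != norm_host(href)]
```

Only the first sample link is reported; a newsletter full of links to other domains is not flagged by this check unless the link text itself claims a different domain than the target.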

