<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style>
<!--
@font-face
{font-family:Calibri}
@font-face
{font-family:Tahoma}
@font-face
{font-family:Consolas}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif"}
span.EstiloCorreo17
{font-family:"Calibri","sans-serif";
color:#1F497D}
span.EstiloCorreo18
{font-family:"Calibri","sans-serif";
color:#1F497D}
span.TextodegloboCar
{font-family:"Tahoma","sans-serif"}
.MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:70.85pt 3.0cm 70.85pt 3.0cm}
div.WordSection1
{}
-->
</style>
</head>
<body lang="ES" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">I have more information about this issue.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:38 xxxmail01 postfix/cleanup[31864]: CAF2942A: message-id=<<a href="mailto:1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com">1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com</a>></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:38 xxxmail01 postfix/qmgr[20672]: CAF2942A: from=<
<a href="mailto:bounces.usair@myusairways.com">bounces.usair@myusairways.com</a>>, size=65596, nrcpt=1 (queue active)</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:38 xxxmail01 amavis[31868]: (31868-14) ESMTP:[127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f: <<a href="mailto:%22%20bounces.usair%22@myusairways.com">"
bounces.usair"@myusairways.com</a>> -> <<a href="mailto:kkoch@sovereignbank.com">xxx</a>> SIZE=65596 Received: from xxxmail01 ([127.0.0.1]) by localhost (xxxmail01 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <<a href="mailto:kkoch@sovereignbank.com">kkoch@sovereignbank.com</a>>;
Fri, 13 Dec 2013 01:04:38 +0100 (CET)</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:red">Dec 13 01:04:38 xxxmail01 clamd[10387]: /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f/parts/p002: Email.Phishing.Blackhole FOUND</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:38 xxxmail01 amavis[31868]: (31868-14) Checking: aM6IjwPmd3CT <<a href="mailto:%22%20bounces.usair%22@myusairways.com">" bounces.usair"@myusairways.com</a>>
-> <<a href="mailto:kkoch@sovereignbank.com">xxx</a>></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:39 xxxmail01 postfix/cleanup[31880]: 03C1243B: message-id=<<a href="mailto:1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com">1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com</a>></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:39 xxxmail01 postfix/qmgr[20672]: 03C1243B: from=<
<a href="mailto:bounces.usair@myusairways.com">bounces.usair@myusairways.com</a>>, size=66066, nrcpt=1 (queue active)</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:39 xxxmail01 amavis[31868]: (31868-14) FWD from <<a href="mailto:%22%20bounces.usair%22@myusairways.com">" bounces.usair"@myusairways.com</a>> ->
<<a href="mailto:kkoch@sovereignbank.com">xxx</a>>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 03C1243B</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:red">Dec 13 01:04:39 xxxmail01 amavis[31868]: (31868-14) Passed CLEAN {RelayedOpenRelay}, [67.131.29.32] <<a href="mailto:%22%20bounces.usair%22@myusairways.com"><span style="color:red">"
bounces.usair"@myusairways.com</span></a>> -> <<a href="mailto:xxx"><span style="color:red">xxx</span></a>>, Message-ID: <<a href="mailto:1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com"><span style="color:red">1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com</span></a>>,
mail_id: aM6IjwPmd3CT, Hits: 0.1, size: 65595, queued_as: 03C1243B, 192 ms</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">Dec 13 01:04:40 xxxmail01 postfix/smtp[31523]: 03C1243B: to=<</span><span style="font-size:8.0pt; font-family:Consolas; color:black"><a href="mailto:kkoch@sovereignbank.com"><span lang="EN-US">xxx</span></a></span><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">>,
relay=xxx[180.88.65.16]:25, delay=1.4, delays=0.01/0/0.03/1.4, dsn=2.6.0, status=sent (250 2.6.0 <</span><span style="font-size:8.0pt; font-family:Consolas; color:black"><a href="mailto:1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com"><span lang="EN-US">1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS@myusairways.com</span></a></span><span lang="EN-US" style="font-size:8.0pt; font-family:Consolas; color:black">>
[InternalId=14185593] Queued mail for delivery)</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Even clamav detect the email as virus, amavis consider it as “Passed CLEAN”, and deliver the message.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">I have search the from email in internet, and I have found a post with this same problem, but it appears to be a false positive:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><a href="https://discussions.apple.com/thread/5528961?start=15&tstart=0"><span lang="EN-US">https://discussions.apple.com/thread/5528961?start=15&tstart=0</span></a><span lang="EN-US"></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">I have this directive configured on clamav, to avoid Euristic discards:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">PhishingScanURLs no</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Is it been used to not scan also Email.Phishing.Blackhole?</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Regards</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">David Sanz</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt; font-family:"Arial","sans-serif"; color:gray">David Sanz</span></b><b><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:gray"> | SO Unix | Cloud Platforms | Global Systems |</span></b><b><span style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:red">
Produban – Grupo Santander</span></b><b><span style="font-family:"Arial","sans-serif"; color:gray"></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:gray"><a href="mailto:dasanz@servexternos.gruposantander.com" title="mailto:dasanz@servexternos.gruposantander.com"><span lang="DE" style="font-size:8.0pt; font-family:"Arial","sans-serif"">dasanz@ext.produban.com</span></a></span></b><b><span lang="DE" style="font-size:8.0pt; font-family:"Arial","sans-serif"; color:gray">|
</span></b><b><span lang="DE" style="font-size:7.5pt; font-family:"Arial","sans-serif"; color:gray">Mobile +34 608769873 | Landline +34 911756648</span></b></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:7.5pt; font-family:"Arial","sans-serif"; color:gray">Parque Empresarial La Finca, Edificio 16. Paseo de Club Deportivo nº1 28223, Pozuelo de Alarcón (Madrid) - Spain</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB" style="font-size:7.5pt; font-family:"Arial","sans-serif"; color:#595959">______________________________________________________________________________________________</span></b></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:7.5pt; font-family:"Arial","sans-serif"; color:gray">For any problem or request, open a ticket following the
</span></b><b><span style="font-size:7.5pt; font-family:"Arial","sans-serif"; color:gray"><a href="http://kosmos.produban.gs.corp/group/global-systems-area-global-systems-operations-wiki/home/-/wiki/Main/Remedy+Circuits"><span lang="EN-US">remedy circuits</span></a></span></b><b><span lang="EN-US" style="font-size:7.5pt; font-family:"Arial","sans-serif"; color:gray">
of Global Systems.</span></b></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">De:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> Sanz Moreno David
<br>
<b>Enviado el:</b> jueves, 12 de diciembre de 2013 11:11<br>
<b>Para:</b> 'tejas sarade'<br>
<b>CC:</b> amavis-users@amavis.org<br>
<b>Asunto:</b> RE: Email.Phishing.Blackhole</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">How can I check it?</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D">Amavis receives the email from Postfix, use amavis as unix socket to evaluate it, clamav found a virus on it but no more lines are logged, so
I don’t know If the email has been discarded or not</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri","sans-serif"; color:#1F497D"> </span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"">De:</span></b><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif""> tejas sarade
<a href="mailto:[mailto:tejas.a.sarade@gmail.com]">[mailto:tejas.a.sarade@gmail.com]</a>
<br>
<b>Enviado el:</b> jueves, 12 de diciembre de 2013 10:33<br>
<b>Para:</b> Sanz Moreno David<br>
<b>CC:</b> <a href="mailto:amavis-users@amavis.org">amavis-users@amavis.org</a><br>
<b>Asunto:</b> Re: Email.Phishing.Blackhole</span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<div>
<p class="MsoNormal"><br>
On Thu, Dec 12, 2013 at 2:14 PM, Sanz Moreno David <<a href="mailto:dasanz@ext.produban.com">dasanz@ext.produban.com</a>> wrote:<br>
><br>
> That's what I say.<br>
></p>
</div>
<div>
<p class="MsoNormal">> </p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">><br>
> For other blocked emails, I see the amavis log line blocking it, but there's no amavis line for this one</p>
</div>
</div>
<p class="MsoNormal">Do you have on-access scanning enabled in Clamav? What I think is that Amavis extracted message in temporary directory for processing. And Clamav found the suspious content in one of these extracted files and did its job. You must check
the Clamav setting.</p>
<div>
<div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
<br>
<hr color="green">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif""><font color="green">Antes de imprimir este mensaje o sus documentos anexos, asegúrese de que es necesario.<br>
Proteger el medio ambiente está en nuestras manos. <br>
<br>
Before printing this e-mail or attachments, be sure it is necessary.<br>
It is in our hands to protect the environment. <br>
<br>
</p>
</font>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Arial","sans-serif"">******************AVISO LEGAL**********************</span></p>
<p class="MsoNormal"><span lang="ES" style="font-size:10.0pt; font-family:"Arial","sans-serif"">Este mensaje es privado y confidencial y solamente para la persona a la que va dirigido. Si usted ha recibido este mensaje por error, no debe revelar, copiar, distribuir
o usarlo en ningún sentido. Le rogamos lo comunique al remitente y borre dicho mensaje y cualquier documento adjunto que pudiera contener. No hay renuncia a la confidencialidad ni a ningún privilegio por causa de transmisión errónea o mal funcionamiento.</span></p>
<p class="MsoNormal"><span lang="ES" style="font-size:10.0pt; font-family:"Arial","sans-serif"">Cualquier opinión expresada en este mensaje pertenece únicamente al autor remitente, y no representa necesariamente la opinión de Grupo Santander, a no ser que expresamente
se diga y el remitente esté autorizado para hacerlo. Los correos electrónicos no son seguros, no garantizan la confidencialidad ni la correcta recepción de los mismos, dado que pueden ser interceptados, manipulados, destruidos, llegar con demora, incompletos,
o con virus. Grupo Santander no se hace responsable de las alteraciones que pudieran hacerse al mensaje una vez enviado.
</span></p>
<p class="MsoNormal"><span lang="ES" style="font-size:10.0pt; font-family:"Arial","sans-serif"">Este mensaje sólo tiene una finalidad de información, y no debe interpretarse como una oferta de venta o de compra de valores ni de instrumentos financieros relacionados.
En el caso de que el destinatario de este mensaje no consintiera la utilización del correo electrónico vía Internet, rogamos lo ponga en nuestro conocimiento.</span></p>
<p class="MsoPlainText"> </p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Arial","sans-serif"">**********************DISCLAIMER*****************</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Arial","sans-serif"">This message is private and confidential and it is intended exclusively for the addressee. If you receive this message by mistake, you should not disseminate,
distribute or copy this e-mail. Please inform the sender and delete the message and attachments from your system. No confidentiality nor any privilege regarding the information is waived or lost by any
<span class="SpellE">mistransmission</span> or malfunction. </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Arial","sans-serif"">Any views or opinions contained in this message are solely those of the author, and do not necessarily represent those of Grupo Santander, unless otherwise specifically
stated and the sender is authorized to do so. E-mail transmission cannot be guaranteed to be secure, confidential, or error-free, as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or contain viruses. Grupo Santander
does not accept responsibility for any changes in the contents of this message after it has been sent.
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Arial","sans-serif"">This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial
instruments. If the addressee of this message does not consent to the use of internet e-mail, please communicate it to us.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style=""> </span></p>
</div>
</span>
</body>
</html>