Email.Phishing.Blackhole

Sanz Moreno David via amavis-users amavis-users at amavis.org
Fri Dec 13 10:20:50 CET 2013


I have more information about this issue.

Dec 13 01:04:38 xxxmail01 postfix/cleanup[31864]: CAF2942A: message-id=<1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS at myusairways.com>
Dec 13 01:04:38 xxxmail01 postfix/qmgr[20672]: CAF2942A: from=< bounces.usair at myusairways.com>, size=65596, nrcpt=1 (queue active)
Dec 13 01:04:38 xxxmail01 amavis[31868]: (31868-14) ESMTP:[127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f: <" bounces.usair"@myusairways.com> -> <xxx> SIZE=65596 Received: from xxxmail01 ([127.0.0.1]) by localhost (xxxmail01 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <kkoch at sovereignbank.com>; Fri, 13 Dec 2013 01:04:38 +0100 (CET)
Dec 13 01:04:38 xxxmail01 clamd[10387]: /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f/parts/p002: Email.Phishing.Blackhole FOUND
Dec 13 01:04:38 xxxmail01 amavis[31868]: (31868-14) Checking: aM6IjwPmd3CT <" bounces.usair"@myusairways.com> -> <xxx>
Dec 13 01:04:39 xxxmail01 postfix/cleanup[31880]: 03C1243B: message-id=<1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS at myusairways.com>
Dec 13 01:04:39 xxxmail01 postfix/qmgr[20672]: 03C1243B: from=< bounces.usair at myusairways.com>, size=66066, nrcpt=1 (queue active)
Dec 13 01:04:39 xxxmail01 amavis[31868]: (31868-14) FWD from <" bounces.usair"@myusairways.com> -> <xxx>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 03C1243B
Dec 13 01:04:39 xxxmail01 amavis[31868]: (31868-14) Passed CLEAN {RelayedOpenRelay}, [67.131.29.32] <" bounces.usair"@myusairways.com> -> <xxx>, Message-ID: <1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS at myusairways.com>, mail_id: aM6IjwPmd3CT, Hits: 0.1, size: 65595, queued_as: 03C1243B, 192 ms
Dec 13 01:04:40 xxxmail01 postfix/smtp[31523]: 03C1243B: to=<xxx>, relay=xxx[180.88.65.16]:25, delay=1.4, delays=0.01/0/0.03/1.4, dsn=2.6.0, status=sent (250 2.6.0 <1386893073.eb40.USAZ.2995925.1417951089MSOSI1.33OSIMS at myusairways.com> [InternalId=14185593] Queued mail for delivery)

Even though clamav detects the email as a virus, amavis considers it "Passed CLEAN" and delivers the message.

I have searched for the From address on the internet and found a post with this same problem, but it appears to be a false positive:

https://discussions.apple.com/thread/5528961?start=15&tstart=0

I have this directive configured on clamav, to avoid heuristic discards:

PhishingScanURLs no

Is it also being used to skip scanning for Email.Phishing.Blackhole?

Regards
David Sanz



David Sanz | SO Unix | Cloud Platforms | Global Systems | Produban - Grupo Santander
dasanz at ext.produban.com | Mobile +34 608769873 | Landline +34 911756648
Parque Empresarial La Finca, Edificio 16. Paseo de Club Deportivo nº1 28223, Pozuelo de Alarcón (Madrid) - Spain
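The lines above are the whole case: clamd logs a FOUND on a part file under the amavis temp directory at 01:04:38, and one second later the same amavis task (31868-14) logs "Passed CLEAN" and re-injects the message on port 10025. As an added example (my own script, not code from amavis, ClamAV or the poster), here is a small Python correlator that does by machine what you would do by hand on a busy log: it walks the log in order, remembers which amavis task is currently using which temp directory, attaches any clamd FOUND under that directory to that task, and lists tasks that amavis still passed as CLEAN. It assumes the line formats visible in the post (the amavisd-new "(pid-seq)" task tag, the "ESMTP:... <tmpdir>:" accept line, the "Passed/Blocked <type>" verdict line, and clamd's "<path>: <signature> FOUND"). The sample log is constructed: it is modelled on the lines above with addresses replaced by documentation placeholders, plus an invented second message that amavis blocks normally, as a control. One caveat built into the design: an amavis child reuses the same temp directory for every message it handles, so a FOUND is attributed to the newest task on that directory; and because matching is by path only, the script cannot tell whether the FOUND came from the request amavis itself sent to clamd or from another clamd client (for example on-access scanning) looking at the same directory, which is exactly the question raised in the reply quoted below.

```python
"""Correlate clamd "FOUND" lines with amavisd-new verdicts in a mail log.

Added example for this thread, not code from amavis or ClamAV. It walks the
log in order, remembers which amavis task ("(pid-seq)") is using which temp
directory, attaches clamd FOUND hits under that directory to that task, and
reports tasks that amavis nevertheless logged as "Passed CLEAN".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# amavis logs the per-child temp dir when it accepts a message on port 10024
AMAVIS_TMP = re.compile(
    r'amavis\[\d+\]: \((?P<task>[\d-]+)\) ESMTP:\S+ (?P<tmpdir>/\S+?):')
# clamd logs every match as "<path>: <signature> FOUND"
CLAMD_FOUND = re.compile(r'clamd\[\d+\]: (?P<path>\S+): (?P<sig>\S+) FOUND\b')
# final amavis verdict line, e.g. "Passed CLEAN {...}" or "Blocked INFECTED (...) {...}"
AMAVIS_VERDICT = re.compile(
    r'amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>Passed|Blocked) (?P<ctype>[A-Z-]+)')
MAIL_ID = re.compile(r'mail_id: (\S+),')
QUEUED_AS = re.compile(r'queued_as: (\S+),')


@dataclass
class Task:
    task: str
    tmpdir: str
    hits: List[Tuple[str, str]] = field(default_factory=list)  # (signature, path)
    verdict: Optional[str] = None      # "Passed CLEAN", "Blocked INFECTED", ...
    mail_id: Optional[str] = None
    queued_as: Optional[str] = None    # postfix queue id on 10025, if re-injected


def correlate(lines: Iterable[str]) -> Dict[str, Task]:
    """Build {task_id: Task} from syslog lines, which must be in log order."""
    tasks: Dict[str, Task] = {}
    in_use: Dict[str, str] = {}        # tmpdir -> task currently occupying it
    for line in lines:
        m = AMAVIS_TMP.search(line)
        if m:
            t = Task(m['task'], m['tmpdir'])
            tasks[t.task] = t
            # an amavis child reuses the same dir for every message it handles,
            # so the newest task on a dir is the one a later FOUND belongs to
            in_use[t.tmpdir] = t.task
            continue
        m = CLAMD_FOUND.search(line)
        if m:
            for tmpdir, task_id in in_use.items():
                if m['path'].startswith(tmpdir + '/'):
                    tasks[task_id].hits.append((m['sig'], m['path']))
                    break
            continue
        m = AMAVIS_VERDICT.search(line)
        if m and m['task'] in tasks:
            t = tasks[m['task']]
            t.verdict = f"{m['verdict']} {m['ctype']}"
            mid, qa = MAIL_ID.search(line), QUEUED_AS.search(line)
            t.mail_id = mid.group(1) if mid else None
            t.queued_as = qa.group(1) if qa else None
    return tasks


def delivered_despite_hit(tasks: Dict[str, Task]) -> List[Task]:
    """Tasks where clamd reported a FOUND but amavis still passed the mail as CLEAN."""
    return [t for t in tasks.values() if t.hits and t.verdict == 'Passed CLEAN']


# Constructed sample, modelled on the lines in the post (addresses replaced);
# the second message is a made-up control case that amavis blocks normally.
SAMPLE_LOG = """\
Dec 13 01:04:38 mx1 amavis[31868]: (31868-14) ESMTP:[127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f: <sender@example.com> -> <rcpt@example.net> SIZE=65596
Dec 13 01:04:38 mx1 clamd[10387]: /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f/parts/p002: Email.Phishing.Blackhole FOUND
Dec 13 01:04:38 mx1 amavis[31868]: (31868-14) Checking: aM6IjwPmd3CT <sender@example.com> -> <rcpt@example.net>
Dec 13 01:04:39 mx1 amavis[31868]: (31868-14) Passed CLEAN {RelayedOpenRelay}, [192.0.2.10] <sender@example.com> -> <rcpt@example.net>, Message-ID: <msg1@example.com>, mail_id: aM6IjwPmd3CT, Hits: 0.1, size: 65595, queued_as: 03C1243B, 192 ms
Dec 13 01:05:02 mx1 amavis[31868]: (31868-15) ESMTP:[127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f: <other@example.org> -> <rcpt@example.net> SIZE=2048
Dec 13 01:05:02 mx1 clamd[10387]: /var/spool/amavisd/tmp/amavis-20131213T010358-31868-gjZpw82f/parts/p001: Eicar-Test-Signature FOUND
Dec 13 01:05:02 mx1 amavis[31868]: (31868-15) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound}, [192.0.2.11] <other@example.org> -> <rcpt@example.net>, Message-ID: <msg2@example.org>, mail_id: Xy7Kq2pLmN3a, Hits: -, size: 2048, 88 ms
"""

if __name__ == '__main__':
    for t in delivered_despite_hit(correlate(SAMPLE_LOG.splitlines())):
        sigs = ', '.join(sig for sig, _ in t.hits)
        print(f'task {t.task} mail_id={t.mail_id} queued_as={t.queued_as}: '
              f'clamd FOUND {sigs} but amavis logged "{t.verdict}"')
```

Run it against a real /var/log/maillog by replacing SAMPLE_LOG.splitlines() with an open file; the queued_as value is the postfix queue id you then chase through the smtp lines to confirm delivery, as the post does with 03C1243B.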

From: Sanz Moreno David
Sent: Thursday, 12 December 2013 11:11
To: 'tejas sarade'
CC: amavis-users at amavis.org
Subject: RE: Email.Phishing.Blackhole

How can I check it?

Amavis receives the email from Postfix, uses amavis as a unix socket to evaluate it, and clamav finds a virus in it, but no more lines are logged, so I don't know if the email has been discarded or not.


From: tejas sarade [mailto:tejas.a.sarade at gmail.com]
Sent: Thursday, 12 December 2013 10:33
To: Sanz Moreno David
CC: amavis-users at amavis.org
Subject: Re: Email.Phishing.Blackhole


On Thu, Dec 12, 2013 at 2:14 PM, Sanz Moreno David <dasanz at ext.produban.com> wrote:
>
> That's what I say.
>
> For other blocked emails, I see the amavis log line blocking it, but there's no amavis line for this one

Do you have on-access scanning enabled in Clamav? What I think is that Amavis extracted the message in a temporary directory for processing, and Clamav found the suspicious content in one of these extracted files and did its job. You must check the Clamav settings.

