whose message is this?


Monty
12-13-2007, 04:25 PM
I get several spoofed ebay and paypal emails a week and always forward them to spoof@ for them to look at. I just got another one and it was immediately returned with the following message.

==========

Your message did not reach some or all of the intended recipients.

Subject: FW: Seller has responded to your question about this item
Sent: 12/13/2007 2:17 PM

The following recipient(s) could not be reached:

'spoof@ebay.com' on 12/13/2007 2:17 PM
554 5.7.0 Virus scan failed: Phishing.Heuristics.Email.SpoofedDomain FOUND

=========

Is that a futurequest generated message?

Bruce
12-13-2007, 05:50 PM
As a part of resolving the recent virus scanning crisis (http://www.aota.net/forums/showthread.php?t=23362), we upgraded the virus scanning engines to the latest version of ClamAV. One of the major additions in this newer version was the addition of signatures to detect forgeries in email, specifically phishing attempts. Your email contained content that matched one of the phishing heuristics used by ClamAV, and so was rejected.

We are looking into seeing if the scanning can be altered for mail to that address, but haven't come up with any good solutions yet.

Monty
12-13-2007, 07:08 PM
Do we have any option to turn off scanning for outgoing mail, Bruce? I think it is important that we be able to report these phishing sites and get them shut down, asap. I get them for Bank of America, Chase and plenty of others. The ability to notify any company affected by this is affected with outgoing scanning being mandatory. I make it a habit to report these things and quite often do that within 10 minutes of getting the email.

Bob
12-14-2007, 12:59 PM
Monty,

At this time ClamAV scanning cannot be disabled for one aspect and still enabled for the other. The outgoing scanning is also very important in protecting the overall network from a compromised client machine spawning 1000's of phishing messages.

Some logging was done in the last few days and it appears that the addition of phishing scanning has more than doubled the effectiveness of ClamAV in the numbers of malicious messages that were detected.

As with everything spam and email scanning, it isn't perfect and some malicious messages will still get through either as a result of a new signature not yet being detected or the ClamAV engines being disabled by Server Guardians during high load issues, as they are very resource intensive.

As far as a solution to reporting these types of messages, when they do get through, sending messages from QuestMail which is not scanned by ClamAV would be one solution and also possibly using your ISP email.

We are also working towards a more stable ClamAV scanning engine that would have less resource issues and therefore catch even more malicious messages.

We do understand this may make reporting suspected phishing messages less convenient; however, the overall benefits of this scanning outweigh that aspect in this situation.

Thanks,
Bob

frankc
12-22-2007, 09:56 AM
Like Monty, I always try to forward spam (with the message source and full headers) to the actual site so they can go after the dopes. Is it possible to not scan outbound emails sent to certain specific off-site addresses that are known to be valid for sending spam reports to, i.e. abuse@ebay.com, abuse@paypal.com, ...@chase.com...@citibank.com, etc.? Site owners only could contribute to this list.

The frustrating thing upon seeing the first few of these rejected emails was that you can't tell who it's from...it says "System Administrator" and you can't view the headers in the rejection notice like you can normal emails to determine where it came from. A simple tweak of the wording in the message might help.

sheila
12-30-2007, 02:10 PM
We discussed internally already the option of whitelisting some recipient addresses. However, this is not possible as essentially the virus scanner is either on or off. It knows nothing of the sender/recipients of the email. All it sees is the message data (essentially the body of the message).
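To illustrate Bruce's point about the phishing heuristic and sheila's point that the scanner sees only the message body, here is an added example (not code from the thread, FutureQuest or ClamAV) of a simplified display-text-versus-href check of the kind a "SpoofedDomain" verdict implies. The sample message, its domains (`example.net`, `example.invalid`) and the `smtp_verdict` helper are constructed for this example; ClamAV's real heuristic is considerably more elaborate.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample: a forwarded phishing notice whose visible link text
# advertises ebay.com while the href points at an unrelated host.
# (example.invalid is a placeholder, not a real indicator.)
SAMPLE_EMAIL = """\
From: sender@example.net
To: spoof@ebay.com
Subject: FW: Seller has responded to your question about this item
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please review your account:</p>
<a href="http://login.example.invalid/ebay/">http://www.ebay.com/signin</a>
<p>Regards, eBay</p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Crude site comparison: keep only the last two labels of the host."""
    return ".".join(host.lower().split(".")[-2:])

def spoofed_domain_links(raw_message):
    """Return (display_url, real_url) pairs whose domains disagree.
    Only the MIME body is inspected: the SMTP envelope, sender and
    recipient play no part, which is why whitelisting a recipient
    such as spoof@ebay.com cannot be expressed at this layer."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in ANCHOR_RE.findall(part.get_content()):
            text = text.strip()
            if not re.match(r"https?://", text, re.I):
                continue  # display text is not a URL; not this heuristic
            shown = urlparse(text).hostname or ""
            real = urlparse(href).hostname or ""
            if shown and real and registered_domain(shown) != registered_domain(real):
                findings.append((text, href))
    return findings

def smtp_verdict(raw_message):
    """Shape of the rejection quoted in the thread; a forwarded copy that
    keeps the original HTML carries the same mismatch and is rejected too."""
    if spoofed_domain_links(raw_message):
        return "554 5.7.0 Virus scan failed: Phishing.Heuristics.Email.SpoofedDomain FOUND"
    return "250 OK"
```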