Outbound emails blocked (Heuristics.Phishing.Email.SpoofedDomain)
Problem reported by Jay Dubb - 1/28/2022 at 9:50 AM
We've seen a noticeable uptick in outbound emails sent to the Virus quarantine, by legitimate senders hosted on our server, with the reason "Heuristics.Phishing.Email.SpoofedDomain".

We cannot find any reason this should have been tagged as "SpoofedDomain". The senders are our customers, properly authenticating to our mail server, sending from the domain hosted by us.

But on the way out to the world, when it hits the spool, Clam scans the message and throws it into quarantine.

Anyone know WHY that would happen in the first place? Outbound virus filtering is part of being a good mail system, but it's not good when clean legitimate email isn't allowed out.

Nathan Replied
It is a configuration option within Clam that is enabled by default with SmarterMail. It results in too many false positives. You need to add the following to the Clam conf file:

PhishingScanURLs no
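
The setting above is a plain key/value line in clamd.conf, so it is easy to audit across servers before and after the change. The script below is an added example, not code from the thread, SmarterMail or ClamAV; it assumes ClamAV's documented behaviour that PhishingScanURLs defaults to "yes" when absent, that "#" lines are comments, and that the last uncommented occurrence of an option wins, and it uses a constructed clamd.conf fragment as input.

```shell
#!/bin/sh
# Audit and change the effective PhishingScanURLs value in a clamd.conf.
# Added example (not from the forum thread or the ClamAV project).
# Assumptions: option is absent-defaults-to-yes, "#" lines are comments,
# last uncommented occurrence wins, boolean values are case-insensitive.

CONF_SAMPLE="$(mktemp)"
cat > "$CONF_SAMPLE" <<'EOF'
# constructed clamd.conf fragment for the example
LogFile /var/log/clamav/clamd.log
#PhishingScanURLs no
PhishingSignatures yes
EOF

# phishing_scan_urls <conf> : prints the effective value, "yes" or "no".
# Commented-out lines ("#PhishingScanURLs no") do not count, which is
# exactly the case where an admin believes the option is off but it is not.
phishing_scan_urls() {
    conf="$1"
    val=$(awk 'tolower($1)=="phishingscanurls" {v=$2} END {print tolower(v)}' "$conf")
    case "$val" in
        no|false|0) echo no ;;   # explicit off
        *)          echo yes ;;  # explicit on, or absent (ClamAV default)
    esac
}

# disable_phishing_scan_urls <conf> : comment out every live occurrence, then
# append "PhishingScanURLs no" so there is exactly one active setting.
disable_phishing_scan_urls() {
    conf="$1"
    tmp="$conf.tmp"
    awk 'tolower($1)=="phishingscanurls" {print "#" $0; next} {print}' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    printf 'PhishingScanURLs no\n' >> "$conf"
}

echo "before: PhishingScanURLs=$(phishing_scan_urls "$CONF_SAMPLE")"
disable_phishing_scan_urls "$CONF_SAMPLE"
echo "after:  PhishingScanURLs=$(phishing_scan_urls "$CONF_SAMPLE")"
```

Disabling the option removes the phishing URL heuristic for all mail; ClamAV also supports a whitelist database (.wdb) for exempting specific real/displayed URL pairs, which keeps the check for everything else and is worth considering before turning it off globally.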

Jay Dubb Replied
Hopefully the false-positive problem can be reduced by the filter creators. We *reluctantly* turned off the Phishing URL scans, but that will let a lot of garbage now slip through. The quarantine had a LOT of legitimately bad phishing-related emails, and it's a shame they won't be stopped now, at least not by Clam.

But there were too many important messages from legitimate senders (including American Express, Nationwide Insurance, Marriott, AppRiver, etc.) that, after careful examination, we verified never should have been quarantined.

The trapped messages from AppRiver were quarantine notices.  Quarantine notices being quarantined... oh, the irony.  For those not familiar with AppRiver (SpamLab) they are a 3rd party "premium" spam filtering service some of our customers subscribe to.
