2
Does anyone else have reports from clients about their AV software blocking the URL of SmarterMail webmail?
Question asked by Webio - 10/15/2024 at 3:37 AM
Unanswered
Hello,

Today I'm getting some support tickets and calls from multiple customers reporting that their AV software is closing the connection to my SmarterMail URL.

AV software: mostly Avast but also Norton and Avira

On my end I use Bitdefender and I'm not getting any reports about it. Also, I've checked an example message from webmail which caused the issue (API call from webmail) using VirusTotal, and it also didn't report this as malicious content.

Thanks

Build: 9042

EDIT:


Issue occurs after logging in and opening message (when API call to get message is being performed)

8 Replies

0
Ricardo Ranieri Replied
Hi,

We have the same problem here already on the login screen, it is randomly blocked
0
Webio Replied
Norton error view:

2
Sébastien Riccio Replied
Isn't this because the mailbox you're connecting with received a mail that contains some phishing URLs/patterns?
Sébastien Riccio System & Network Admin https://swisscenter.com
0
Webio Replied
It's hard to tell. We've checked the email content of a message from a client mailbox which was causing an alarm for Avast, and VirusTotal didn't detect anything for this content when passed as a .txt file.

The problem is only with webmail and after logging in, where webmail is making a POST request to

/api/v1/mail/message

to retrieve message content. After that operation, the user gets an empty message in webmail with error message not available or something similar, or is being logged out.
0
Jereming Chen Replied
Employee Post
Unfortunately, it is hard to tell what signature Avast or Norton are seeing that is triggering this response. Because the message is arriving via an API call, it does just arrive as a JSON, so I can see the plain text or HTML code having something that could trigger these AV programs.

Considering you know this is your own server, I would suggest excluding it from these scans. After all, you can have antispam and antivirus run on your spool. If you want to have Avast or Norton perform these checks, you can enable the proc folder and let these AVs run on that folder as SmarterMail processes the mail through the spool.
Jereming Chen System/Network Administrator SmarterTools Inc. www.smartertools.com
0
Webio Replied
This is not something run server-side but on my clients' side. The browser API call from webmail to fetch message content in webmail is being caught and dropped by AV software. It looks like Avast and Norton could be using the same database for phishing, because it can't be a coincidence that both AV software are reporting the same issue.

My suggestion for clients was adding the webmail URL to the whitelist in their AV software. I've also reported the webmail URL to Avast and Norton using the false positive form, but I was wondering if this is also something that occurred to other forum/community users.
0
Nathan Replied
Similar random reports with Chrome marking the page as 'unsafe' but fine for other users including our internal users.
1
Jade B Replied
We've had the same thing and reached out to F-Secure to have the false positive removed.

They were kind enough to advise that a file had triggered the event and upon review we found that a user had uploaded a file using file sharing and this file was subsequently downloaded and flagged.
