Email being blocked with "Heuristics.Phishing.E... | MDaemon Technologies Community Forum

Email being blocked with "Heuristics.Phishing.Email.SpoofedDomain"


  • Hello,

    I am getting a bank (Wells Fargo) email rejected with a "Heuristics.Phishing.Email.SpoofedDomain" message.

    I tried to whitelist the address on Antivirus scanning exclusion, allow list no filtering and sender, but it is still being blocked.

    How can I let this email through?

    Thank you



  • Hello,

    The "Allow list no filtering" option is for the Spam Filter, not the AntiVirus. Can you confirm you added the address to the Anti-Virus "Configure Exclusions" section vs the Allow List (no filtering) section?

    Can you post the SMTP-in session where MDaemon is rejecting the message?


  • Thank you for your reply.

    Email address was entered on all 3 sections, just to be safe.

    Would the server need to be restarted after changes?

    Thank you


  • When you say "all 3 sections", that makes me think you are referring to the Allow List settings, which, again, is part of the spam filter settings, not the Anti-Virus settings. I believe the message you are seeing (Heuristics.Phishing.Email.SpoofedDomain) is related to ClamAV, one of the anti-virus systems, but I cannot confirm that unless you post the SMTP-in session for the message that MDaemon is rejecting.

    Can you post the log for the message?


  • Thank you for your reply.

    Sorry for not being clear. I meant 3 sections as in 2 in the allow list and the 1 in the anti-virus exclusion list. That's why I was asking if the service/server had to be restarted in order for changes to take effect.


  • Hi Paul,

    You should not need to restart MDaemon when adding an address to an exclusion list as long as you are doing it from the MDaemon GUI or the MDaemon Remote Admin website (MDRA).

    The message ClamAV is giving is not technically for a virus; it thinks the message contains a phishing attempt. From my searching, a lot of banks fail this test for some reason. If you wish to disable it altogether you can go to Windows Explorer on the server, and go to C:\MDaemon\SecurityPlus\ClamAVPlugin\conf (by default, or wherever your path to MDaemon is) and open clamd.conf in a text editor.

    Look for:

    # Scan URLs found in mails for phishing attempts using heuristics.
    # Default: yes
    #PhishingScanURLs yes

    If you wish to disable this scan altogether, you can remove the # from in front of PhishingScanURLs to un-comment the line (it's enabled by default so that's why it's working though the line is commented out) and change the yes to no.

    So:

    # Scan URLs found in mails for phishing attempts using heuristics.
    # Default: yes
    PhishingScanURLs no

    Then save the file. Since you are changing this outside of MDaemon's GUI or MDRA, you will need to restart MDaemon for it to pick up this change.

    Alternatively, if you wish to keep this enabled and continue to try and get the exclusion to work, I have a few more questions.

    Under the AntiVirus exclusions are three separate sections: Global Address Exclusions, Sender File Exclusions, and Recipient File Exclusions. Are you entering the address in all three sections there? And if so, are you entering the bank's email address or the recipient's address?

    What I would recommend is to enter the bank address used in the MAIL FROM line in the log file to the "Exclude messages FROM these addresses Ex: *@company.test" section of the Global Address Exclusions. Test to see if that makes a difference.

    If that does not resolve the issue, I would recommend that you submit a support request via https://mdaemon.com/pages/support-request-form so that you can submit more extensive logs for us to take a look at and assist you.

    Let me know if you have any questions.
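
A small check for the clamd.conf edit described in the reply above, added here as an example (it is not part of the original thread or of MDaemon's tooling): it reports the effective PhishingScanURLs setting, treating a commented-out line as the default (yes). The function name, the sample strings, the accepted boolean spellings and the handling of repeated or malformed lines are assumptions of this example.

```python
import sys

OPTION = "PhishingScanURLs"  # option name as shown in the thread
DEFAULT = True  # the quoted clamd.conf comment says "Default: yes"
TRUE_WORDS = {"yes", "true", "1"}  # boolean spellings assumed by this example
FALSE_WORDS = {"no", "false", "0"}

# Constructed samples mirroring the two snippets quoted in the thread.
SAMPLE_BEFORE = "# Default: yes\n#PhishingScanURLs yes\n"
SAMPLE_AFTER = "# Default: yes\nPhishingScanURLs no\n"


def phishing_scan_state(conf_text):
    """Return (enabled, source, line_numbers) for PhishingScanURLs.

    source is "default" when no active line sets the option, "explicit" when
    all active lines agree, "conflict" when they disagree (enabled is None)
    and "invalid" when a value is not a recognised boolean word.
    """
    seen = []  # (line_number, value) for every un-commented occurrence
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: leaves the default in force
        parts = line.split(None, 1)
        if parts[0] != OPTION:
            continue
        word = parts[1].strip().lower() if len(parts) > 1 else ""
        if word in TRUE_WORDS:
            seen.append((number, True))
        elif word in FALSE_WORDS:
            seen.append((number, False))
        else:
            return None, "invalid", [number]
    if not seen:
        return DEFAULT, "default", []
    lines = [n for n, _ in seen]
    values = {v for _, v in seen}
    if len(values) > 1:
        return None, "conflict", lines  # review by hand; do not guess
    return values.pop(), "explicit", lines


if __name__ == "__main__":
    # Pass the path to clamd.conf, or run without arguments to use the sample.
    text = SAMPLE_AFTER
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    enabled, source, lines = phishing_scan_state(text)
    print(f"{OPTION}: enabled={enabled} source={source} lines={lines}")
```

A result of `enabled=False` means URL phishing heuristics are off for all mail, not only for the one sender, which is worth recording if the address exclusion is later made to work and the setting can be restored.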

