"Virus found" and completely disformatted Mails from Amazon & Paypal

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

"Virus found" and completely disformatted Mails from Amazon & Paypal

Post by gruenie » 2019-06-23 19:31

Hi there,
does anyone has the same problem and/or knows the reason:
When I get emails from Amazon or Paypal, the mails are completely disformatted and I can found the following line inside:
Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.
I'm quite sure that the Mails are serious and there has been no attachment.

I'm using hmailserver + clamAV + Spamassassin.

Kind regards

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!

palinka
Senior user
Senior user
Posts: 891
Joined: 2017-09-12 17:57

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by palinka » 2019-06-23 20:25

Can you post the complete message including headers?

If a virus was found it probably didn't come from Amazon or PayPal.

User avatar
jimimaseye
Moderator
Moderator
Posts: 8016
Joined: 2011-09-08 17:48

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by jimimaseye » 2019-06-23 20:55

If you are using Clamav definitions only then you should be thankful that it is catching anything (even fp's). However if you are supplementing it with, for example, sanesecurity then it is likely that whatever it has caught and labelled as a virus is going to be true. I use clam AV and spamassassin and sanesecurity and the only emails that get labelled as viruses are genuine virus or rogue ware links. Any genuine emails from PayPal or Amazon tend to get through without a problem.

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by gruenie » 2019-06-23 21:16

Hello Palinka,

thank you for the answer.
As I told you, I'm quite sure that those messages directly come from Amazon or Paypal, because I can find them in the outbox there too.
And those messages did not have an attachment.
So I assume, that one part of the chain: hmailserver->clamAV->Spamassassin does destroy the completely format of the mail.
It happens only with most (not all) mails from Amazon and Paypal.

Here is one example from Amazon (I deleted some personal informations):

Code: Select all

Return-Path: RTE+NE-null-xxxxxxxx@sellernotifications.amazon.com
Delivered-To: amazon@xxxx.de
X-Spam-Checker-Version: SpamAssassin 3.4.2 (svnunknown) * on MAIL.xxxx.eu * at Wed, 12 Jun 2019 10:28:16 +0200
X-Spam-Status: No, score=1.5, hits=1.5, required=5.0, autolearn=no autolearn_force=no, shortcircuit=no
X-Spam-Report:  * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0000] *  0.0 HTML_MESSAGE BODY: HTML included in message *  2.0 HTTPS_HTTP_MISMATCH BODY: No description available. *  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or *      identical to background *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily *       valid *  0.7 OBFUSCATING_COMMENT HTML comments which obfuscate text * -0.0 DKIMWL_WL_HIGH DKIMwl.org - Whitelisted High sender
Received: from a1-42.smtp-out.eu-west-1.amazonses.com (a1-42.smtp-out.eu-west-1.amazonses.com [54.240.1.42]) by mail.xxxx.eu with ESMTP ; Wed, 12 Jun 2019 10:28:15 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=llktbq2gwxn3x3xrq5ljspgjk2nc5ajv; d=amazon.de; t=1560328094; i=@marketplace.amazon.de; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type; bh=GosmWbfL5sxKT/7IMPY+MCdXxho+rVNJwoStzILHqCc=; b=ChEXZob2niY0geVSAQHpaNCvbMJMX7qwok9XlL0jgtjRMhmjFL/znv1RYi65AIfH vWg6AJRPyCxZ5ih+JNQX3oi1igHMGhsBqY/tOC6icSQfNFFrbxr7o2r9V5Wcap/Lza/ wPfgPFEZmZ+1eMmsbwdSid5kqvwc72ZCEMHm0yEg=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ihchhvubuqgjsxyuhssfvqohv7z3u4hn; d=amazonses.com; t=1560328094; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID; bh=GosmWbfL5sxKT/7IMPY+MCdXxho+rVNJwoStzILHqCc=; b=Pvr9BSKo8jB82dtrQOS0fN2JbBVc49q4KWTE6x50CleO3L+eRFKa/3J4ruamaLk0 fI3JlRzKKdkKTJpWRz4TYSleRO3YPJKbXWG+vAF+pVIC0irn3QgHK7Gg1cmSWEej2iD xkdvVklNRqUPPX+O4/oumbPk1l12VWyqOXhvmvyQ=
Date: Wed, 12 Jun 2019 08:28:14 +0000
From: xxxxx - Amazon Payments <xxxxx@marketplace.amazon.de>
Reply-To:  xxxxx - Amazon Payments <xxxx@marketplace.amazon.de>
To: "amazon@xxxx.de" 
Message-ID: <xxxxx@eu-west-1.amazonses.com>
Subject: Virus found: =?UTF-8?Q?Re:_R=C3=BCcksendeantrag_f=C3=BCr_Bes?= =?UTF-8?Q?tellung_302-7689412-9402711?=
MIME-Version: 1.0
X-AMAZON-CATEGORY: BBC-Message
X-AMAZON-RTE-VERSION: 2.0
Bounces-to: RTE+NE-null-xxxxx@sellernotifications.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-Original-MessageID: <urn.correios.msg.xxxxxeu@1560328094732.rte-svc-eu-m4c-9d1bc338.eu-west-1.amazon.com>
X-SES-Outgoing: 2019.06.12-54.240.1.42
Feedback-ID: 1.eu-west-1.UIAUrMfbpGrxavqnRE0yoZrAUBI9C7GRNUx/kUDo6B4=:AmazonSES

Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.




<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://www.w3.org/1999/xhtml" xmlns:v=3D"urn:schemas-microso=
ft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office">
=09

<!-- Email Header -->
<head>
<meta http-equiv=3D"Content-Type" content=3D"html; charset=3DUTF-8"></meta>=
=09
<!-- Included header file, can be cloned and/or replaced. -->

<!--[if gte mso 15]>
<xml>
=09<o:OfficeDocumentSettings>
=09<o:AllowPNG/>
=09<o:PixelsPerInch>96</o:PixelsPerInch>
=09</o:OfficeDocumentSettings>
</xml>
<![endif]-->
<meta charset=3D"UTF-8" />
<!--[if !mso]><!-->
=09=09<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge" />
=09<!--<![endif]-->
<meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=3D1"=
 />
<title></title>
<link href=3D'http://fonts.googleapis.com/css?family=3DLato:400,700' rel=3D=
'stylesheet' type=3D'text/css' />
<style type=3D"text/css">
=09

=09.nbus-survey{color: #FFF;font-family:'Lato', Helvetica, Arial, sans-seri=
f;font-size:13px;line-height:150%;text-align:center}
=09.nbus-survey:visited{color: #FFF;font-family:'Lato', Helvetica, Arial, s=
ans-serif;font-size:13px;line-height:150%;text-align:center}
=09.nbus-survey:hover{color: #FFF;font-family:'Lato', Helvetica, Arial, san=
s-serif;font-size:13px;line-height:150%;text-align:center}
=09.nbus-survey:focus{color: #FFF;font-family:'Lato', Helvetica, Arial, san=
s-serif;font-size:13px;line-height:150%;text-align:center}
=09.nbus-survey:active{color: #FFF;font-family:'Lato', Helvetica, Arial, sa=
ns-serif;font-size:13px;line-height:150%;text-align:center}
=09
=09one-column{border-spacing:0px;background-color:#FFFFFF;border:0px;paddin=
g:0px;width:100%;column-count:1;}
=09endrImageBlock{padding:0px;border-spacing:0px;min-width:100%;border-coll=
apse:collapse;width:100%;border:0px;}
=09endrImageBlockInner{padding:0px;}
=09endrImageContentContainer{adding:0px;border-spacing:0px;min-width:100%;b=
order-collapse:collapse;width:100%;border:0px;}
=09endrTextContentContainer{min-width:100%;width:100%;border-collapse:colla=
pse;background-color:#FFFFFF;border:0px;padding:0px;border-spacing:0px;}
=09endrTextBlock{min-width:100%;border-collapse:collapse;background-color:#=
FFFFFF;width:100%padding:0px;border-spacing:0px;border:0px;}
=09preview-text{display:none;font-size:1px;line-height:1px;max-height:0px;m=
ax-width:0px;opacity:0;overflow:hidden;mso-hide:all;font-family: sans-serif=
;}
=09
=09p{
=09text-align:left;
=09margin-top:10px;
=09margin-bottom:10px;
=09margin-right:0;
=09margin-left:0;
=09padding-top:0;
=09padding-bottom:0;
=09padding-right:0;
=09padding-left:0;
=09line-height:185%;
=09}
=09table{
=09border-collapse:collapse;
=09}
=09h1,h2,h3,h4,h5,h6{
=09display:block;
=09margin:0;
=09padding:0;
=09}
=09img,a img{
=09border:0;
=09height:auto;
=09outline:none;
=09text-decoration:none;
=09}
=09pre{
=09height:100%;
=09margin:0px;
=09padding:0px;
=09width:100%;
=09font-family:'Lato',Helvetica, Arial, sans-serif;
=09min-width:100%;
=09white-space: pre-wrap;       /* Since CSS 2.1 */
    white-space: -moz-pre-wrap;  /* Mozilla, since 1999 */
    white-space: -pre-wrap;      /* Opera 4-6 */
    white-space: -o-pre-wrap;    /* Opera 7 */
    word-wrap: break-word;       /* Internet Explorer 5.5+ */
=09}
=09body,#bodyTable,#bodyCell{
=09height:100%;
=09margin:0px;
=09padding:0px;
=09width:100%;
=09background-color:#e4e3e4;
=09color:#999999
=09font-family:'Lato', Helvetica, Arial, sans-serif;
=09min-width:100%;
=09}
=09#outlook a{
=09padding:0;
=09}
=09img{
=09-ms-interpolation-mode:bicubic;
=09}
=09table{
=09mso-table-lspace:0pt;
=09mso-table-rspace:0pt;
=09}
=09.ReadMsgBody{
=09width:100%;
=09}
=09.ExternalClass{
=09width:100%;
=09}
=09p,a,li,td,blockquote{
=09mso-line-height-rule:exactly;
=09}
=09a[href^=3Dtel],a[href^=3Dsms]{
=09color:inherit;
=09cursor:default;
=09text-decoration:none;
=09}
=09p,a,li,td,body,table,blockquote{
=09-ms-text-size-adjust:100%;
=09-webkit-text-size-adjust:100%;
=09}
=09.ExternalClass,.ExternalClass p,.ExternalClass td,.ExternalClass div,.Ex=
ternalClass span,.ExternalClass font{
=09line-height:100%;
=09}
=09a[x-apple-data-detectors]{
=09color:inherit !important;
=09text-decoration:none !important;
=09font-size:inherit !important;
=09font-family:inherit !important;
=09font-weight:inherit !important;
=09line-height:inherit !important;
=09}
=09.templateContainer{
=09max-width:600px !important;
=09}
=09.endrImage{
=09vertical-align:bottom;
=09}
=09.endrTextContent{
=09word-break:break-word;
=09padding-top:15px;
=09padding-bottom:10px;
=09padding-right:18px;
=09padding-left:18px;
=09text-align:left;
=09}
=09.endrTextContent img{
=09height:auto !important;
=09}
=09.endrDividerBlock{
=09table-layout:fixed !important;
=09}
=09body { margin:0 !important; }
=09div[style*=3D"margin: 16px 0"] { margin:0 !important; }

=09body,#bodyTable{
=09background-color:#e4e3e4;
=09color:#999999;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09}
=09
=09.templateBlocks{
=09background-color:#FFFFFF;
=09border-top-width:0;
=09border-bottom-width:0;
=09padding-top:0;
=09padding-bottom:0;
=09font-size:15px;
=09line-height:185%;
=09text-align:left;
=09background-color:#FFFFFF;
=09}
=09
=09.templateQuoteBlocks{
=09background-color:#F04D44;
=09}
=09
=09#bodyCell{
=09border-top:0;
=09}

=09h1{
=09color:#455c64;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:30px;
=09font-style:normal;
=09font-weight:normal;
=09line-height:120%;
=09letter-spacing:normal;
=09padding-top:2px;
=09padding-bottom:2px;
=09}

=09a{
=09color:#e74c3c;
=09font-weight:normal;
=09text-decoration:underline;
=09}

=09h2{
=09color:#848484;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:15px;
=09font-style:normal;
=09font-weight:normal;
=09line-height:145%;
=09letter-spacing:1px;
=09padding-top:5px;
=09padding-bottom:4px;
=09}

=09h3{
=09color:#455c64;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:20px;
=09font-style:normal;
=09font-weight:normal;
=09line-height:140%;
=09letter-spacing:normal;
=09text-align:left;
=09padding-top:2px;
=09padding-bottom:2px;
=09}

=09h4{
=09color:#666666;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:16px;
=09font-style:normal;
=09font-weight:normal;
=09line-height:125%;
=09letter-spacing:normal;
=09text-align:left;
=09padding-top:11px;
=09padding-bottom:4px;
=09}

=09h5{
=09color:#ffffff;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:20px;
=09font-style:normal;
=09font-weight:normal;
=09line-height:135%;
=09letter-spacing:normal;
=09text-align:left;
=09padding-top:11px;
=09padding-right:20px;
=09padding-bottom:8px;
=09padding-left:20px;
=09}

=09h6{
=09color:#ffffff;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:26px;
=09font-style:normal;
=09font-weight:normal;
=09line-height:135%;
=09letter-spacing:normal;
=09text-align:right;
=09padding-top:11px;
=09padding-right:20px;
=09padding-bottom:8px;
=09padding-left:20px;
=09}

=09#templatePreheader{
=09border-top:0;
=09border-bottom:0;
=09padding-top:4px;
=09padding-bottom:12px;
=09}

=09#templatePreheader .endrTextContent,#templatePreheader .endrTextContent =
p{
=09color:#fbfbfb;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:12px;
=09line-height:150%;
=09text-align:center;
=09}

=09#templatePreheader .endrTextContent a,#templatePreheader .endrTextConten=
t p a{
=09color:#fbfbfb;
=09font-weight:normal;
=09text-decoration:underline;
=09}

=09#templateHeader{
=09background-color:#303942;
=09border-top:0px solid #e4e3e4;
=09border-bottom:0;
=09padding-top:0px;
=09padding-bottom:0px;
=09}

=09#templateHeader .endrTextContent,#templateHeader .endrTextContent p{
=09color:#ffffff;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:13px;
=09line-height:100%;
=09text-align:right;
=09}

=09#templateHeader .endrTextContent,#templateHeader .endrTextContent h1{
=09color:#ffffff;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:20px;
=09line-height:100%;
=09text-align:right;
=09}

=09#templateHeader .endrTextContent a,#templateHeader .endrTextContent p a{
=09color:#ffffff;
=09font-weight:normal;
=09text-decoration:none;
=09}

=09#templateSeparator{
=09padding-top:8px;
=09padding-bottom:8px;
=09}

=09.templateLowerBody{
=09background-color:#455C64;
=09border-bottom:0;
=09padding-top:1px;
=09padding-bottom:1px;
=09}

=09.templateLowerBody .endrTextContent,.templateLowerBody .endrTextContent =
p{
=09color:#ffffff;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:13px;
=09line-height:150%;
=09text-align:left;
=09}

=09.templateLowerBody .endrTextContent a,.templateLowerBody .endrTextConten=
t p a{
=09color:#ffffff;
=09font-weight:normal;
=09text-decoration:underline;
=09}

=09.templateLowerBody .endrTextContent h1 {
=09color:#ffffff;
=09font-weight:700;
=09font-size:18px;
=09}

=09.templateSocial{
=09background-color:#e4e3e4;
=09padding-top:13px;
=09padding-bottom:3px;
=09}

=09#templateFooter{
=09border-top:0;
=09border-bottom:0;
=09padding-top:5px;
=09padding-bottom:5px;
=09}

=09#templateFooter .endrTextContent,#templateFooter .endrTextContent p{
=09color:#fbfbfb;
=09font-family: 'Lato', Helvetica, Arial, sans-serif;
=09font-size:12px;
=09line-height:150%;
=09text-align:center;
=09}

=09#templateFooter .endrTextContent a,#templateFooter .endrTextContent p a{
=09color:#fbfbfb;
=09font-weight:normal;
=09text-decoration:underline;
=09}
=09
=09@media only screen and (min-width:768px){
=09.templateContainer{
=09width:600px !important;
=09}
=09}=09
=09
=09@media only screen and (max-width: 480px){
=09
=09.templateHeader{
=09=09display: none;
=09}
=09=09
=09.bigimage .endrImageContent{
=09padding-top:0px !important;

=09}
=09.templateContainer{
=09width:100% !important;
=09max-width:600px;
=09}=09@media only screen and (max-width: 480px){
=09body,table,td,p,a,li,blockquote{
=09-webkit-text-size-adjust:none !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09body{
=09width:100% !important;
=09min-width:100% !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09#bodyCell{
=09padding-top:10px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.columnWrapper{
=09max-width:100% !important;
=09width:100% !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrImage{
=09width:100% !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrCaptionTopContent,.endrCaptionBottomContent,.endrTextContentContain=
er,.endrBoxedTextContentContainer,.endrImageGroupContentContainer,.endrCapt=
ionLeftTextContentContainer,.endrCaptionRightTextContentContainer,.endrCapt=
ionLeftImageContentContainer,.endrCaptionRightImageContentContainer,.endrIm=
ageCardLeftTextContentContainer,.endrImageCardRightTextContentContainer{
=09max-width:100% !important;
=09width:100% !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrBoxedTextContentContainer{
=09min-width:100% !important;
=09}
=09} @media only screen and (max-width: 480px){
=09.column{
=09width:100% !important;
=09max-width:100% !important;
=09}
=09} @media only screen and (max-width: 480px){
=09.endrImageGroupContent{
=09padding:9px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrCaptionLeftContentOuter .endrTextContent,.endrCaptionRightContentOu=
ter .endrTextContent{
=09padding-top:9px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrImageCardTopImageContent,.endrCaptionBlockInner .endrCaptionTopCont=
ent:last-child .endrTextContent{
=09padding-top:18px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrImageCardBottomImageContent{
=09padding-bottom:9px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrImageGroupBlockInner{
=09padding-top:0 !important;
=09padding-bottom:0 !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrImageGroupBlockOuter{
=09padding-top:9px !important;
=09padding-bottom:9px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrTextContent,.endrBoxedTextContentColumn{
=09padding-right:18px !important;
=09padding-left:18px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.endrImageCardLeftImageContent,.endrImageCardRightImageContent{
=09padding-right:18px !important;
=09padding-bottom:0 !important;
=09padding-left:18px !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09.mcpreview-image-uploader{
=09display:none !important;
=09width:100% !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09h1{
=09font-size:22px !important;
=09line-height:125% !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09h2{
=09font-size:20px !important;
=09line-height:125% !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09h3{
=09font-size:18px !important;
=09line-height:125% !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09h4{
=09font-size:16px !important;
=09line-height:150% !important;
=09}
=09}=09@media only screen and (max-width: 480px){
=09
=09.endrBoxedTextContentContainer .endrTextContent,.endrBoxedTextContentCon=
tainer .endrTextContent p{
=09font-size:14px !important;
=09line-height:150% !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09#templatePreheader{
=09display:block !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09#templatePreheader .endrTextContent,#templatePreheader .endrTextContent =
p{
=09font-size:12px !important;
=09line-height:150% !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09#templateHeader .endrTextContent,#templateHeader .endrTextContent p{
=09font-size:16px !important;
=09line-height:100% !important;
=09text-align:center !important;
=09}

=09#templateHeader .endrTextContent, #templateHeader .endrTextContent h1{
=09font-size:20px !important;
=09line-height:100% !important;
=09padding-bottom:10px !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09#templateUpperBody .endrTextContent,#templateUpperBody .endrTextContent =
p{
=09font-size:16px !important;
=09line-height:150% !important;
=09}
=09
=09}=09@media only screen and (max-width: 480px){

=09#templateColumns .columnContainer .endrTextContent,#templateColumns .col=
umnContainer .endrTextContent p{
=09font-size:16px !important;
=09line-height:150% !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09.templateLowerBody .endrTextContent,.templateLowerBody .endrTextContent =
p{
=09font-size:16px !important;
=09line-height:150% !important;
=09text-align:center !important;
=09}
=09}=09@media only screen and (max-width: 480px){

=09#templateFooter .endrTextContent,#templateFooter .endrTextContent p{
=09font-size:12px !important;
=09line-height:150% !important;
=09}
=09}
</style>

<!--[if mso]>
<style type=3D"text/css">
body, table, td {font-family: Arial, Helvetica, sans-serif !important;}
h1 {font-family: Arial, Helvetica, sans-serif !important;}
h2 {font-family: Arial, Helvetica, sans-serif !important;}
h3 {font-family: Arial, Helvetica, sans-serif !important;}
h4 {font-family: Arial, Helvetica, sans-serif !important;}
h5 {font-family: Arial, Helvetica, sans-serif !important;}
h6 {font-family: Arial, Helvetica, sans-serif !important;}
h7 {font-family: Arial, Helvetica, sans-serif !important;}
p {font-family: Arial, Helvetica, sans-serif !important;}
</style>
<![endif]-->

<!--[if gt mso 15]>
<style type=3D"text/css" media=3D"all">
/* Outlook 2016 Height Fix */
table, tr, td {border-collapse: collapse;}
tr {border-collapse: collapse; }
body {background-color:#ffffff;}
</style>
<![endif]-->

<!-- Title - Optional content - The title tag shows in email notifications =
on mobile devices -->
<title>

</title>
<style>
p.solid {border-style: solid;border-width: 1px;padding: 5px}
button-style {background: #222222; border: 15px solid #222222; padding: 0 1=
0px;color: #ffffff; font-family: sans-serif; font-size: 13px; line-height: =
1.1; text-align: center; text-decoration: none; display: block; border-radi=
us: 3px; font-weight: bold;}
tablebutton {    border-collapse: separate;  border-spacing: 10px;}
</style>
</head>

<!-- Email Body -->
<body style=3D"body" >
<center class=3D"wrapper" style=3D"width:100%;table-layout:fixed;background=
-color:#e4e3e4;" >
  <div class=3D"webkit" style=3D"max-width:600px;margin:0 auto;" >
      <table align=3D"center" border=3D"0" cellpadding=3D"0" cellspacing=3D=
"0" height=3D"100%" width=3D"100%" id=3D"bodyTable" style=3D"border-collaps=
e:collapse;height:100%;margin-top:0;margin-bottom:0;margin-right:0;margin-l=
eft:0;padding-top:0;padding-bottom:0;padding-right:0;padding-left:0;width:1=
00%;background-color:#e4e3e4;color:#5a5a5a;font-family:'Lato', Helvetica, A=
rial, sans-serif;" >
        <tr>
            <td align=3D"center" valign=3D"top" id=3D"bodyCell" style=3D"he=
ight:100%;margin-top:0;margin-bottom:0;margin-right:0;margin-left:0;width:1=
00%;padding-top:10px;padding-bottom:10px;border-top-width:0;" >
<!-- BEGIN TEMPLATE // -->
<!--[if (gte mso 9)|(IE)]>
<table align=3D"center" border=3D"0" cellspacing=3D"0" cellpadding=3D"0" wi=
dth=3D"600" style=3D"width:600px;border-collapse:collapse;" >
=09<tr>
=09<td align=3D"center" valign=3D"top" width=3D"600" style=3D"width:600px;"=
 >
=09=09<![endif]-->
=09=09<table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" class=3D"temp=
lateContainer" style=3D"width:100%;max-width:600px;border-collapse:collapse=
;" >
=09=09<tr>
=09=09<td>
<!-- Previewtext - Optional content - This text will appear in the inbox pr=
eview, but not the email body. div class =3D "preview-text" -->
<div style=3D"display:none;font-size:1px;line-height:1px;max-height:0px;max=
-width:0px;opacity:0;overflow:hidden;mso-hide:all;font-family: sans-serif;"
>
</div>

<!-- Included header file(graphics)  -->
<!-- BLOCK Logo Center -->
<table class=3D"one-column" border=3D"0" cellpadding=3D"0" cellspacing=3D"0=
" width=3D"100%" style=3D"border-spacing:0;">
=09=09=09=09=09<tr valign=3D"top" style=3D"border-top-width:0;border-bottom=
-width:0;font-size:14px;line-height:185%;text-align:left;" >
=09=09=09=09=09=09<td valign=3D"top" class=3D"templateLowerBody" style=3D"b=
ackground-color:#2a323a;" >
                        =09<table border=3D"0" cellpadding=3D"0" cellspacin=
g=3D"0" width=3D"100%" class=3D"endrTextBlock" style=3D"min-width:100%;bord=
er-collapse:collapse;background-color:#2a323a;" bgcolor=3D"#2a323a">
=09=09=09=09=09=09=09=09<tbody class=3D"endrTextBlockOuter">
=09=09=09=09=09=09=09=09=09<tr>
=09=09=09=09=09=09=09=09=09=09<td valign=3D"top" class=3D"endrTextBlockInne=
r">
=09=09=09=09=09=09=09=09=09=09=09<table align=3D"left" border=3D"0" cellpad=
ding=3D"0" cellspacing=3D"0" width=3D"100%" class=3D"endrTextContentContain=
er" style=3D"min-width:100%;border-collapse:collapse;"bgcolor=3D"#2a323a">
=09=09=09=09=09=09=09=09=09=09=09<tbody>
=09=09=09=09=09=09=09=09=09=09=09<tr>
          <td class=3D"templateHeader" valign=3D"top" style =3D "padding: 2=
0px 0; padding-left:40px">
          <img align=3D"center" alt=3D"" src=3D"http://g-ecx.images-amazon.=
com/images/G/01/tmtdefaulttemplate/img/logo-selling_coach.png" width=3D"200=
" style=3D"max-width:200px;padding-bottom:0;display:inline !important;verti=
cal-align:bottom;border-width:0;height:auto;outline-style:none;text-decorat=
ion:none;-ms-interpolation-mode:bicubic;" />
          </td>
                        =09=09=09=09=09</tr>
                                            </tbody>
                                            </table>
                                       </td>
                                   </tr>
                             </tbody>
                             </table>
=09=09=09=09=09=09</td>
=09=09=09=09=09</tr>
=09=09=09=09=09</table><!-- ENDR Header  -->


</td>
</tr>
</table>

<table border=3D"0" cellpadding=3D"0" cellspacing=3D"0" class=3D"templateCo=
ntainer" width=3D"100%" style=3D"width:100%;max-width:600px;border-collapse=
:collapse;background-color:#ffffff;" bgcolor=3D"#ffffff" >
<tr>
<td>
<!-- General Block of text - modify/replace with your content -->
<table class=3D"one-column">
<tr valign=3D"top" class=3D"templateBlocks">
=09<td valign=3D"top">
=09=09<table class=3D"endrTextBlock">
=09=09=09<tbody class=3D"endrTextBlockOuter">
=09=09=09<tr>
=09=09=09=09<td valign=3D"top" class=3D"endrTextBlockInner">
=09=09=09=09<table align=3D"left" class=3D"endrTextContentContainer">
=09=09=09=09=09<tbody>
=09=09=09=09=09<tr>


<td valign=3D"top" class=3D"endrTextContent" align=3D"center">
=09
Sie haben eine Nachricht erhalten.


Bestellnummer  302-7689412-xxxxx:
1 of xxxxx
1 of xxxxx
1 of xxxxx


<h4 style=3D"color:black"><strong>Nachricht:</strong></h4>

<table border=3D"1 /">
  <tr>
    <th style=3D"padding:5px;text-align: left">

<p > <html><head></head><body><pre style=3D"white-space: pre-wrap">Hallo, l=
ieber Kunde,

* here is the real text which is no spam!*


</pre><img src=3D"https://sellercentral-europe.amazon.com/nms/img/1a3b874b-=
7911-32a2-9c9a-1b65a3982f06?sk=3Dveas6xRQLJlLJuEuKMqaTkN09Aost7Ywnbpqxs2DIx=
wPoWQceMuKei_7NrPTXHRX6IzKgUJUef_0dAw8eaPdHQ&amp;n=3D1" height=3D"1" width=
=3D"1" border=3D"0" alt=3D""></body></html> </p>
</th>
  </tr>
</table>

<br>



<table  cellspacing=3D"2" padding:120px cellpadding=3D"" border=3D"0" align=
=3D"center" style=3D"border-collapse: separate;
    border-spacing: 10px;width:100%">
=09 <tr>
=09 =09<th colspan=3D"4" style=3D"text-align:left">
 =09 =09<font style=3D"color:black;">Hat dies Ihr Problem gel=C3=B6st?</fon=
t>
 =09 =09</th>
 </tr>
=20
=09<tr>
=09=09
<td style=3D"border-radius: 3px;border-color:black;border-style: solid;bord=
er-width: thin; text-align: center;width:100px" class=3D"button-td"><a href=
=3D"https://sellercentral-europe.amazon.com/nms/redirect/f2eba7fe-614f-3569=
-9275-611a28b3b2ce?sk=3DJwZINtr18OSnih6-EXPZHXdr-hFANTFcsf6eqkvBhm6SOVi1B9U=
iujilOuGy29fgn0R_kiFr7zfmOwaULWT7bw&amp;n=3D1&amp;u=3DaHR0cDovL3d3dy5hbWF6b=
24uZGUvZ3AvaGVscC9zdXJ2ZXk_cD1BM1BRVVlSRDA4OTFCSyZrPWh5JnJlZl89YnNtX2htZHll=
c19odA" style=3D"background: #fff; border: 15px solid #fff; padding: 0 2px;=
color: #000000; font-family: sans-serif; font-size: 13px; line-height: 1.1;=
 text-align: center; text-decoration: none; display: block; border-radius: =
3px; font-weight: bold;"> <!--[if mso]>&nbsp;&nbsp;&nbsp;&nbsp;<![endif]-->=
Ja<!--[if mso]>&nbsp;&nbsp;&nbsp;&nbsp;<![endif]--></a></td>


<td style=3D"border-radius: 3px;border-color:black;border-style: solid;bord=
er-width: thin; text-align: center;width:100px" class=3D"button-td"><a href=
=3D"https://sellercentral-europe.amazon.com/nms/redirect/3960f322-699c-33fb=
-b166-0f9f683765c2?sk=3DaUSfxUu2BK07EjTsXODIn49R_yuwhQaUqSZ1dUbTwCrOrvMiKT_=
-eu9Hn4u73bnPqd2AxtnYvv042LkzYP6Aqw&amp;n=3D1&amp;u=3DaHR0cDovL3d3dy5hbWF6b=
24uZGUvZ3AvaGVscC9zdXJ2ZXk_cD1BM1BRVVlSRDA4OTFCSyZrPWhuJnJlZl89YnNtX2htZG5v=
X2h0" style=3D"background: #fff; border: 15px solid #fff; padding: 0 2px;co=
lor: #000000; font-family: sans-serif; font-size: 13px; line-height: 1.1; t=
ext-align: center; text-decoration: none; display: block; border-radius: 3p=
x; font-weight: bold;"> <!--[if mso]>&nbsp;&nbsp;&nbsp;&nbsp;<![endif]-->Ne=
in<!--[if mso]>&nbsp;&nbsp;&nbsp;&nbsp;<![endif]--></a></td>
<td></td>
<td style=3D"border-radius: 3px; border-color:black;border-style: solid;bor=
der-width: thin; text-align: center;width:175px" class=3D"button-td"><a hre=
f=3D"https://sellercentral-europe.amazon.com/nms/redirect/6e2e3543-7867-39d=
b-81b9-14a9e8f97e50?sk=3DRUtKEfS-qsbwa3EoOCjlszSdmiY1b6lCxC6DMeQHy38BlNa91y=
jEIQmIRp9om2QJTZliIa3QcRmp1sA-gVv3Tw&amp;n=3D1&amp;u=3DaHR0cDovL3NlbGxlcmNl=
bnRyYWwuYW1hem9uLmRlL21lc3NhZ2luZy9yZXBvcnQ_dD1BMDUzOTczODIyVlVCVzE2WlQwVFA=
mbT1BMDM5MzMxNDM4T1c2QjdTOEhBVVUmYz1BMUpYQk42MUZQOFpBVyZtcD1BMVBBNjc5NVVLTU=
ZSOSZoPTRkMTM3NmZlY2MyN2M4YjZmMWZiZGNmMDU1MThkNDQ2ZGZiOTc3ZmUmcz0xJmI9MCZDT=
0RFPUFRMzQ2N0RFMjBTU01LRTE5NlQmY29kZT1BUTM0NjdERTIwU1NNS0UxOTZU" style=3D"b=
ackground: #fff; border: 15px solid #fff; padding: 0 2px;color: #000000; fo=
nt-family: sans-serif; font-size: 13px; line-height: 1.1; text-align: cente=
r; text-decoration: none; display: block; border-radius: 3px; font-weight: =
bold;"> <!--[if mso]>&nbsp;&nbsp;&nbsp;&nbsp;<![endif]-->Nachricht melden<!=
--[if mso]>&nbsp;&nbsp;&nbsp;&nbsp;<![endif]--></a></td>
=09</tr>
</table>



<br>


=09=09=09=09=09<table class=3D"one-column" border=3D"0" cellpadding=3D"0" c=
ellspacing=3D"0" width=3D"100%" style=3D"border-spacing:0;">
=09=09=09=09=09<tr valign=3D"top" style=3D"border-top-width:0;border-bottom=
-width:0;font-size:14px;line-height:185%;text-align:left;" >
=09=09=09=09=09=09<td valign=3D"top" class=3D"templateLowerBody" style=3D"b=
ackground-color:#2a323a;" >
                        =09<table border=3D"0" cellpadding=3D"0" cellspacin=
g=3D"0" width=3D"100%" class=3D"endrTextBlock" style=3D"min-width:100%;bord=
er-collapse:collapse;background-color:#2a323a;" bgcolor=3D"#2a323a">
=09=09=09=09=09=09=09=09<tbody class=3D"endrTextBlockOuter">
=09=09=09=09=09=09=09=09=09<tr>
=09=09=09=09=09=09=09=09=09=09<td valign=3D"top" class=3D"endrTextBlockInne=
r">
=09=09=09=09=09=09=09=09=09=09=09<table align=3D"left" border=3D"0" cellpad=
ding=3D"0" cellspacing=3D"0" width=3D"100%" class=3D"endrTextContentContain=
er" style=3D"min-width:100%;border-collapse:collapse;"bgcolor=3D"#2a323a">
=09=09=09=09=09=09=09=09=09=09=09<tbody>
=09=09=09=09=09=09=09=09=09=09=09<tr>
                       =20
                        <p style=3D"text-align:center !important;margin-top=
:10px;margin-bottom:10px;margin-right:10px;margin-left:15px;padding-top:0;p=
adding-bottom:0;padding-right:0;padding-left:0;color:#ffffff;font-family:'L=
ato', Helvetica, Arial, sans-serif;font-size:13px;line-height:150%;">
=09=09=09=09=09=09=09=09=09=09=09=09Copyright 2019 Amazon, Inc, or its affi=
liates. All rights reserved.<br/>
=09=09=09=09=09=09Amazon Services Europe S.=C3=A0 r.l.<br />
5 Rue Plaetis <br />
L-2338 Luxembourg <br />
Handelsregisternummer Luxemburg: B-93815<br />
Gesellschaftskapital 12.500 EUR<br />
Gewerbelizenznummer: 100416<br />
USt.-Identifikationsnummer Luxemburg: LU 19647148</p>
                        =09=09=09=09=09</tr>
                                            </tbody>
                                            </table>
                                       </td>
                                   </tr>
                             </tbody>
                             </table>
=09=09=09=09=09=09</td>
=09=09=09=09=09</tr>
=09=09=09=09=09</table>
=09=09=09<br />=09=09
<div id=3D"amznCommMgrFooter" alt=3D"amznCommMgrFooter" style=3D"background=
-color: white; border: 0px solid #a0a0a5; padding: 2px">
            <small>Wichtiger Hinweis: Wenn Sie dieser E-Mail antworten, wir=
d Amazon.de Ihre E-Mail-Adresse mit einer von Amazon bereitgestellten Adres=
se ersetzen, um Ihre Identit=C3=A4t zu sch=C3=BCtzen, und die Nachricht in =
Ihrem Namen weiterleiten. Um einen m=C3=B6glichen Betrug zu verhindern, set=
zt Amazon.de Filtertechniken ein. Nachrichten, die diesen Filter nicht pass=
ieren, werden nicht weitergeleitet. Amazon.de beh=C3=A4lt Kopien aller =C3=
=BCber diesen Service gesendeten und empfangenen E-Mails, einschlie=C3=9Fli=
ch der Nachricht, die Sie hier eingeben. Amazon.de wird diese Kopien insbes=
ondere zur Kl=C3=A4rung von eingereichten A-bis-z-Garantie-Antr=C3=A4gen he=
ranziehen. Indem Sie diesen Dienst nutzen, erkl=C3=A4ren Sie sich mit diese=
m Vorgehen einverstanden.</small><br/>
            <br/>
            <small>Wir m=C3=B6chten, dass Sie stets mit Vertrauen einkaufen=
, wenn Sie Produkte auf Amazon.de erwerben. Hier finden Sie n=C3=A4here Inf=
ormationen =C3=BCber sichere Online-Eink=C3=A4ufe (http://www.amazon.de/gp/=
help/customer/display.html?nodeId=3D13023711) und unsere Garantie f=C3=BCr =
den sicheren Einkauf (http://www.amazon.de/gp/help/customer/display.html?no=
deId=3D886414).</small>
        </div>
            <font color=3D"white">[commMgrTok:A039331438OW6B7S8HAUU]</font>
       =20


=09=09=09=09=09</tr>
=09=09=09=09=09</tbody>
=09=09=09=09</table>
=09=09=09=09</td>
=09=09=09</tr>
=09=09=09</tbody>
=09=09</table>
=09</td>
</tr>
</table>

<!-- Footer -->

<!-- Footer -->
</body>
</html>
Errare humanum est, sed in errare perseverare diabolicum!

palinka
Senior user
Senior user
Posts: 891
Joined: 2017-09-12 17:57

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by palinka » 2019-06-23 23:16

Can you send the email to gmail or somewhere other than your hmailserver and post the headers from that message? Would the other MTA also pick it up a virus?

If yes, you need to talk to amazon about it. If no, then there must be something going on with clamav. Do you have a log?

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by gruenie » 2019-06-23 23:31

No, I can't send the mail to another mailserver.
As I said, the mails are generated by amazon (or paypal). I get them by email and I can found them in the message center in my amazon-account.
There is no possibility to forward them - at least I have no idea how.
Errare humanum est, sed in errare perseverare diabolicum!

User avatar
mattg
Moderator
Moderator
Posts: 19894
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by mattg » 2019-06-24 02:47

MOST Paypal emails (their regular newsletters and such) are always the same for me, shown as containing a virus that was removed
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Senior user
Posts: 891
Joined: 2017-09-12 17:57

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by palinka » 2019-06-24 04:46

mattg wrote:
2019-06-24 02:47
MOST Paypal emails (their regular newsletters and such) are always the same for me, shown as containing a virus that was removed
A total shot in the dark, but do you think this is the reason?

Code: Select all

Subject: Virus found: =?UTF-8?Q?Re:_R=C3=BCcksendeantrag_f=C3=BCr_Bes?= =?UTF-8?Q?tellung_302-7689412-9402711?=

User avatar
mattg
Moderator
Moderator
Posts: 19894
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by mattg » 2019-06-24 06:47

The words 'Virus Found' is probably prepended to the subject line by hMailserver.

Is that what you mean?
Or do you mean the subject line being UTF-8 originally?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
katip
Senior user
Senior user
Posts: 662
Joined: 2006-12-22 07:58
Location: Istanbul

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by katip » 2019-06-24 09:47

Sanesecurity has particularly signature sets for Paypal and Amazon (and Ebay) in their phish.ndb
this may cause FPs and removal attempt by ClamAV if called directly by HMS, hence garbled body.

ClamAV integrated in SA keeps the message as it is, but scores it and adds an informative header. a better combo if SA is already in charge, i think..
Katip
--
HMS 5.7.0-B2428-LTS-64-bit, MySQL 5.7.24, SA 3.4.2, ClamAV 0.101.2 + SaneS

User avatar
mattg
Moderator
Moderator
Posts: 19894
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by mattg » 2019-06-24 11:17

katip wrote:
2019-06-24 09:47
Sanesecurity has particularly signature sets for Paypal and Amazon (and Ebay) in their phish.ndb
this may cause FPs and removal attempt by ClamAV if called directly by HMS, hence garbled body.

ClamAV integrated in SA keeps the message as it is, but scores it and adds an informative header. a better combo if SA is already in charge, i think..
And that completely explains why I stopped getting this happen about 5 months back

That's when I stopped using ClamAV to scan for virus directly, I now ONLY use ClamAV via SpamAssassin, and have another AV scan for virus directly from hMailserver

Thanks
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by gruenie » 2019-06-24 21:42

Thank you for all the answers.
I'm using ClamAV directly in the hMailServer-Anti-virus-section.
ClamAV.JPG
And I'm using "Spamassassin in a box" (for Windows) too and have integrated it in hMailServer.
Spamassassin.JPG
So what should I do or change so that the Mails from Amazon and Paypal can pass the server too without being tattered?
I do not have problems with other mails, only with them from Amazon and Paypal.
Should I disable ClamAV? I'm using "Symantec Endpoint Protection Cloud" for the whole server too (but will change to Kaspersky next year).
Errare humanum est, sed in errare perseverare diabolicum!

palinka
Senior user
Senior user
Posts: 891
Joined: 2017-09-12 17:57

Re: "Virus found" and completely disformatted Mails from Amazon & Paypal

Post by palinka » 2019-06-24 23:04

https://hmailserver.com/forum/viewtopic ... 21&t=26829

This will get you started. Then after, search for spamassassin ClamAV plugin to get that working.

Post Reply