A couple clients recently have had bounces from different places indicating that their mails were caught by the recipients’ anti-virus filter. These are some of my better clients sending out daily newsletters. They’ve been mailing for years and I know that they are not phishing. They asked me to investigate the bounce messages.
The information I had to work with was minimal. One bounce said:
The AntiVirus server has detected the Phishing.Heuristics.Email.SpoofedDomain virus in an email sent to you, allegedly sent by email@example.com. This email address may, or may not, be the originating source, as some viruses can hijack address books and in turn, send email with any of those addresses. Please take note that this virus has been destroyed and this email is a notification of virus activity and is itself virus free.
The other bounce said:
The message senders were
and they have been notified that they have sent a potential virus.
The message title was Customer: Subject line from email. The message date was Tue, 23 Jun 2009 12:16:13 – The virus or unauthorized code identified in the email is >>> Possible MalWare ‘Exploit/Phishing-amazon-04ee’ found in ’5832897_2X_PM2_EMQ_MH__message.htm’. Heuristics score: 202
The real clue came when I looked at the emails that triggered the bounce. In both cases, my clients were linking to Amazon.com with a re-director link. There are many filters out there that look at the visible text of a link and compare it with the link target. If the link points to one domain like a re-director but the visible text points to another, this may trigger some spam or virus filters to intercept the email.
My experience suggests this happens more often when the domain used in the visible text is one of those domains that are heavily phished: amazon.com, ebay.com, bank websites, etc. The solution is to not include a domain name in the visible text portion of a link. Instead of “Go buy the DVDs at <a href=”http://www.example.com/linkdomain/”>Amazon.com</a>,” change the link to “Go <a href=”http://www.example.com/linkdomain/”>buy the DVDs</a> at Amazon.com.” Same content, same call to action, but no chance of the email getting caught in a phish filter.