ConfigServer Community Forum

I'm really hoping that someone here can help, since my servers' O/S no longer qualifies for support for my purchased CP+MS installs (CloudLinux 6.10) and I'm in dire need of some guidance on this issue.

Recently some clients brought to my attention that the are not receiving their Amazon Order confirmation and Shipped confirmation emails. They're receiving all other emails from Amazon, just not the most important ones with the following commong subjects:

"Amazon.com order of (order item number)"
"Your Amazon.com order # (order number)"
"Your Amazon.com order # (order number) has shipped"

Where I have parenthesis above would be the actual order numbers.

So I took a look in WHM > ConfigServer MailScanner Front-End > MailControl and discovered the following:

Those legitimate order & shipping update emails from Amazon are getting tagged as Infected.

This is happening to all users on all my servers who use their domain email addresses on their Amazon accounts.

It has been happening for quite some time - longer than the logs can go back - so I don't know when exactly it started.

Additionally I've discovered the following:

Legitimate Order updates from eBay are also getting marked as infected. Legit messages from vzwmail@ecrmemail.verizonwireless.com and ebay@ebay.com are doing the same thing.

Billing and Order upgrades from Verizon, as well as Order Confirmations and Order Updates are also getting marked as infected.

- In all cases, the email is legit and not infected.
- In all cases, if there are any attachments, the attachments are not infected.
- In all cases, the spam score is way below zero. In the negatives, and obviously not spam.

I've downloaded the messages and scanned them, along with their attachments, and they're definitely not infected and they have an excellent spam score (typically -0.1 to -7.5 range).

Has anyone else ever faced this?

Can anyone guide me as to what could be causing the virus scanner produce these false-positives, and a way to adjust any related scan modules to stop marking legit orders and shipping emails to stopped being marked as infected?

Thank you for any advice or help, as this is obviously causing a major issue now.

My current servers are environment of cPanel 106.0.9, CloudLinux 6.10, ConfigServer MailScanner Front-End v9.14, MailScanner - v5.3.3, and ConfigServer MailScanner Script v5.04

Please and thank you!

Screenshots:
https://imgur.com/a/uaRnDvn
https://imgur.com/a/tjtpA1W
https://imgur.com/a/eADzi4x

The images that you posted doesn't gives any info at all.
Click on the ambulance icon and then on the next page paste the error that shows about the infected file name, that will give more info about the issue.

Thank you very much for the reply Sergio, I really appreciate it.

The two files are simply the plain txt and html versions of the message, which in this example are just the normal "Thank you for shopping with us. We’ll send a confirmation when your item ships" and the user's Amazon order number, along with the typical / normal things in any Amazon order confirmation such as the dollar amount of the purchase, the user's shipping address, a button to "View or Manage Order", and a typical Amazon Prime Video banner link.

The attachments are completely clean and are exactly like every Amazon Order Confirmation email.

The only thing indicated next to "Infection" is "Found a script in HTML message" , which is crazy because all kinds of order confirmation emails from Amazon (and eBay, and Verizon, etc...) are HTML and typically include a script for order management and tracking. It's normal / common.

https://imgur.com/iayzv3y

https://imgur.com/vv4u2CD

And yet these same exact Order Confirmation emails go through perfectly to accounts not hosted on my servers. And just like everyone else, I get these same types of emails on my Amazon orders with no problem at all using my personal Gmail and ISP provided email accounts.

I've also just noticed that my Verizon monthly payment receipts are getting falsely tagged as infected and not coming through because I use an email account on one of my domains on my server for Verizon. My monthly bill due email notice comes through just fine, but not email receipt when I pay the bill, as those messages are being detected as infected just like the Amazon example above.

This is baffling

PS - even if I whitelist vzwmail@ecrmemail.verizonwireless.com and ebay@ebay.com and even *@bounces.amazon.com etc.. it makes no difference on the Order Confirmation emails and Payment Receipt emails. Server still tags them as infected and does not allow them through.

Hi.
Check your ConfigServer MailScanner FrontEnd under MailScanner Configuration and check the value at:

Allow Script Tags =

And set it to: disarm

That will help.

Thank you again Sergio. I'll give it a shot and make that change. The strange thing there is that at one point some time ago I had to set "Allow Script Tags" to Yes because that setting was preventing important trackers in messages from properly working in e-commerce scripts on user sites hosted with me. I've made that change now and will monitor to see what happens. Hopefully all goes well. I'll update this thread in a couple days after seeing what results. Thanks again for taking the time to view this and for responding, I really appreciate it!

@Sergio - Thanks again very much for your response and advice. So far your recommendation appears to have solve the issue almost entirely!

Really nice to know it is working.

Sergio