Question on Rule
Hello,

Can someone explain what this actually means and maybe provide an example?

Rule Name: FROM_MISSP_DYNIP
Rule Definition: misspaced + dynamic rDNS

Getting a high score on this and having trouble finding an actual real definition and example. I get the dynamic rDNS I believe, but not sure about the misspaced meaning for sure.

Thanks
RE: Question on Rule
> On 27.01.20 at 17:22 Charles Amstutz wrote:
> > Can someone explain what this actually means and maybe provide an
> example?
> >
> > Rule Name: FROM_MISSP_DYNIP
> >
> > Rule Definition: misspaced + dynamic rDNS
> >
> > Getting a high score on this and having trouble finding an actual real
> > definition and example. I get the dynamic rDNS I believe, but not sure
> > about the misspaced meaning for sure
>
> misspaced FROM header, which leaves the question open why you don't
> provide any useful information like, well, the headers or better the raw mail at
> pastebin

From your explanation, I think I found what might be causing the rule to trigger.

I think it is the weird characters in subject, from and to?

This is redacted a bit, of course.

Return-Path: <from@email.com>
Delivered-To: recipient@email.com
Received: (qmail 4989 invoked by alias); 25 Jan 2020 15:13:45 -0600
Delivered-To: recipient@email.com
Received: (qmail 4975 invoked from network); 25 Jan 2020 15:13:45 -0600
Received: from SMTP Server (HELO SMTP Server) (internal IP)
by mailserver with ESMTP; 25 Jan 2020 15:13:45 -0600
Received: (qmail 81888 invoked from network); 25 Jan 2020 15:13:35 -0600
Received: from dynamic RDNS (HELO HP511DF8) (Dynamic IP)
by smtp external DNS name with ESMTP; 25 Jan 2020 15:13:35 -0600
Received-SPF: softfail (SMTP Server: transitioning SPF record at domain does not designate dynamic IP as permitted sender)
From: =?UTF-8?Q?Sender_name?= <from@email.com>
To: =?UTF-8?Q?Recipient_name?= <recipient2@email.com>

Subject: =?UTF-8?Q?Subject?=
Date: Sat, 25 Jan 2020 19:35:07 +0000
Message-ID: <1815052843-1579980907@>
Content-Type: multipart/mixed;
boundary="----=_Part_Boundary_0000004b_6b102fb7.6b102fb7"
MIME-Version: 1.0
Re: Question on Rule
On Mon, 27 Jan 2020 16:22:39 +0000
Charles Amstutz wrote:

> Hello,
>
> Can someone explain what this actually means and maybe provide an
> example?
>
> Rule Name: FROM_MISSP_DYNIP
> Rule Definition: misspaced + dynamic rDNS
>
> Getting a high score on this and having trouble finding an actual
> real definition and example. I get the dynamic rDNS I believe, but
> not sure about the misspaced meaning for sure.

It means that there is no space between the display name and the '<',
e.g.

From: John Smith<js@example.com>

If you are seeing anything very different?
RE: Question on Rule
>
> > Hello,
> >
> > Can someone explain what this actually means and maybe provide an
> > example?
> >
> > Rule Name: FROM_MISSP_DYNIP
> > Rule Definition: misspaced + dynamic rDNS
> >
> > Getting a high score on this and having trouble finding an actual real
> > definition and example. I get the dynamic rDNS I believe, but not sure
> > about the misspaced meaning for sure.
>
> It means that there is no space between the display name and the '<', e.g.
>
> From: John Smith<js@example.com>
>
> If you are seeing anything very different?

Thanks, however, I do see a space between the name and the '<'

This is what it looks like:

From: =?UTF-8?Q?Name?= <from@email.com>
Re: Question on Rule
>> > Can someone explain what this actually means and maybe provide an
>> > example?
>> >
>> > Rule Name: FROM_MISSP_DYNIP
>> > Rule Definition: misspaced + dynamic rDNS
>> >
>> > Getting a high score on this and having trouble finding an actual real
>> > definition and example. I get the dynamic rDNS I believe, but not sure
>> > about the misspaced meaning for sure.

>> It means that there is no space between the display name and the '<', e.g.
>>
>> From: John Smith<js@example.com>
>>
>> If you are seeing anything very different?

On 27.01.20 17:01, Charles Amstutz wrote:
>Thanks, however, I do see a space between the name and the '<'
>
>This is what it looks like:
>
>From: =?UTF-8?Q?Name?= <from@email.com>

Where do you see it? Especially Micro$oft products (Outlook, Exchange, ...)
tend to reformat mail so you can't see how it looked before.

A few years ago I ran into exactly this problem: the missing space between
the full name and "<" was added by a Microsoft product and I couldn't understand
why blocking it did not work.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
On the other hand, you have different fingers.
Re: Question on Rule
On 20200127 09:01:10, Charles Amstutz wrote:
>>
>>> Hello,
>>>
>>> Can someone explain what this actually means and maybe provide an
>>> example?
>>>
>>> Rule Name: FROM_MISSP_DYNIP
>>> Rule Definition: misspaced + dynamic rDNS
>>>
>>> Getting a high score on this and having trouble finding an actual real
>>> definition and example. I get the dynamic rDNS I believe, but not sure
>>> about the misspaced meaning for sure.
>>
>> It means that there is no space between the display name and the '<', e.g.
>>
>> From: John Smith<js@example.com>
>>
>> If you are seeing anything very different?
>
> Thanks, however, I do see a space between the name and the '<'
>
> This is what it looks like:
>
> From: =?UTF-8?Q?Name?= <from@email.com>


Are you sure it is not the extra space between the routing headers and the
"Subject:" line?

===8<---
From: =?UTF-8?Q?Sender_name?= <from@email.com>
To: =?UTF-8?Q?Recipient_name?= <recipient2@email.com>

Subject: =?UTF-8?Q?Subject?=
Date: Sat, 25 Jan 2020 19:35:07 +0000
===8<---

That spacing is very typical of spam and never seen as ham here.

{^_^}
Re: Question on Rule
On 27 Jan 2020, at 12:32, jdow wrote:

> Are you sure it is not the extra space between the routing headers and
> the "Subject:" line?

100% certain. In the standard rule channel, the file 72_active.cf has
these lines:

meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
header __FROM_RUNON From =~ /\S+<\w+/

i.e. a non-whitespace character immediately preceding a left
angle-bracket/less-than symbol.


(RDNS_DYNAMIC is a massive meta-rule for rDNS names that match patterns
derived from the IP itself)


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
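As an added illustration of the two rule lines Bill Cole quotes above (example code written for this thread, not SpamAssassin's own implementation): the `__FROM_RUNON` regex is applied to several From: values, and the `FROM_MISSP_DYNIP` meta is modelled with `RDNS_DYNAMIC` as a boolean input (an assumption; the real meta-rule is not re-implemented). The raw message is constructed for the example.

```python
import email
import re

# The component rule quoted from 72_active.cf in the thread:
#   header __FROM_RUNON From =~ /\S+<\w+/
# i.e. a non-whitespace character immediately before '<', with a word
# character right after it.
FROM_RUNON = re.compile(r"\S+<\w+")


def from_runon(from_value: str) -> bool:
    """__FROM_RUNON: True when nothing separates the display name from '<'."""
    return FROM_RUNON.search(from_value) is not None


def from_missp_dynip(from_value: str, rdns_dynamic: bool) -> bool:
    """Mirror of: meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC.

    rdns_dynamic stands in for SpamAssassin's RDNS_DYNAMIC meta-rule
    (assumption: the caller has already evaluated it).
    """
    return from_runon(from_value) and rdns_dynamic


def from_runon_in_raw_message(raw: str) -> bool:
    """Apply __FROM_RUNON to the From: line of a raw, undecoded message.

    Checking the raw header, not a mail client's rendering of it, is what
    matters: a client may insert the space that the server never saw.
    """
    msg = email.message_from_string(raw)
    return from_runon(msg.get("From", ""))


# Constructed sample (not the original poster's message): a run-on From:
# header as the mail server would have received it.
RAW_SAMPLE = (
    "Return-Path: <from@email.com>\n"
    "From: =?UTF-8?Q?Sender_name?=<from@email.com>\n"
    "To: =?UTF-8?Q?Recipient_name?= <recipient2@email.com>\n"
    "Subject: =?UTF-8?Q?Subject?=\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    # Whether or not the encoded-word is decoded first, only the spacing
    # before '<' decides the match.
    for hdr in ("John Smith<js@example.com>", "John Smith <js@example.com>",
                "=?UTF-8?Q?Name?=<from@email.com>", "=?UTF-8?Q?Name?= <from@email.com>"):
        print(f"{hdr!r:40} __FROM_RUNON={from_runon(hdr)}")
    print("raw sample hits __FROM_RUNON:", from_runon_in_raw_message(RAW_SAMPLE))
```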
RE: Question on Rule
On Mon, 27 Jan 2020, Charles Amstutz wrote:

>>> Can someone explain what this actually means and maybe provide an
>>> example?
>>>
>>> Rule Name: FROM_MISSP_DYNIP
>>> Rule Definition: misspaced + dynamic rDNS
>>>
>>> Getting a high score on this and having trouble finding an actual real
>>> definition and example. I get the dynamic rDNS I believe, but not sure
>>> about the misspaced meaning for sure.
>>
>> It means that there is no space between the display name and the '<', e.g.
>>
>> From: John Smith<js@example.com>
>>
>> If you are seeing anything very different?
>
> Thanks, however, I do see a space between the name and the '<'
>
> This is what it looks like:
>
> From: =?UTF-8?Q?Name?= <from@email.com>

I do not see that hit __FROM_RUNON (the component rule) in my test
environment. I suspect that whatever you copied that from has "helpfully"
cleaned it up for you. We would need to see the raw message header that
your mail system processed, not what your mail client displays to you.

I wager that if you were able to see the raw original message header, you
would not see a space there.

*Presuming* this is a legitimate email you do wish to receive, the
solution is to contact the sender and tell them to fix the configuration
of their mail client (or bulk mail tool if it's a bulk mail).


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
Today: the 34th anniversary of the loss of STS-51L Challenger