Mailing List Archive

PDS_DBL_URL_TNB_RUNON
Hello all,

I was wondering what this rule means?
The description reads:
Double-url and To no arrows, from runon.

Pretty cryptic to the unlearned.

Best,
-- Yassine -- sysadm
Re: PDS_DBL_URL_TNB_RUNON
Hello,

This rule is indicating that the To/From headers look a bit weird, as well
as having a "double URL" - a URL within the email has a URL embedded within
it. From runon is a sub rule looking for correct spacing on the From header.

It is the combination of these that is causing the rule to fire. If this is
an email you're sending it would indicate the need to look at fixing the
From & To headers in said email.

Paul

On Sun, 13 Nov 2022 at 10:47, Yassine Chaouche <a.chaouche@algerian-radio.dz>
wrote:

> Hello all,
>
> I was wondering what this rule means?
> The description reads:
> Double-url and To no arrows, from runon.
>
> Pretty cryptic to the unlearned.
>
> Best,
>
> --
> Yassine -- sysadm
>
>
Re: PDS_DBL_URL_TNB_RUNON
Thank you, Paul.
It actually is a received spam.
I was intrigued by its very low score:


X-Spam-Score: 1.312


DKIM_INVALID=0.1
DKIM_SIGNED=0.1
HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1
PDS_DBL_URL_TNB_RUNON=1
SPF_HELO_NONE=0.001,
SPF_PASS=-0.001
T_REMOTE_IMAGE=0.01
URIBL_BLOCKED=0.001


At the same time,
the URI lookup has been blocked,
potentially minimizing the score by skipping this (important?) check.

The From: and To: look like this:

From: =?UTF-8?B?QmlsamFuYSBCT8W9ScSG?=<sales@helliomo.bar>
To: a.chaouche@algerian-radio.dz


Here's its full HTML

#################################### HTML ####################################

------=_NextPart_000_0012_3811D078.9728D954 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML> <html><head><title></title> <meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge"> </head> <body style=3D"margin: 0.4em;"> <p>Good day!<br><br></p><p><span> </span></p><p>We have sent the payment confirmation&nbsp;for the purchase o= rder we made. </p><p><span> </span></p><p>Attached here is the payment receipt. <br><br>Kindly acknowle= dge.<br><br></p><p><span> </span></p><p>Thank you<br><br><br></p> <p><span style=3D"font-size: 11pt;"><span style=3D"font-family: Calibri,san= s-serif;"><strong><span style=3D"font-size: 8pt;"><span style=3D'font-famil= y: "Tahoma",sans-serif;'><span style=3D"color: rgb(89, 89, 89);">Srda&#269;= an pozdrav/ Kind regards</span></span></span></strong></span></span></p><p><span style=3D"font-size: 11pt;"><span style=3D"font-family: Calibri,san= s-serif;"><strong><span style=3D"font-size: 8pt;"><span style=3D'font-famil= y: "Tahoma",sans-serif;'><span style=3D"color: rgb(89, 89, 89);">Biljana BO= &#381;I&#262;</span></span></span></strong><br> <span style=3D"font-size: 8pt;"><span style=3D'font-family: "Tahoma",sans-s= erif;'><span style=3D"color: rgb(89, 89, 89);"><em>Saradnik</em></span></sp= an></span></span></span></p> <p><br> <span style=3D"font-size: 11pt;"><span style=3D"font-family: Calibri,sans-s= erif;"> <a style=3D"color: rgb(5, 99, 193); text-decoration: underline;" href=3D"ht= tps://nam02.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fsojaprote= in.rs%2F&amp;data=3D04%7C01%7CBiljana.Bozic%40adm.com%7Cd6da3094071b4e62e67= d08d9d9aeed50%7C2f55bf3242d444b3a8c2930ac8b182b2%7C0%7C0%7C6377801677329403= 04%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1h= aWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=3DPfdk8gV7lD4rl7Oyl7bvNdwomabkXMMt3CoOJ= C8ByCA%3D&amp;reserved=3D0"><em><span style=3D"font-size: 8pt;"> <span style=3D'font-family: "Tahoma",sans-serif;'><span style=3D"color: rgb= 
(89, 89, 89);"><img id=3D"Picture_x0020_7" style=3D"border: 0px currentColo= r; border-image: none; width: 240px; height: 66px;" src=3D"C:\Users\Adminis= trator\AppData\Local\Temp\2\eM Client temporary files\mswdht5q.jpg"></span>= </span></span></em></a></span></span></p> <p><span style=3D"font-size: 11pt;"><span style=3D"font-family: Calibri,san= s-serif;"><strong><em><span style=3D'font-family: "Tahoma",sans-serif;'><sp= an style=3D"color: red;">Our office will be closed on 11th November due to = a National holiday.<br><br> <span style=3D"font-size: 11pt;"><span style=3D"font-family: Calibri,sans-s= erif;"><span style=3D"font-size: 8pt;"><span style=3D'font-family: "Tahoma"= ,sans-serif;'><span style=3D"color: rgb(89, 89, 89);"><strong>SOJAPROTEIN D= OO</strong><br> Industrijska 1<br> 21220 Be&#269;ej, Srbija<br> <br> tel: +381 (21) 6811 707<br> mob: +381 (66) 802 2372</span></span></span></span></span></span></span></e=m></strong></span></span></p> <p><span style=3D"font-size: 11pt;"><span style=3D"font-family: Calibri,san= s-serif;"><span style=3D"font-size: 8pt;"><span style=3D'font-family: "Taho= ma",sans-serif;'><span style=3D"color: rgb(89, 89, 89);">mail: <a style=3D"= color: rgb(5, 99, 193); text-decoration: underline;" href=3D"mailto:biljana= =2Ebozic@adm.com">biljana.bozic@adm.com</a><br> web: <a style=3D"color: rgb(5, 99, 193); text-decoration: underline;" href= =3Dhttp://www.sojaprotein.rs/"]"http://www.sojaprotein.rs/"><span style=3D"color: blue;">http://www.sojaprotei="]www.sojaprotei= n.rs</span></a></span></span></span></span></span></p> <p><br> <span style=3D"font-size: 11pt;"><span style=3D"font-family: Calibri,sans-s= erif;"><img id=3D"Picture_x0020_2" style=3D"width: 730px; height: 198px;" s= rc=3D"C:\Users\Administrator\AppData\Local\Temp\2\eM Client temporary files= \mr2h4r2a.png"></span></span></p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p><br> <br> <span style=3D"font-family: Arial,Helvetica,sans-serif;"><span style=3D"col= or: 
black;"><span style=3D"font-size: medium;">Confidentiality Notice:<br> This message may contain confidential or privileged information, or informa= tion that is otherwise exempt from disclosure. If you are not the intended = recipient, you should promptly delete it and should not disclose, copy or d= istribute it to others.</span></span></span></p> </body></html> ------=_NextPart_000_0012_3811D078.9728D954

#################################### HTML ####################################




Maybe the link in the link is this one?

<a style=3D"color: rgb(5, 99, 193); text-decoration: underline;" href=3D"ht= tps://nam02.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fsojaprote= in.rs%2F&amp;data=3D04%7C01%7CBiljana.Bozic%40adm.com%7Cd6da3094071b4e62e67= d08d9d9aeed50%7C2f55bf3242d444b3a8c2930ac8b182b2%7C0%7C0%7C6377801677329403= 04%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1h= aWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=3DPfdk8gV7lD4rl7Oyl7bvNdwomabkXMMt3CoOJ= C8ByCA%3D&amp;reserved=3D0"><em><span style=3D"font-size: 8pt;"> <span style=3D'font-family: "Tahoma",sans-serif;'><span style=3D"color: rgb= (89, 89, 89);"><img id=3D"Picture_x0020_7" style=3D"border: 0px currentColo= r; border-image: none; width: 240px; height: 66px;" src=3D"C:\Users\Adminis= trator\AppData\Local\Temp\2\eM Client temporary files\mswdht5q.jpg"></span>= </span></span></em></a>

There's a url= query parameter in that link.

Also, it seems the user is sending mail from a Windows computer using a mail client named eM Client?

Best,

--
Yassine -- sysadm


On 11/13/22 at 12:14 PM, Paul Stead wrote:
Hello,
This rule is indicating that the To/From headers look a bit weird, as well as having a "double URL" - a URL within the email has a URL embedded within it. From runon is a sub rule looking for correct spacing on the From header.

It is the combination of these that is causing the rule to fire. If this is an email you're sending it would indicate the need to look at fixing the From & To headers in said email.

Paul

On Sun, 13 Nov 2022 at 10:47, Yassine Chaouche <a.chaouche@algerian-radio.dz> wrote:
Hello all,

I was wondering what this rule means?
The description reads:
Double-url and To no arrows, from runon.

Pretty cryptic to the unlearned.

Best,

-- Yassine -- sysadm


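Putting Paul's breakdown together with the From:/To: headers and the safelinks href quoted in Yassine's reply, the following is an added Python sketch of the three sub-conditions (a URL nested inside another URL's query string, a To: with no angle brackets, and a From: whose encoded display name runs straight into the address). It is an illustration written for this archive page, not SpamAssassin's actual rule source; the regexes are my reading of the rule descriptions, and the sample href is shortened from the one in the thread.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Sample headers constructed from the ones quoted in the thread.
FROM_HDR = "=?UTF-8?B?QmlsamFuYSBCT8W9ScSG?=<sales@helliomo.bar>"
TO_HDR = "a.chaouche@algerian-radio.dz"

# The safelinks href from the spam's signature block, with the
# quoted-printable soft breaks removed and the "data" value shortened.
HREF = ("https://nam02.safelinks.protection.outlook.com/"
        "?url=https%3A%2F%2Fsojaprotein.rs%2F"
        "&data=04%7C01%7CBiljana.Bozic%40adm.com&reserved=0")


def from_runon(hdr: str) -> bool:
    """'From runon': a display name (here an encoded word) butts directly
    against '<addr>' with no whitespace in between (my interpretation)."""
    return re.search(r"\S<[^<>@\s]+@[^<>\s]+>\s*$", hdr) is not None


def to_no_arrows(hdr: str) -> bool:
    """'To no arrows': the To: header carries a bare address with no
    '<' ... '>' around it (my interpretation)."""
    return "@" in hdr and "<" not in hdr and ">" not in hdr


def nested_url(href: str):
    """'Double URL': return the URL embedded in a query parameter of href
    (e.g. the url= parameter of a safelinks wrapper), or None."""
    params = parse_qs(urlsplit(href).query)  # values are percent-decoded
    for values in params.values():
        for value in values:
            if re.match(r"https?://", value, re.IGNORECASE):
                return value
    return None


def pds_dbl_url_tnb_runon(from_hdr: str, to_hdr: str, hrefs) -> bool:
    """All three sub-conditions must hold for the combined rule to fire,
    which is why fixing the headers alone is enough to stop it."""
    has_double = any(nested_url(h) is not None for h in hrefs)
    return has_double and to_no_arrows(to_hdr) and from_runon(from_hdr)


if __name__ == "__main__":
    print("nested URL:", nested_url(HREF))
    print("rule fires:", pds_dbl_url_tnb_runon(FROM_HDR, TO_HDR, [HREF]))
    fixed_from = "=?UTF-8?B?QmlsamFuYSBCT8W9ScSG?= <sales@helliomo.bar>"
    print("fires after spacing From:", pds_dbl_url_tnb_runon(fixed_from, TO_HDR, [HREF]))
```
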
Re: PDS_DBL_URL_TNB_RUNON
Pretty obviously a spam; I'm surprised that it didn't get a lot of "fake order" type of points.

Here is the (or at least one) double URL that it caught:

;" href=3D"ht= tps://nam02.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fsojaprote= in.rs