Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread giovanni

On 11/14/22 21:14, Shawn Iverson wrote:

> How do I stop this? paypal.com is in the default DKIM whitelist!


Does this work on your sample ?
The body you posted is only partial.

uri        __URI_IMG_PAYPAL   /^https:\/\/www\.paypalobjects\.com\/(?:digitalassets|en_US|ui\-web)\/.{1,64}\.(?:gif|jpg|png)/
meta       __PAYPAL_IMG_NOT_RCVD_PAYP   __URI_IMG_PAYPAL && !__HDR_RCVD_PAYPAL
meta       GB_PAYPAL_IMG_NOT_RCVD_PAYP   __PAYPAL_IMG_NOT_RCVD_PAYP && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
describe   GB_PAYPAL_IMG_NOT_RCVD_PAYP   Paypal hosted image but message not from Paypal
score      GB_PAYPAL_IMG_NOT_RCVD_PAYP   2.500 # limit

 Giovanni




Re: PBL and rejects

2022-11-14 Thread Alex
Hi,

>
> > I'm hoping I can ask this question here. Somehow the PBL considered the IP
> > addresses given to us by our ISP (I can share this if needed) as ineligible
> > to send email, resulting in any recipient domain that checks the PBL to
> > reject our email,
>
> AIUI, PBL is supposed to be for dynamic-type IP addresses for
> residential service, so if you have business service something seems
> off.
>
> What did your ISP say when you asked them about this?   I would expect
> them to be concerned because giving customers addresses in RBL is
> obviously going to get them sorted into giving not-really-ok service and
> negative recommendations, if that's what is really going on.
>

They denied any knowledge of three /29s being listed or having any
involvement in it happening.

They said they have a spamhaus license, which I'm assuming is for their own
servers, and that they would leverage that to ask a support question, but
they're disclaiming any responsibility.

These aren't new netblocks for us from them, but it seems awfully weird
that we would be operating on these IPs for 2+ years then all of a sudden
have them listed like they're dialup IPs.

The message I received during the delisting process with spamhaus/PBL for
"MyProvider" was:

Outbound Email policy of MyProvider LLC for this IP range
It is the policy of MyProvider LLC that unauthenticated email sent from
this IP address should be sent out only via the designated outbound mail
server allocated to MyProvider LLC customers. To find the hostname of the
correct mail server to use, customers should consult the original signup
documentation or contact MyProvider LLC Technical Support.

I don't know if that's just a boilerplate message or it actually refers to
the precise reason why my IPs were added to the PBL.


Re: PBL and rejects

2022-11-14 Thread Greg Troxel

Alex  writes:

> I'm hoping I can ask this question here. Somehow the PBL considered the IP
> addresses given to us by our ISP (I can share this if needed) as ineligible
> to send email, resulting in any recipient domain that checks the PBL to
> reject our email,

AIUI, PBL is supposed to be for dynamic-type IP addresses for
residential service, so if you have business service something seems
off.

What did your ISP say when you asked them about this?   I would expect
them to be concerned because giving customers addresses in RBL is
obviously going to get them sorted into giving not-really-ok service and
negative recommendations, if that's what is really going on.




PBL and rejects

2022-11-14 Thread Alex
Hi,

I'm hoping I can ask this question here. Somehow the PBL considered the IP
addresses given to us by our ISP (I can share this if needed) as ineligible
to send email, resulting in any recipient domain that checks the PBL to
reject our email, including every email sent to a Microsoft 365 domain.
This is also despite having a rule to bypass spam filtering on the M365
side with our own M365 domain - apparently that is not bypassed?

Does anyone know how this might happen? Would my ISP have listed them
intentionally? I've now delisted all of our IPs successfully, and mail is
again flowing, but it obviously resulted in a pretty significant impact on
our delivery.

I'm also trying to confirm I've configured my system properly to best
utilize RBLs.

Any ideas greatly appreciated.


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Martin Gregorie
On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> How do I stop this?  paypal.com is in the default DKIM whitelist!
> 
I'd treat it as spam because the domain name in the From header doesn't
match the domain name in the Message-ID header. 

That works for me, with virtually no false mail rejections.

Martin
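
The From versus Message-ID comparison described in this reply, sketched in Python as an added example (not code from the thread). The Message-ID in `PAGE_SAMPLE` is the one from the posted headers; the From address is constructed because the archive elides the real one, and the same-or-subdomain match is an assumption standing in for a public-suffix lookup.

```python
from email import message_from_string
from email.utils import parseaddr

# Message-ID as posted in the thread; the From address is a constructed stand-in.
PAGE_SAMPLE = "From: <sender@paypal.com>\nMessage-ID: <67.91.14851.9D092736@ccg13mail05>\n\n"
# Constructed samples: an aligned sender and a message with no Message-ID at all.
ALIGNED = "From: News <news@example.org>\nMessage-ID: <20221114.1@mail.example.org>\n\n"
NO_MSGID = "From: a@example.org\n\n"


def _rhs(value):
    """Lower-cased text right of the last '@', without angle brackets; '' if none."""
    if "@" not in value:
        return ""
    return value.rpartition("@")[2].strip("<> \t\r\n").rstrip(".").lower()


def _related(a, b):
    """Equal, or one a subdomain of the other. Bare host names only match exactly."""
    if "." not in a or "." not in b:
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def from_msgid_check(raw_message):
    """Return (verdict, from_domain, msgid_domain); verdict is match, mismatch or unknown."""
    msg = message_from_string(raw_message)
    from_dom = _rhs(parseaddr(msg.get("From", ""))[1])
    msgid_dom = _rhs(msg.get("Message-ID", ""))
    if not from_dom or not msgid_dom:
        # Nothing to compare: report it separately instead of guessing.
        return "unknown", from_dom, msgid_dom
    verdict = "match" if _related(from_dom, msgid_dom) else "mismatch"
    return verdict, from_dom, msgid_dom


if __name__ == "__main__":
    for name, raw in (("page", PAGE_SAMPLE), ("aligned", ALIGNED), ("no id", NO_MSGID)):
        print(name, from_msgid_check(raw))
```

The posted sample comes out as a mismatch because its Message-ID ends in the bare host name `ccg13mail05` rather than a name under paypal.com.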



Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Corrected...

# Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL 0

header   CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta     CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && CUSTOM_FROM_PAYPAL
describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
score    CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta     CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
describe CUSTOM_DKIM_OK All other whitelisted senders
score    CUSTOM_DKIM_OK -100

On Mon, Nov 14, 2022 at 4:38 PM Shawn Iverson 
wrote:

> For those fighting the same battles...
>
> # Default Whitelist Exceptions handling -- SJI 11/14/22
> shortcircuit USER_IN_DKIM_WHITELIST off
> score   USER_IN_DKIM_WHITELIST 0
> score   USER_IN_DEF_DKIM_WL 0
>
> header   CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
> meta     CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && ENA_FROM_PAYPAL
> describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
> score    CUSTOM_DKIM_WL_EXCEPTIONS  0.001
>
> meta     CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
> describe CUSTOM_DKIM_OK All other whitelisted senders
> score    CUSTOM_DKIM_OK -100
>
> On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
> wrote:
>
>> So what I'm going to do is turn shortcircuit off for
>> USER_IN_DKIM_WHITELIST
>>
>> Create a meta to catch paypal.com as the from address and score
>> appropriately
>> Create a counter meta to score other deserving DKIM-signers appropriately
>>
>> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
>> wrote:
>>
>>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>>> >
>>>
>>> That message really looks like it came from Paypal and then was
>>> forwarded by Microsoft to your server. Was it really a fake? That's a
>>> lot of headers to fake if so.
>>>
>>> If it was really fake and that paypal-supplied DKIM signature doesn't
>>> validate (I didn't check that), then checking DMARC when you receive
>>> mail and rejecting on p=reject failures would block it.
>>>
>>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
For those fighting the same battles...

# Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL 0

header   CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta     CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && ENA_FROM_PAYPAL
describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
score    CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta     CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
describe CUSTOM_DKIM_OK All other whitelisted senders
score    CUSTOM_DKIM_OK -100

On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
wrote:

> So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST
>
> Create a meta to catch paypal.com as the from address and score
> appropriately
> Create a counter meta to score other deserving DKIM-signers appropriately
>
> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
> wrote:
>
>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>> >
>>
>> That message really looks like it came from Paypal and then was
>> forwarded by Microsoft to your server. Was it really a fake? That's a
>> lot of headers to fake if so.
>>
>> If it was really fake and that paypal-supplied DKIM signature doesn't
>> validate (I didn't check that), then checking DMARC when you receive
>> mail and rejecting on p=reject failures would block it.
>>
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Oh yeah?

[@x~]$ grep DEF_WHITELIST /var/lib/spamassassin/3.004006/updates_spamassassin_org/*
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_de.cf:lang de describe USER_IN_DEF_WHITELIST Absenderadresse steht in der allgemeinen weißen Liste
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_fr.cf:lang fr describe USER_IN_DEF_WHITELIST Expéditeur dans la liste OK par défaut de SpamAssassin
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_pl.cf:lang pl describe USER_IN_DEF_WHITELIST Użytkownik jest wymieniony w domyślnej white-list (białej liście)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_pt_br.cf:lang pt_BR describe USER_IN_DEF_WHITELIST Endereço do From: está na whitelist padrão
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:#score USER_IN_DEF_WHITELIST -15.000 - Moved to 60_whitelist.cf
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_shortcircuit.cf:priority USER_IN_DEF_WHITELIST -1000
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:   score USER_IN_DEF_WHITELIST -15.0
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_DEF_WELCOMELIST
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf: score USER_IN_DEF_WHITELIST -15.0
/var/lib/spamassassin/3.004004/updates_spamassassin_org/local.cf:# shortcircuit USER_IN_DEF_WHITELIST on

On Mon, Nov 14, 2022 at 4:34 PM Marc  wrote:

>
> There is no such thing as a default whitelist.
>
> > >>
> > >> How do I stop this?  paypal.com is in the default
> > >> DKIM whitelist!
> > >>
> > >
> > >
> > > score  USER_IN_DKIM_WHITELIST 0
> >
> > would affect *every* mail in the default whitelist and so be a knee-jerk
> > reaction without brain
>


RE: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Marc

There is no such thing as a default whitelist.

> >>
> >> How do I stop this?  paypal.com is in the default
> >> DKIM whitelist!
> >>
> >
> >
> > score  USER_IN_DKIM_WHITELIST 0
> 
> would affect *every* mail in the default whitelist and so be a knee-jerk
> reaction without brain


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Kevin A. McGrail
I have also seen the PayPal ecosystem being abused by bad actors sending
things like fake invoices.  I am also +1 to remove the domain from the dkim
wl.

Regards, KAM

On Mon, Nov 14, 2022, 16:01 Shawn Iverson  wrote:

> Bottom line is I don't think paypal deserves to be default whitelisted in
> recent history.  I've received a lot of spam actually from paypal and
> judiciously report it to phish...@paypal.com with no apparent action or
> response.
>
> On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
> wrote:
>
>> So what I'm going to do is turn shortcircuit off for
>> USER_IN_DKIM_WHITELIST
>>
>> Create a meta to catch paypal.com as the from address and score
>> appropriately
>> Create a counter meta to score other deserving DKIM-signers appropriately
>>
>> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
>> wrote:
>>
>>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>>> >
>>>
>>> That message really looks like it came from Paypal and then was
>>> forwarded by Microsoft to your server. Was it really a fake? That's a
>>> lot of headers to fake if so.
>>>
>>> If it was really fake and that paypal-supplied DKIM signature doesn't
>>> validate (I didn't check that), then checking DMARC when you receive
>>> mail and rejecting on p=reject failures would block it.
>>>
>>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Bottom line is I don't think paypal deserves to be default whitelisted in
recent history.  I've received a lot of spam actually from paypal and
judiciously report it to phish...@paypal.com with no apparent action or
response.

On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
wrote:

> So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST
>
> Create a meta to catch paypal.com as the from address and score
> appropriately
> Create a counter meta to score other deserving DKIM-signers appropriately
>
> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
> wrote:
>
>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>> >
>>
>> That message really looks like it came from Paypal and then was
>> forwarded by Microsoft to your server. Was it really a fake? That's a
>> lot of headers to fake if so.
>>
>> If it was really fake and that paypal-supplied DKIM signature doesn't
>> validate (I didn't check that), then checking DMARC when you receive
>> mail and rejecting on p=reject failures would block it.
>>
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST

Create a meta to catch paypal.com as the from address and score appropriately
Create a counter meta to score other deserving DKIM-signers appropriately

On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
wrote:

> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> > How do I stop this?  paypal.com is in the default DKIM whitelist!
> >
>
> That message really looks like it came from Paypal and then was
> forwarded by Microsoft to your server. Was it really a fake? That's a
> lot of headers to fake if so.
>
> If it was really fake and that paypal-supplied DKIM signature doesn't
> validate (I didn't check that), then checking DMARC when you receive
> mail and rejecting on p=reject failures would block it.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
The DKIM signature looks valid.

On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
wrote:

> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> > How do I stop this?  paypal.com is in the default DKIM whitelist!
> >
>
> That message really looks like it came from Paypal and then was
> forwarded by Microsoft to your server. Was it really a fake? That's a
> lot of headers to fake if so.
>
> If it was really fake and that paypal-supplied DKIM signature doesn't
> validate (I didn't check that), then checking DMARC when you receive
> mail and rejecting on p=reject failures would block it.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Are you asking me to rescore these back to 0?  That will take some effort
to do, but if that's what it takes...

On Mon, Nov 14, 2022 at 3:42 PM Marc  wrote:

> >
> > How do I stop this?  paypal.com is in the default
> > DKIM whitelist!
> >
> >
>
>
> score  USER_IN_DKIM_WHITELIST 0
>
> ?
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Alan Hodgson
On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> How do I stop this?  paypal.com is in the default DKIM whitelist!
> 

That message really looks like it came from Paypal and then was
forwarded by Microsoft to your server. Was it really a fake? That's a
lot of headers to fake if so.

If it was really fake and that paypal-supplied DKIM signature doesn't
validate (I didn't check that), then checking DMARC when you receive
mail and rejecting on p=reject failures would block it.


RE: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Marc
> 
> How do I stop this?  paypal.com is in the default
> DKIM whitelist!
> 
> 


score  USER_IN_DKIM_WHITELIST 0

?


Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
How do I stop this?  paypal.com is in the default DKIM whitelist!

X-Spam-Status: No, score=-107.7 required=6.0 tests=DKIM_VALID,DKIM_VALID_AU,
,FREEMAIL_FROM,SHORTCIRCUIT,SPF_HELO_PASS,
USER_IN_DEF_DKIM_WL,USER_IN_DKIM_WHITELIST shortcircuit=ham
autolearn=disabled version=3.4.4
X-Spam-Relay-Country: US US US US
Received: from GBR01-LO2-obe.outbound.protection.outlook.com (
mail-lo2gbr01on2073.outbound.protection.outlook.com [40.107.10.73])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by xx (Postfix) with ESMTPS id 4BF1F1480FCB
for ; Mon, 14 Nov 2022 13:02:57 -0600 (CST)
Authentication-Results: 
dkim=pass (2048-bit key) header.d=paypal.com header.i=@paypal.com
header.b="r6hmfVu3"
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 
b=OVohkgjr3UJbiohxx1KCrPdnaD1WXK9mrLMvZ4VloK9eudd9Gkh7tImMPXIN1iOrETjNj59A47N+uJqf4kZFPVUGJS6KAdzWZczL7LiBaIsg1uSQwoD60Z7heKEjC5cfOLsXZhwf0nhhwzbXpjXltGfYn0Jd8VQGxT64hKtfyVoP9JpRyF6h8I9FnCxfVvRbP4i8iYk5zkdvi4I9eR7z4dXeB9vLwZv5hb6nIt6le9lMJriMoM11QYHcLlqZqj9S8L1pN9ynLzAVezxmWmH9YDKyB9aKf4vJP32HHLmzPCCgnqplW6xObPUI5Wt5HagqD+ImpgKMQ1JgM86tq+Tuzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com
;
 s=arcselector9901;
 
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=o8/9XRPNBSb6rQV6HcDwELycPOzUJqxucQ/nMDyby+o=;
 
b=XYTuQtEngNxrDz/McbFCv0GHj1RQ59jBE0nCMgxzQivSL51NnzAFIjsVs0BMxFtLPZmdwxx6fRBkRe6OLtpjUzut7MBMX0jYenXqsHZfLodWIT51fjG6JcEO1LPFvIJkl0WHl9w+agVHgUZy+c7TcADN5IdHh+/wDy5Pyh8iuEAE7g4+fPPaehKGfwLzqZJ+TdZKyXgbxbCMUCYrRjQvkV2xUqI+cTwZolauv847RlgIUqwG9OWiImbcruwIexjn+cOb1eidxluPnHVXILS/+AH6TVAz7oIsoCXB8rjBFrVCyGU1HTAYvLTDN31F7/QDMbDaiAHGTtbbvvAT7eZqig==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 173.0.84.228) smtp.rcpttodomain=duta788.onmicrosoft.com
 smtp.mailfrom=paypal.com; dmarc=pass (p=reject sp=reject pct=100)
action=none
 header.from=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com; arc=none (0)
Resent-From: 
Received: from CWLP123MB6161.GBRP123.PROD.OUTLOOK.COM
(2603:10a6:400:1a5::13)
 by LO0P123MB5990.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:280::12) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5813.17; Mon, 14 Nov
 2022 19:02:54 +
Received: from CWLP123CA0130.GBRP123.PROD.OUTLOOK.COM (2603:10a6:401:87::22)
 by CWLP123MB6161.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:1a5::13) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5813.17; Mon, 14 Nov
 2022 19:02:52 +
Received: from CWLGBR01FT040.eop-gbr01.prod.protection.outlook.com
 (2603:10a6:401:87:cafe::11) by CWLP123CA0130.outlook.office365.com
 (2603:10a6:401:87::22) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5813.17 via Frontend
 Transport; Mon, 14 Nov 2022 19:02:52 +
Authentication-Results: spf=pass (sender IP is 173.0.84.228)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
 173.0.84.228 as permitted sender) receiver=protection.outlook.com;
 client-ip=173.0.84.228; helo=mx3.slc.paypal.com; pr=C
Received: from mx3.slc.paypal.com (173.0.84.228) by
 CWLGBR01FT040.mail.protection.outlook.com (10.152.40.168) with Microsoft
SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5813.12 via Frontend Transport; Mon, 14 Nov 2022 19:02:51 +
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1668452569;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=o8/9XRPNBSb6rQV6HcDwELycPOzUJqxucQ/nMDyby+o=;
b=r6hmfVu3PlK5UN/X+kDNdo8TkUbOkfVn6+tT3VtTr30ic5BMR9vuyrZED4ARPF74
eywsS4yJTH3S3EB0IBX5yao3SN0WFNR23EUszb8LWgSpL0lz4+ZGqAfbjWP6UvI8
2XVzbjiT2tDP2ONkvM5e9g06CuC1VH2Bte5+S/Qke61W8OaagNu8sIcu6MNfoUiO
b/esckpPfghQtqDs693+pxDtuk9SBrbf14qZ2ih9eVV/38dRdz5B22pq8Kfws9yZ
hjvQlCDfovONXEEf6+lD1rs9p0NvKEIeIK/BFxbUmShXAyL3/LlYVLELEwzQ/mnl
zoIwzGQJ9u8i005oZVUnJA==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Mon, 14 Nov 2022 11:02:49 -0800
Message-ID: <67.91.14851.9D092736@ccg13mail05>
X-PP-REQUESTED-TIME: 1668452563268
X-PP-Email-transmission-Id: ed77fc42-644e-11ed-9b35-3cecef442a74
PP-Correlation-Id: f452526a2e2b2
Subject: Billing Department updated your invoice ( ALS56730 )
X-MaxCode-Template: PPC001082
To: PayPal User 
From: "serv...@paypal.com" 
X-Email-Type-Id: PPC001082
MIME-Version: 1.0
X-PP-Priority: 0-none-false
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: adbfa5e6-3343-4fe0-8aa8-9f0cc484823f:0
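
The relay path in these headers, which the replies read as a real PayPal message forwarded on by Microsoft, can be pulled out mechanically; this Python sketch is an added example, not code from the thread. `SAMPLE` is an excerpt of the headers above with folded lines rejoined, the From and Resent-From addresses and the `xx` authserv-id are constructed placeholders for redacted values, and `example.net` is an assumed local domain.

```python
import re
from email import message_from_string

# Excerpt of the posted headers, trimmed. From, Resent-From and the "xx"
# authserv-id are constructed placeholders for values the archive redacted.
SAMPLE = """\
Received: from GBR01-LO2-obe.outbound.protection.outlook.com
 (mail-lo2gbr01on2073.outbound.protection.outlook.com [40.107.10.73])
 by xx (Postfix) with ESMTPS id 4BF1F1480FCB;
 Mon, 14 Nov 2022 13:02:57 -0600 (CST)
Authentication-Results: xx;
 dkim=pass (2048-bit key) header.d=paypal.com header.i=@paypal.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 173.0.84.228) smtp.rcpttodomain=duta788.onmicrosoft.com
 smtp.mailfrom=paypal.com; dmarc=pass (p=reject sp=reject pct=100)
 action=none header.from=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com; arc=none (0)
Resent-From: <forwarder@example.invalid>
Received: from mx3.slc.paypal.com (173.0.84.228) by
 CWLGBR01FT040.mail.protection.outlook.com (10.152.40.168) with Microsoft
 SMTP Server
From: <sender@paypal.com>
Subject: Billing Department updated your invoice ( ALS56730 )

"""


def _flat(value):
    """Unfold a header value into one space-separated line."""
    return " ".join((value or "").split())


def _within(host, domain):
    """True when host equals domain or is a subdomain of it."""
    return bool(host) and bool(domain) and (host == domain or host.endswith("." + domain))


def relay_findings(raw_message, local_domains):
    """Compare the DKIM signer with the host that actually delivered the message."""
    msg = message_from_string(raw_message)
    received = [_flat(v) for v in msg.get_all("Received", [])]
    # Only the topmost Authentication-Results is ours; lower ones were written
    # by earlier hops and are not trusted here.
    auth = _flat(msg.get("Authentication-Results"))
    arc = _flat(msg.get("ARC-Authentication-Results"))

    signer = re.search(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", auth)
    # Postfix writes "from HELO (rdns [ip])"; use the rDNS name, not the HELO.
    top = received[0] if received else ""
    handoff = re.search(r"^from \S+ \(([\w.-]+) \[[0-9A-Fa-f.:]+\]\)", top)
    rcpt = re.search(r"\bsmtp\.rcpttodomain=([\w.-]+)", arc)

    signer_dom = signer.group(1).lower() if signer else None
    handoff_host = handoff.group(1).lower() if handoff else None
    rcpt_dom = rcpt.group(1).lower() if rcpt else None
    return {
        "dkim_signer": signer_dom,
        "handoff_host": handoff_host,
        "handed_over_by_signer": _within(handoff_host, signer_dom),
        "first_rcpt_domain": rcpt_dom,
        "first_rcpt_is_local": any(_within(rcpt_dom, d) for d in local_domains),
        "resent": "Resent-From" in msg,
    }


if __name__ == "__main__":
    for key, value in relay_findings(SAMPLE, ["example.net"]).items():
        print(f"{key}: {value}")
```

For the posted message the signer is paypal.com, yet the delivering host is under outlook.com and the first recorded recipient domain is an onmicrosoft.com tenant, which is the same condition the `!__HDR_RCVD_PAYPAL` term in the rule posted in reply keys on.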

Re: How to incorporate network blocks

2022-11-14 Thread Grant Taylor via users

On 11/11/22 10:10 AM, Bill Cole wrote:

> From my bashrc...
>
> # type cidrcon
> cidrcon is a function
> cidrcon ()
> {
>  for a in $*;
>  do
>  echo $a;
>  done | perl -e "use Net::CIDR::Lite;  \$cidr = Net::CIDR::Lite->new(<>) ; \$_ = join (\"\n\",\$cidr->list) ; print \"\$_\n\";"
> }


Oh ... (minimally) obfuscated Perl one liner.

N.B. My Perl is rusty.

Let's try deobfuscating and interpreting.


use Net::CIDR::Lite;


Load the Net::CIDR::Lite module.


$cidr = Net::CIDR::Lite->new(<>);


Instantiate an instance of the Net::CIDR::Lite module.

It also looks like you're reading from STDIN via "<>".  Is that correct?

I feel like that's a Perlish short cut to opening the STDIN.  I have 
almost always used an "open" statement for such.



$_ = join ("\n",$cidr->list);


Set the unnamed variable to the output of the list output from the 
Net::CIDR::Lite object using new lines.



print "$_\n";


Print the unnamed variable with a trailing new line.

I /think/.

Am I close?

> Obviously requires Perl and the Net::CIDR::Lite module. I do not
> recall why the implementation is so weird, but I've been using it
> for decades(!?)


The deobfuscated code doesn't seem weird to me.

I suspect some of the weirdness comes from transforming it into a one 
liner and escaping things as necessary to pass it from shell to Perl.


I guess it may be a little weird that the cidrcon() shell function takes 
multiple parameters and prints each of them on a line to pass into Perl.


I wonder if it was easier / simpler to do -- what I call -- the rotation 
(from one line with multiple parameters to multiple lines with one 
parameter) in shell than to deal with them in Perl.


Thank you for sharing Bill.  --  Your message has been waiting for me to 
read, analyze, assimilate, and reply.  ;-)




--
Grant. . . .
unix || die


