Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-21 Thread RW
On Thu, 20 Apr 2017 10:41:21 -0400
Lyle Evans wrote:

> I have been getting false positives from Yahoo due to
> FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
> about 3/31/17

I've been looking into this and IMO Yahoo have exposed a problem with
the rule: 

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7411


Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-21 Thread Merijn van den Kroonenberg
> On Thu, 20 Apr 2017, Lyle Evans wrote:
>
>> At 01:00 PM 4/20/2017, John Hardin wrote:
>>> On Thu, 20 Apr 2017, Merijn van den Kroonenberg wrote:
>>>
>>> > > On Thu, 20 Apr 2017 10:41:21 -0400
>>> > > Lyle Evans wrote:
>>> > >
>>> > > > I have been getting false positives from Yahoo due to
>>> > > > FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
>>> > > > about 3/31/17
>>> > > >
>>> > > > The X-Mailer line reads:
>>> > > >
>>> > > > X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
>>> > > > 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
>>> > > > Chrome/56.0.2924.87 Safari/537.36
>>> > > /DCE\)/
>>> > >
>>> > > My guess is that they are including the http user-agent header of the
>>> > > browser that connected to their webmail server.
>>> >
>>> > Correct, I also noticed this a few days ago. Maybe the rule could be
>>> > changed to exclude yahoo...but maybe other webmail applications do this
>>> > too, not sure.
>>>
>>> Excluding when verified from Yahoo would be the proper approach.
>>
>> I added && !__FROM_YAHOO_COM (from 20_headers.cf) to FORGED_MUA_MOZILLA
>> giving
>>
>> FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID &&
>> !__MOZILLA_MSGID && !__FROM_YAHOO_COM )
>>
>> I am testing that now,
>> any comments or suggestions for improvement are welcome.
>
> My concern would be how easy it might be to spoof __FROM_YAHOO_COM (which
> I'm not at the moment going to evaluate...) If it's a basic "From header
> includes 'yahoo.com'" rule (which is what the name suggests), you might
> want to create a meta of __FROM_YAHOO_COM && (__SPF_PASS || __DKIM_PASS)
> (rule names from memory, that's only to suggest the approach) and then use
> that instead of the bare __FROM_YAHOO_COM.
>

I think in this case the ability to spoof/bypass the FORGED_MUA_MOZILLA is
not a huge issue.

Yahoo does DKIM sign the mail:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
s=s2048; t=1492004654; bh=u/RrXL8wELnsl6uuALJnwAC/TQxfVkCBCHQc7pZDY/A=;
h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject;
b=P5zjzMsC0OoZ7c

But to make it waterproof we would need to verify if the mail was DKIM
signed for d=yahoo.com (and not for a spammer controlled domain). Is it
possible to do this somehow?

I assume checking for DKIM_VALID_AU is not good enough if users can use a
different mail identity in Yahoo (I don't know if it's possible).

SPF_PASS would work but you would need to check if the EnvelopeFrom is
from yahoo.com

But I think Lyle's rule is already better than nothing and might be good
enough, even if it can be spoofed.




Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread Lyle Evans

At 01:00 PM 4/20/2017, John Hardin wrote:

> On Thu, 20 Apr 2017, Merijn van den Kroonenberg wrote:
>
> > > On Thu, 20 Apr 2017 10:41:21 -0400
> > > Lyle Evans wrote:
> > >
> > > > I have been getting false positives from Yahoo due to
> > > > FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
> > > > about 3/31/17
> > > >
> > > > The X-Mailer line reads:
> > > >
> > > > X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
> > > > 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> > > > Chrome/56.0.2924.87 Safari/537.36
> > > /DCE\)/
> > >
> > > My guess is that they are including the http user-agent header of the
> > > browser that connected to their webmail server.
> >
> > Correct, I also noticed this a few days ago. Maybe the rule could be
> > changed to exclude yahoo...but maybe other webmail applications do this
> > too, not sure.
>
> Excluding when verified from Yahoo would be the proper approach.

I added && !__FROM_YAHOO_COM (from 20_headers.cf) to FORGED_MUA_MOZILLA
giving

FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID && !__FROM_YAHOO_COM )

I am testing that now,
any comments or suggestions for improvement are welcome.

Lyle Evans

> Unfortunately masscheck is down for migration so any global fix
> won't go out anytime soon...
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus





Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread John Hardin

On Thu, 20 Apr 2017, Lyle Evans wrote:

> At 01:00 PM 4/20/2017, John Hardin wrote:
>
> > On Thu, 20 Apr 2017, Merijn van den Kroonenberg wrote:
> >
> > > > On Thu, 20 Apr 2017 10:41:21 -0400
> > > > Lyle Evans wrote:
> > > >
> > > > > I have been getting false positives from Yahoo due to
> > > > > FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
> > > > > about 3/31/17
> > > > >
> > > > > The X-Mailer line reads:
> > > > >
> > > > > X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
> > > > > 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> > > > > Chrome/56.0.2924.87 Safari/537.36
> > > > /DCE\)/
> > > >
> > > > My guess is that they are including the http user-agent header of the
> > > > browser that connected to their webmail server.
> > >
> > > Correct, I also noticed this a few days ago. Maybe the rule could be
> > > changed to exclude yahoo...but maybe other webmail applications do this
> > > too, not sure.
> >
> > Excluding when verified from Yahoo would be the proper approach.
>
> I added && !__FROM_YAHOO_COM (from 20_headers.cf) to FORGED_MUA_MOZILLA
> giving
>
> FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID && !__FROM_YAHOO_COM )
>
> I am testing that now,
> any comments or suggestions for improvement are welcome.

My concern would be how easy it might be to spoof __FROM_YAHOO_COM (which
I'm not at the moment going to evaluate...) If it's a basic "From header
includes 'yahoo.com'" rule (which is what the name suggests), you might
want to create a meta of __FROM_YAHOO_COM && (__SPF_PASS || __DKIM_PASS)
(rule names from memory, that's only to suggest the approach) and then use
that instead of the bare __FROM_YAHOO_COM.




Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread John Hardin

On Thu, 20 Apr 2017, Merijn van den Kroonenberg wrote:

> > On Thu, 20 Apr 2017 10:41:21 -0400
> > Lyle Evans wrote:
> >
> > > I have been getting false positives from Yahoo due to
> > > FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
> > > about 3/31/17
> > >
> > > The X-Mailer line reads:
> > >
> > > X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
> > > 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> > > Chrome/56.0.2924.87 Safari/537.36
> > /DCE\)/
> >
> > My guess is that they are including the http user-agent header of the
> > browser that connected to their webmail server.
>
> Correct, I also noticed this a few days ago. Maybe the rule could be
> changed to exclude yahoo...but maybe other webmail applications do this
> too, not sure.

Excluding when verified from Yahoo would be the proper approach.

Unfortunately masscheck is down for migration so any global fix won't go 
out anytime soon...





Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread RW
On Thu, 20 Apr 2017 17:02:57 +0200
Merijn van den Kroonenberg wrote:


> > My guess is that they are including the http user-agent header of
> > the browser that connected to their webmail server.
> >  
> 
> Correct, I also noticed this a few days ago. Maybe the rule could be
> changed to exclude yahoo...but maybe other webmail applications do
> this too, not sure.

I don't get much yahoo mail, is this the norm now? 



Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread Merijn van den Kroonenberg
> On Thu, 20 Apr 2017 10:41:21 -0400
> Lyle Evans wrote:
>
>> I have been getting false positives from Yahoo due to
>> FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
>> about 3/31/17
>>
>> The X-Mailer line reads:
>>
>> X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
>> 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
>> Chrome/56.0.2924.87 Safari/537.36
> /DCE\)/
>
> My guess is that they are including the http user-agent header of the
> browser that connected to their webmail server.
>

Correct, I also noticed this a few days ago. Maybe the rule could be
changed to exclude yahoo...but maybe other webmail applications do this
too, not sure.





Re: False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread RW
On Thu, 20 Apr 2017 10:41:21 -0400
Lyle Evans wrote:

> I have been getting false positives from Yahoo due to
> FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
> about 3/31/17
> 
> The X-Mailer line reads:
> 
> X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 
> 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
> Chrome/56.0.2924.87 Safari/537.36
/DCE\)/

My guess is that they are including the http user-agent header of the
browser that connected to their webmail server.


False Positives from yahoo due to FORGED_MUA_MOZILLA

2017-04-20 Thread Lyle Evans

I have been getting false positives from Yahoo due to FORGED_MUA_MOZILLA
hitting on a new X-Mailer line added by Yahoo
about 3/31/17

The X-Mailer line reads:

X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 
10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/56.0.2924.87 Safari/537.36


and the Message-ID reads:

Message-ID: <909353831.1397505.1490989414...@mail.yahoo.com>


It is triggering the rule FORGED_MUA_MOZILLA from 20_meta_tests.cf


header   __MOZILLA_MUA       X-Mailer =~ /\bMozilla\b/
header   __MOZILLA_MSGID     MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
meta     FORGED_MUA_MOZILLA  (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)

describe FORGED_MUA_MOZILLA  Forged mail pretending to be from Mozilla

50_scores.cf: score FORGED_MUA_MOZILLA 2.399 1.596 2.399 2.309

I realize that it's just 2.309 points, but throw in a few other
miscellaneous hits and you get a false positive. (I'll make another post
about one of the miscellaneous hits.)

Where __UNUSABLE_MSGID is defined in 20_ratware.cf:

# first define situations where servers rewrite message id so we can't use message id to detect forgeries

header __HOTMAIL_BAYDAV_MSGID     MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m

header __IPLANET_MESSAGING_SERVER Received =~ /iPlanet Messaging Server/

header __LYRIS_EZLM_REMAILER      List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/

header __SYMPATICO_MSGID          MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m

header __WACKY_SENDMAIL_VERSION   Received =~ /\/CWT\/DCE\)/

meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)


My questions are is anybody else seeing this?
Why the @#$%! is Yahoo doing this?
What is the best fix?
I have temporarily removed the rule.

Thanks
Lyle Evans



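Added worked example (editor's code, not SpamAssassin's rules and not code from anyone in this thread). It re-implements the FORGED_MUA_MOZILLA meta rule that Lyle quoted, using the regexes from the thread, and then runs the same headers through the two exclusions discussed above: Lyle's bare "&& !__FROM_YAHOO_COM", and the variant John and Merijn were circling, which only excludes a message when the From: is Yahoo and the message carries a DKIM pass aligned with that From: domain (the condition SpamAssassin's DKIM_VALID_AU expresses). Assumed, and not in the thread: FROM_YAHOO is a simplified stand-in for __FROM_YAHOO_COM (the rule in 20_headers.cf is broader), DKIM verification has already happened upstream and been recorded in an Authentication-Results header, and the three sample messages are constructed (only the Yahoo X-Mailer string is the one Lyle posted).

```python
"""FORGED_MUA_MOZILLA re-implemented over constructed headers, with the two
Yahoo exclusions discussed in the thread side by side.

Editor's example, not SpamAssassin code. Assumptions (not in the thread):
FROM_YAHOO is a simplified stand-in for __FROM_YAHOO_COM, and DKIM was
verified upstream and recorded in an Authentication-Results header.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Regexes copied from the 20_meta_tests.cf / 20_ratware.cf lines quoted in the
# thread; only the Perl-style "\@" is written as a plain "@" for Python.
MOZILLA_MUA = re.compile(r"\bMozilla\b")
MOZILLA_MSGID = re.compile(r"^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}@\S+>$", re.M)
HOTMAIL_BAYDAV_MSGID = re.compile(r"^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}@phx\.gbl>$", re.M)
SYMPATICO_MSGID = re.compile(r"^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}@CEZ\.ICE>$", re.M)
# Assumption: simplified stand-in for __FROM_YAHOO_COM (20_headers.cf is broader).
FROM_YAHOO = re.compile(r"@yahoo\.com\b", re.I)
# Assumption: the upstream verifier writes "dkim=pass ... header.d=<signing domain>".
AR_DKIM_PASS = re.compile(r"\bdkim=pass\b[^;]*\bheader\.d=([\w.-]+)", re.I)


def hdr(msg: Message, name: str) -> str:
    return msg.get(name) or ""


def mozilla_mua(msg: Message) -> bool:      # __MOZILLA_MUA
    return bool(MOZILLA_MUA.search(hdr(msg, "X-Mailer")))


def mozilla_msgid(msg: Message) -> bool:    # __MOZILLA_MSGID
    return bool(MOZILLA_MSGID.search(hdr(msg, "Message-ID")))


def unusable_msgid(msg: Message) -> bool:   # two of the __UNUSABLE_MSGID terms
    mid = hdr(msg, "Message-ID")
    return bool(HOTMAIL_BAYDAV_MSGID.search(mid) or SYMPATICO_MSGID.search(mid))


def from_yahoo(msg: Message) -> bool:       # stand-in for __FROM_YAHOO_COM
    return bool(FROM_YAHOO.search(hdr(msg, "From")))


def dkim_author_aligned(msg: Message) -> bool:
    """What DKIM_VALID_AU expresses: a passing signature whose d= is the From:
    domain (or a parent of it). A pass for some other d= does not count, which
    is Merijn's "signed for a spammer controlled domain" case."""
    author_domain = parseaddr(hdr(msg, "From"))[1].rpartition("@")[2].lower()
    if not author_domain:
        return False
    for m in AR_DKIM_PASS.finditer(hdr(msg, "Authentication-Results")):
        d = m.group(1).lower()
        if author_domain == d or author_domain.endswith("." + d):
            return True
    return False


def forged_mua_mozilla(msg: Message) -> bool:
    """meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)"""
    return mozilla_mua(msg) and not unusable_msgid(msg) and not mozilla_msgid(msg)


def forged_mua_mozilla_bare_exclusion(msg: Message) -> bool:
    """Lyle's variant: ... && !__FROM_YAHOO_COM (a From: header is free to forge)."""
    return forged_mua_mozilla(msg) and not from_yahoo(msg)


def forged_mua_mozilla_verified_exclusion(msg: Message) -> bool:
    """John's/Merijn's variant: exclude only when From: is Yahoo AND the DKIM
    pass is aligned with that From: domain."""
    return forged_mua_mozilla(msg) and not (from_yahoo(msg) and dkim_author_aligned(msg))


def evaluate(msg: Message) -> dict:
    return {
        "original": forged_mua_mozilla(msg),
        "bare_exclusion": forged_mua_mozilla_bare_exclusion(msg),
        "verified_exclusion": forged_mua_mozilla_verified_exclusion(msg),
    }


# Constructed sample headers. The Yahoo X-Mailer string is the one Lyle posted;
# every address, Message-ID and Authentication-Results line here is made up.
YAHOO_UA = ("WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; WOW64) "
            "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")

YAHOO_WEBMAIL = message_from_string(
    "From: Alice <alice.example@yahoo.com>\n"
    "Message-ID: <123456789.1234567.1490989414000@mail.yahoo.com>\n"
    f"X-Mailer: {YAHOO_UA}\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=yahoo.com header.i=@yahoo.com\n\n")

# Same From: and X-Mailer, but DKIM-signed by the sender's own domain, not yahoo.com.
SPOOFED_YAHOO = message_from_string(
    "From: Alice <alice.example@yahoo.com>\n"
    "Message-ID: <20170420101010.7A3B9F@bulk.spammer.example>\n"
    f"X-Mailer: {YAHOO_UA}\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=bulk.spammer.example\n\n")

# Old Mozilla-suite style X-Mailer with a Message-ID that matches __MOZILLA_MSGID.
MOZILLA_STYLE = message_from_string(
    "From: Bob <bob@example.org>\n"
    "Message-ID: <5AF1C2D3.4060108@example.org>\n"
    "X-Mailer: Mozilla 4.7 [en] (X11; U; Linux 2.2.14 i686)\n\n")

if __name__ == "__main__":
    for name, m in (("yahoo webmail", YAHOO_WEBMAIL), ("spoofed yahoo", SPOOFED_YAHOO),
                    ("mozilla-style", MOZILLA_STYLE)):
        print(f"{name:14s} {evaluate(m)}")
```

Running it: the genuine Yahoo message hits the original rule (Lyle's false positive) and is excluded by both variants; the message with a forged yahoo.com From: and a DKIM pass for the spammer's own d= slips past the bare exclusion entirely but still hits the verified variant, which is the gap John flagged; the Mozilla-style Message-ID never fires because __MOZILLA_MSGID matches it. In rule terms the verified variant is a meta of __FROM_YAHOO_COM && DKIM_VALID_AU, negated inside FORGED_MUA_MOZILLA; an unaligned dkim=pass, as in the second message, does not satisfy it.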