I have been getting false positives from Yahoo due to FORGED_MUA_MOZILLA
hitting on a new X-Mailer line added by Yahoo
about 3/31/17

The X-Mailer line reads:

X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

and the Message-ID reads:

Message-ID: <909353831.1397505.1490989414...@mail.yahoo.com>


It is triggering the rule FORGED_MUA_MOZILLA from 20_meta_tests.cf


header __MOZILLA_MUA           X-Mailer =~ /\bMozilla\b/
header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
describe FORGED_MUA_MOZILLA    Forged mail pretending to be from Mozilla

50_scores.cf: score FORGED_MUA_MOZILLA 2.399 1.596 2.399 2.309

I realize that it's just 2.309 points, but throw in a few other miscellaneous hits and you get a
False Positive. (I'll make another post about one of the miscellaneous hits.)

Where __UNUSABLE_MSGID is defined in 20_ratware.cf
# first define situations where servers rewrite message id so we can't use message id to detect forgeries

header __HOTMAIL_BAYDAV_MSGID MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m

header __IPLANET_MESSAGING_SERVER Received =~ /iPlanet Messaging Server/

header __LYRIS_EZLM_REMAILER List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/

header __SYMPATICO_MSGID MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m

header __WACKY_SENDMAIL_VERSION Received =~ /\/CWT\/DCE\)/

meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)

My questions are: is anybody else seeing this?
Why the @#$%! is Yahoo doing this?
What is the best fix?
I have temporarily removed the rule.

Thanks
Lyle Evans



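To see exactly why the meta rule fires on the Yahoo headers, here is a stand-alone re-implementation of the FORGED_MUA_MOZILLA logic quoted in the post. This is an added example, not the poster's code and not SpamAssassin's own rule engine: the Perl patterns from 20_meta_tests.cf and 20_ratware.cf are transcribed to Python syntax (`\@` becomes `@`, the `/m` modifier becomes `re.M`), the `__GATED_THROUGH_RCVD_REMOVER` sub-rule is left out because its definition does not appear on the page, and the three sample header blocks are constructed (the Yahoo one mirrors the post's X-Mailer plus a made-up numeric Message-ID, since the real one is truncated above).

```python
import re

# Added example: re-implementation of the FORGED_MUA_MOZILLA logic quoted in
# the post, for checking headers offline. Not SpamAssassin's own code.
# Perl -> Python transcription: "\@" -> "@", /m -> re.M.
# __GATED_THROUGH_RCVD_REMOVER is part of __UNUSABLE_MSGID in the post but is
# not defined on the page, so it is omitted here (assumption).
MOZILLA_MUA = re.compile(r"\bMozilla\b")
MOZILLA_MSGID = re.compile(r"^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}@\S+>$", re.M)

HOTMAIL_BAYDAV_MSGID = re.compile(
    r"^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}@phx\.gbl>$", re.M)
SYMPATICO_MSGID = re.compile(r"^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}@CEZ\.ICE>$", re.M)
IPLANET_MESSAGING_SERVER = re.compile(r"iPlanet Messaging Server")
WACKY_SENDMAIL_VERSION = re.compile(r"/CWT/DCE\)")
LYRIS_EZLM_REMAILER = re.compile(r"<mailto:(?:leave-\S+|\S+-unsubscribe)@\S+>$")


def parse_headers(raw):
    """Parse a raw message header block into {lowercase name: [values]}.

    Folded continuation lines (leading space/tab) are joined onto the preceding
    value; long X-Mailer lines like Yahoo's are normally folded on the wire.
    """
    headers = {}
    name = None
    for line in raw.splitlines():
        if not line.strip():          # blank line ends the header block
            break
        if line[0] in " \t" and name is not None:
            headers[name][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(name, []).append(value.strip())
    return headers


def _hits(pattern, headers, field):
    """True if the pattern matches any instance of the named header."""
    return any(pattern.search(v) for v in headers.get(field.lower(), []))


def unusable_msgid(headers):
    """__UNUSABLE_MSGID: servers known to rewrite Message-ID (subset on the page)."""
    return (_hits(LYRIS_EZLM_REMAILER, headers, "List-Unsubscribe")
            or _hits(WACKY_SENDMAIL_VERSION, headers, "Received")
            or _hits(IPLANET_MESSAGING_SERVER, headers, "Received")
            or _hits(HOTMAIL_BAYDAV_MSGID, headers, "Message-ID")
            or _hits(SYMPATICO_MSGID, headers, "Message-ID"))


def evaluate(raw):
    """Return the sub-rule hits and the FORGED_MUA_MOZILLA verdict for one message."""
    h = parse_headers(raw)
    mua = _hits(MOZILLA_MUA, h, "X-Mailer")
    msgid = _hits(MOZILLA_MSGID, h, "Message-ID")
    unusable = unusable_msgid(h)
    return {
        "__MOZILLA_MUA": mua,
        "__MOZILLA_MSGID": msgid,
        "__UNUSABLE_MSGID": unusable,
        # meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
        "FORGED_MUA_MOZILLA": mua and not unusable and not msgid,
    }


# Constructed sample headers (not real messages). The Yahoo sample mirrors the
# post: a browser user-agent string inside X-Mailer plus a numeric Message-ID.
YAHOO_WEBMAIL = (
    "From: someone@yahoo.com\n"
    "X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; WOW64)\n"
    " AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\n"
    "Message-ID: <123456789.1234567.1490989414000@mail.yahoo.com>\n"
    "\n"
    "body\n"
)
# Thunderbird-style Message-ID: 8 hex digits, a dot, up to 8 more hex digits.
REAL_MOZILLA = (
    "X-Mailer: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0\n"
    "Message-ID: <58E0A1B2.3040506@example.org>\n"
    "\n"
)
# Hotmail-style ID: __UNUSABLE_MSGID suppresses the meta rule even though the
# Message-ID is not Mozilla-shaped.
HOTMAIL_REWRITTEN = (
    "X-Mailer: Mozilla/4.0 (compatible)\n"
    "Message-ID: <BAY123-DAV4ABCDEFGHIJKLMNOPQRSTUVWXY@phx.gbl>\n"
    "\n"
)

if __name__ == "__main__":
    for label, raw in [("yahoo", YAHOO_WEBMAIL), ("mozilla", REAL_MOZILLA),
                       ("hotmail", HOTMAIL_REWRITTEN)]:
        print(label, evaluate(raw))
```

Running it shows the mechanism: `\bMozilla\b` matches the "Mozilla/5.0" token that Yahoo copies out of the browser user-agent string, the numeric Yahoo Message-ID does not match the 8-hex-digits-dot-hex shape `__MOZILLA_MSGID` expects, and none of the `__UNUSABLE_MSGID` exceptions cover mail.yahoo.com, so the meta rule fires. The Thunderbird-shaped and Hotmail-shaped samples show the two paths that keep it quiet.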