I have been getting false positives from Yahoo due to FORGED_MUA_MOZILLA
hitting on a new X-Mailer line added by Yahoo
about 3/31/17
The X-Mailer line reads:
X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/56.0.2924.87 Safari/537.36
and the Message-ID reads:
Message-ID: <909353831.1397505.1490989414...@mail.yahoo.com>
It is triggering the rule FORGED_MUA_MOZILLA from 20_meta_tests.cf
header __MOZILLA_MUA X-Mailer =~ /\bMozilla\b/
header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
describe FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla
50_scores.cf: score FORGED_MUA_MOZILLA 2.399 1.596 2.399 2.309
I realize that it's just 2.309 points, but throw in a few other
miscellaneous hits and you get a
false positive. (I'll make another post about one of the miscellaneous hits.)
Where __UNUSABLE_MSGID is defined in 20_ratware.cf
# first define situations where servers rewrite message id so we can't use message id to detect forgeries
header __HOTMAIL_BAYDAV_MSGID MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header __IPLANET_MESSAGING_SERVER Received =~ /iPlanet Messaging Server/
header __LYRIS_EZLM_REMAILER List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/
header __SYMPATICO_MSGID MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m
header __WACKY_SENDMAIL_VERSION Received =~ /\/CWT\/DCE\)/
meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)
My questions are: is anybody else seeing this?
Why the @#$%! is Yahoo doing this?
What is the best fix?
I have temporarily removed the rule.
Thanks
Lyle Evans
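Added example, not from the post or from the SpamAssassin rule set: a Python transcription of the quoted sub-rules and meta, run over the Yahoo headers shown above and two constructed messages, to show why the meta fires on the Yahoo web client and how a hypothetical local exclusion for the "WebService/... YahooMailNeo" prefix (assumed name __YAHOO_WEBSERVICE_MUA, not a stock rule) would change the result. It assumes headers have already been unfolded to single lines.

```python
import re

# SpamAssassin sub-rules quoted in the post, transcribed as Python regexes.
# Headers are assumed already unfolded to one line, as SpamAssassin does
# before matching; MESSAGEID is SpamAssassin's pseudo-header for Message-ID.
MOZILLA_MUA = re.compile(r"\bMozilla\b")
MOZILLA_MSGID = re.compile(r"^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}@\S+>$", re.M)
# __UNUSABLE_MSGID components shown in the post as (header, pattern);
# __GATED_THROUGH_RCVD_REMOVER is not defined on the page and is omitted.
UNUSABLE_MSGID = [
    ("Message-ID", re.compile(r"^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}@phx\.gbl>$", re.M)),
    ("Received", re.compile(r"iPlanet Messaging Server")),
    ("List-Unsubscribe", re.compile(r"<mailto:(?:leave-\S+|\S+-unsubscribe)@\S+>$")),
    ("Message-ID", re.compile(r"^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}@CEZ\.ICE>$", re.M)),
    ("Received", re.compile(r"/CWT/DCE\)")),
]
# Hypothetical local exclusion (assumed name, not a stock rule): the Yahoo web
# client prefixes the browser user-agent, which contains "Mozilla", with
# "WebService/<version> YahooMailNeo".
YAHOO_WEBSERVICE_MUA = re.compile(r"^WebService/\S+ YahooMailNeo ")

def forged_mua_mozilla(headers, exclude_yahoo_webservice=False):
    """Evaluate the FORGED_MUA_MOZILLA meta over a dict of unfolded headers.
    Returns (hit, sub_rule_results)."""
    get = lambda name: headers.get(name, "")
    sub = {
        "__MOZILLA_MUA": bool(MOZILLA_MUA.search(get("X-Mailer"))),
        "__MOZILLA_MSGID": bool(MOZILLA_MSGID.search(get("Message-ID"))),
        "__UNUSABLE_MSGID": any(rx.search(get(h)) for h, rx in UNUSABLE_MSGID),
    }
    if exclude_yahoo_webservice and YAHOO_WEBSERVICE_MUA.search(get("X-Mailer")):
        sub["__UNUSABLE_MSGID"] = True  # treat the Yahoo web client like the other rewriters
    hit = sub["__MOZILLA_MUA"] and not sub["__UNUSABLE_MSGID"] and not sub["__MOZILLA_MSGID"]
    return hit, sub

# Constructed samples: the Yahoo headers quoted in the post (Message-ID elision
# kept as given), a genuine Thunderbird-style message, and an obvious forgery.
YAHOO = {
    "X-Mailer": "WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; WOW64) "
                "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
    "Message-ID": "<909353831.1397505.1490989414...@mail.yahoo.com>",
}
THUNDERBIRD = {"X-Mailer": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0",
               "Message-ID": "<58DE1A2B.3060509@example.com>"}
FORGED = {"X-Mailer": "Mozilla/5.0 (Windows NT 10.0) Thunderbird/45.8.0", "Message-ID": "<abc123@example.com>"}

if __name__ == "__main__":
    for name, hdrs in [("yahoo", YAHOO), ("thunderbird", THUNDERBIRD), ("forged", FORGED)]:
        print(name, forged_mua_mozilla(hdrs))
    print("yahoo+exclusion", forged_mua_mozilla(YAHOO, exclude_yahoo_webservice=True))
```

The stock meta fires on the Yahoo message because its Message-ID is neither Mozilla-shaped nor on the __UNUSABLE_MSGID list, while the genuine Thunderbird sample is cleared by __MOZILLA_MSGID and the forgery still hits with the exclusion in place.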