On Thu, 20 Apr 2017, Lyle Evans wrote:

At 01:00 PM 4/20/2017, John Hardin wrote:
On Thu, 20 Apr 2017, Merijn van den Kroonenberg wrote:

> > On Thu, 20 Apr 2017 10:41:21 -0400
> > Lyle Evans wrote:
> > >
> > > I have been getting false positives from Yahoo due to
> > > FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
> > > about 3/31/17
> > >
> > > The X-Mailer line reads:
> > >
> > > X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
> > > 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> > > Chrome/56.0.2924.87 Safari/537.36
> > /DCE\)/
> >
> > My guess is that they are including the http user-agent header of the
> > browser that connected to their webmail server.
>
> Correct, I also noticed this a few days ago. Maybe the rule could be
> changed to exclude yahoo...but maybe other webmail applications do this
> too, not sure.

Excluding when verified from Yahoo would be the proper approach.

I added && !__FROM_YAHOO_COM (from 20_headers.cf) to FORGED_MUA_MOZILLA
giving

meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID && !__FROM_YAHOO_COM)

I am testing that now; any comments or suggestions for improvement are welcome.

My concern would be how easy it might be to spoof __FROM_YAHOO_COM (which I'm not going to evaluate at the moment...). If it's a basic "From header includes 'yahoo.com'" rule (which is what the name suggests), you might want to create a meta of __FROM_YAHOO_COM && (__SPF_PASS || __DKIM_PASS) (rule names from memory, that's only to suggest the approach) and then use that instead of the bare __FROM_YAHOO_COM.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Campuses today are a theatrical mashup of
  1984 and Lord of the Flies, performed by people
  who don't understand these references.               -- David Burge
-----------------------------------------------------------------------
 3 days until Max Planck's 159th birthday
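As an added example (not from any message in this thread, and not stock SpamAssassin configuration): the two rule definitions side by side, the way they would be written in local.cf. __FROM_YAHOO_COM, __MOZILLA_MUA, __UNUSABLE_MSGID and __MOZILLA_MSGID are the subrules named in the thread; SPF_PASS and DKIM_VALID_AU are the actual names of the stock SPF and DKIM plugin rules (the thread's __SPF_PASS / __DKIM_PASS were quoted from memory); the name __FROM_YAHOO_COM_AUTH is my own choice and is assumed not to clash with anything in your rule set.

```cf
# Added example, not from the thread. Put it in local.cf: a later definition
# of FORGED_MUA_MOZILLA replaces the stock one, so the original need not be
# edited. Requires the SPF and DKIM plugins, which the stock .pre files load.

# Weak version (the change under test in the thread): any message whose
# From: matches __FROM_YAHOO_COM is exempted, so a forger only has to put a
# yahoo.com address in From: to skip the forged-MUA test entirely.
# meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID && !__FROM_YAHOO_COM)

# Hardened version: the exemption applies only when the yahoo.com From: is
# backed by a passing SPF check or a valid DKIM signature whose signing
# domain matches the author (From:) domain.
# __FROM_YAHOO_COM_AUTH is a name chosen for this example, not a stock rule.
meta __FROM_YAHOO_COM_AUTH (__FROM_YAHOO_COM && (SPF_PASS || DKIM_VALID_AU))
meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID && !__FROM_YAHOO_COM_AUTH)
```

Run `spamassassin --lint` after adding it to catch syntax errors before the rules go live. One caveat on the SPF half: SPF_PASS validates the envelope sender (MAIL FROM) or the HELO name, not the header From:, so a sender who controls the SPF record for their own envelope domain can obtain SPF_PASS on a message whose From: says yahoo.com. DKIM_VALID_AU is the check that actually binds the authentication to the From: domain; if you want the exemption to be hard to spoof, use DKIM_VALID_AU on its own and drop the SPF alternative.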
