Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2021/07/13 15:42:15 UTC
FORGED_MUA_MOZILLA for horde-submitted mail
Hello,
I received a mail that hit FORGED_MUA_MOZILLA when in fact the mail was
submitted via Horde webmail:
Received: from 1.example.net (unknown [192.168.100.114])
    (Authenticated sender: redacted)
    by 2.example.net (Postfix) with ESMTPA id 77F972DB78F
    for <xx...@example.com>; Mon, 12 Jul 2021 14:23:04 +0200 (CEST)
Received: from qqq.sk
    (qqq.sk [192.0.2.1]) by example.org (Horde
    Framework) with HTTPS; Mon, 12 Jul 2021 14:23:03 +0200
Date: Mon, 12 Jul 2021 14:23:03 +0200
Message-ID: <20...@example.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i
header __MOZILLA_MSGID MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID && __GROUPSIO_GATED)
perhaps this should be expanded with a check for Horde webmail?
looks like we had the same problem a few years ago with IceWarp webmail:
https://mail-archives.apache.org/mod_mbox/spamassassin-users/201810.mbox/<7c094ffa-a1ee-b844-10b7-eca766c21275%40invaluement.com>
(I have access to a few IceWarp servers, I can check that somewhere)
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends?
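As an added example (not SpamAssassin's code and not part of this thread), the rule logic quoted above re-implemented in Python so it can be run offline against the headers from the post. It unfolds the folded header lines, applies the __MOZILLA_MUA and __MOZILLA_MSGID patterns verbatim, and adds a hypothetical Horde Received check of the kind the question asks about. It also illustrates the later point in the thread that the Horde-generated Message-ID does not fit the Mozilla pattern, which is why the browser User-Agent alone makes the meta rule fire. All header samples are constructed (the elided Message-ID and recipient are replaced with made-up values), the subrule name __HORDE_WEBMAIL_RCVD is an assumption, and __UNUSABLE_MSGID's gateway subrules are not reproduced.

```python
import re

# Added example, not SpamAssassin code. Same patterns as __MOZILLA_MUA and
# __MOZILLA_MSGID in the post (Perl's \@ is simply '@' in Python).
MOZILLA_MUA = re.compile(r"^mozilla\b", re.IGNORECASE)
MOZILLA_MSGID = re.compile(
    r"^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}"
    r"|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})@\S+>$",
    re.MULTILINE,
)
# Assumed (hypothetical subrule __HORDE_WEBMAIL_RCVD): the Received line that
# Horde's HTTPS submission path wrote in the sample from the post.
HORDE_RCVD = re.compile(r"\(Horde\s+Framework\)\s+with\s+HTTPS", re.IGNORECASE)


def parse_headers(raw):
    """Unfold RFC 5322 headers into (lowercased name, value) pairs, in order.
    Continuation lines (leading SP/TAB) join the previous header with one
    space; the first blank line ends the header block."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and pairs:
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def get_all(pairs, name):
    """All values of a header (Received repeats), case-insensitive name."""
    return [v for n, v in pairs if n == name.lower()]


def is_mozilla_msgid(msgid):
    return MOZILLA_MSGID.search(msgid) is not None


def forged_mua_mozilla(raw):
    """__MOZILLA_MUA && !__MOZILLA_MSGID. __UNUSABLE_MSGID is assumed false,
    and only Message-ID is consulted where SpamAssassin's MESSAGEID
    pseudo-header covers several Message-ID-like headers."""
    pairs = parse_headers(raw)
    ua = get_all(pairs, "User-Agent")
    mid = get_all(pairs, "Message-ID")
    mozilla_mua = bool(ua) and MOZILLA_MUA.search(ua[0]) is not None
    mozilla_msgid = bool(mid) and is_mozilla_msgid(mid[0])
    return mozilla_mua and not mozilla_msgid


def horde_submitted(raw):
    """Hypothetical __HORDE_WEBMAIL_RCVD: any Received header written by Horde."""
    return any(HORDE_RCVD.search(r) for r in get_all(parse_headers(raw), "Received"))


def forged_mua_mozilla_excluding_horde(raw):
    """The expansion the post asks about: do not fire on Horde-submitted mail."""
    return forged_mua_mozilla(raw) and not horde_submitted(raw)


# Constructed samples. HORDE_MAIL mirrors the headers in the post.
HORDE_MAIL = "\n".join([
    "Received: from 1.example.net (unknown [192.168.100.114])",
    "\t(Authenticated sender: redacted)",
    "\tby 2.example.net (Postfix) with ESMTPA id 77F972DB78F",
    "\tfor <user@example.com>; Mon, 12 Jul 2021 14:23:04 +0200 (CEST)",
    "Received: from qqq.sk",
    "\t(qqq.sk [192.0.2.1]) by example.org (Horde",
    "\tFramework) with HTTPS; Mon, 12 Jul 2021 14:23:03 +0200",
    "Date: Mon, 12 Jul 2021 14:23:03 +0200",
    "Message-ID: <20210712122303.CONSTRUCTED@example.net>",
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36",
    "\t(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
    "",
    "body",
])
# A Thunderbird message with a Mozilla-style (GUID) Message-ID: must not hit.
THUNDERBIRD_MAIL = "\n".join([
    "Message-ID: <a1b2c3d4-e5f6-7a8b-9c0d-e1f2a3b4c5d6@example.org>",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101",
    "\tThunderbird/78.11.0",
    "",
])
# Claims Thunderbird but carries a non-Mozilla Message-ID: the true-positive
# case the rule exists for, and not Horde-submitted, so the exclusion keeps it.
CLAIMED_MOZILLA_MAIL = "\n".join([
    "Received: from mail.example.org (mail.example.org [198.51.100.7])",
    "\tby mx.example.net (Postfix) with ESMTP id CONSTRUCTED",
    "Message-ID: <1626100000.12345@example.org>",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0",
    "",
])

if __name__ == "__main__":
    for label, msg in [("horde", HORDE_MAIL), ("thunderbird", THUNDERBIRD_MAIL),
                       ("claimed", CLAIMED_MOZILLA_MAIL)]:
        print(label, forged_mua_mozilla(msg), forged_mua_mozilla_excluding_horde(msg))
```

The Horde sample hits the meta rule exactly as reported (browser User-Agent, non-Mozilla Message-ID), the Horde exclusion suppresses it, and the message that merely claims Thunderbird still fires either way; a rule tuned this way lowers false positives on webmail without losing the case the rule was written for.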
Re: FORGED_MUA_MOZILLA for horde-submitted mail
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas wrote:
>>I have just checked, both do:
>>
>>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
>> Firefox/60.0 SeaMonkey/2.53.8
>>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
>> Thunderbird/78.11.0
On 17.07.21 01:08, Jared Hall wrote:
>Thank you, Matus. I have been using SeaMonkey for a few months now.
>It never sent any User-Agent header until Monday. Very Strange.
>"Looks like I picked the wrong week to quit sniffing glue".
np - in the meantime I found it was a hook on the Horde server.
bad idea probably, but I don't wonder someone tried to pass that info to the
message.
I expected mailers to put their info into X-Mailer:, and I see more of them use
User-Agent...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Silvester Stallone: Father of the RISC concept.
Re: FORGED_MUA_MOZILLA for horde-submitted mail
Posted by Jared Hall <ja...@jaredsec.com>.
Matus UHLAR - fantomas wrote:
>
> I have just checked, both do:
>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
> Firefox/60.0 SeaMonkey/2.53.8
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
> Thunderbird/78.11.0
>
Thank you, Matus. I have been using SeaMonkey for a few months now.
It never sent any User-Agent header until Monday. Very Strange. "Looks
like I picked the wrong week to quit sniffing glue".
-- Jared Hall
Re: FORGED_MUA_MOZILLA for horde-submitted mail
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas wrote:
>>Message-ID: <20...@example.net>
>>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
>> (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
>>
>>
>>meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID &&
>>!__MOZILLA_MSGID)
>>header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i
>>header __MOZILLA_MSGID MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
>>meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER ||
>>__GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION ||
>>__IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID ||
>>__SYMPATICO_MSGID && __GROUPSIO_GATED)
On 13.07.21 13:12, Jared Hall wrote:
>This IS a forged Mozilla MUA header. The User-Agent field in your
>"Email" is from a Web Browser, not a Mail User-Agent.
it is from Mozilla or compatible - apparently the User-Agent: HTTP header sent
by the browser ended up unmodified in the mail.
>If Horde wants to retain Web Browser headers, they can do so and wrap
>them up in a References Email header.
apparently not References, that's supposed to contain referenced message-ids.
perhaps you meant another header?
X-Mailer?
>Doesn't sound like Horde. Maybe more like a misconfiguration issue?
that's possible - I have filed a ticket.
>The only Mozilla MUA I know of is Thunderbird, and I regex on that
>personally. The spin-off SeaMonkey doesn't set a User-Agent field.
I have just checked, both do:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0 SeaMonkey/2.53.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
(note that the one in OP is not from my client)
>It's not a Mozilla MSGID.
>
>Only question I'd have is on MSGID.
the message-id was generated by Horde, but Horde didn't generate the User-Agent.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: FORGED_MUA_MOZILLA for horde-submitted mail
Posted by Jared Hall <ja...@jaredsec.com>.
Matus UHLAR - fantomas wrote:
>
> Message-ID: <20...@example.net>
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
>
>
> meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID &&
> !__MOZILLA_MSGID)
> header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i
> header __MOZILLA_MSGID MESSAGEID =~
> /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
> meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER ||
> __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION ||
> __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID ||
> __SYMPATICO_MSGID && __GROUPSIO_GATED)
This IS a forged Mozilla MUA header. The User-Agent field in your
"Email" is from a Web Browser, not a Mail User-Agent.
If Horde wants to retain Web Browser headers, they can do so and wrap
them up in a References Email header.
Doesn't sound like Horde. Maybe more like a misconfiguration issue?
The only Mozilla MUA I know of is Thunderbird, and I regex on that
personally. The spin-off SeaMonkey doesn't set a User-Agent field.
It's not a Mozilla MSGID.
Only question I'd have is on MSGID.
$0.02,
-- Jared Hall