There looks to be a false positive with the FORGED_MUA_MOZILLA rule when
sending from Yahoo as shown by the following example:
~~~
Message-ID: <831172902.119665.1490778597...@mail.yahoo.com>
X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 6.3;
Win64; x64) AppleWebKit/537.36 (KHTML,
~~~
After reading your reply, I re-examined the message and found the case was
an incorrect Content-Type:
~~~
Content-Type: text/plain; charset=windows-1250;
name="pdfname.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="pdfname.pdf"
~~~
So it was scanning the base64
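
An added example (not part of the original thread, and not SpamAssassin code): a Python check that flags MIME parts declared as text/* whose decoded payload or filename indicates a non-text file, run over a constructed message that carries the Content-Type headers quoted above. The function names, the magic-byte table and the sample message are assumptions made for illustration.

```python
import base64
import mimetypes
from email import message_from_bytes, policy

# Leading bytes of common non-text attachments (illustrative, not exhaustive).
MAGIC = {b"%PDF-": "application/pdf", b"PK\x03\x04": "application/zip"}


def build_sample() -> bytes:
    """Constructed message: a PDF part labelled text/plain, as in the headers above."""
    pdf = base64.b64encode(b"%PDF-1.4\n% constructed sample\n").decode("ascii")
    lines = [
        "From: sender@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "See attached.",
        "--b1",
        "Content-Type: text/plain; charset=windows-1250;",
        ' name="pdfname.pdf"',
        "Content-Transfer-Encoding: base64",
        "Content-Disposition: attachment;",
        ' filename="pdfname.pdf"',
        "",
        pdf,
        "--b1--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def mislabelled_text_parts(raw: bytes):
    """Return (filename, declared_type, reason) for text/* parts that are not text."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_maintype() != "text":
            continue
        name = part.get_filename()  # falls back to the Content-Type name= parameter
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        sniffed = next((t for m, t in MAGIC.items() if payload.startswith(m)), None)
        guessed = mimetypes.guess_type(name)[0] if name else None
        if sniffed:
            findings.append((name, part.get_content_type(), f"magic bytes say {sniffed}"))
        elif guessed and not guessed.startswith("text/"):
            findings.append((name, part.get_content_type(), f"extension says {guessed}"))
    return findings
```
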