> On Thu, 20 Apr 2017, Lyle Evans wrote:
>
>> At 01:00 PM 4/20/2017, John Hardin wrote:
>>> On Thu, 20 Apr 2017, Merijn van den Kroonenberg wrote:
>>>
>>> > > On Thu, 20 Apr 2017 10:41:21 -0400
>>> > > Lyle Evans wrote:
>>> > >
>>> > > > I have been getting false positives from Yahoo due to
>>> > > > FORGED_MUA_MOZILLA hitting on a new X-Mailer line added by Yahoo
>>> > > > about 3/31/17
>>> > > >
>>> > > > The X-Mailer line reads:
>>> > > >
>>> > > > X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT
>>> > > > 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
>>> > > > Chrome/56.0.2924.87 Safari/537.36
>>> > > /DCE\)/
>>> > >
>>> > > My guess is that they are including the http user-agent header of the
>>> > > browser that connected to their webmail server.
>>> >
>>> > Correct, I also noticed this a few days ago. Maybe the rule could be
>>> > changed to exclude yahoo...but maybe other webmail applications do this
>>> > too, not sure.
>>>
>>> Excluding when verified from Yahoo would be the proper approach.
>>
>> I added && !__FROM_YAHOO_COM (from 20_headers.cf) to FORGED_MUA_MOZILLA
>> giving
>>
>> FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID &&
>> !__MOZILLA_MSGID && !__FROM_YAHOO_COM )
>>
>> I am testing that now,
>> any comments or suggestions for improvement are welcome.
>
> My concern would be how easy it might be to spoof __FROM_YAHOO_COM (which
> I'm not at the moment going to evaluate...) If it's a basic "From header
> includes 'yahoo.com'" rule (which is what the name suggests), you might
> want to create a meta of __FROM_YAHOO_COM && (__SPF_PASS || __DKIM_PASS)
> (rule names from memory, that's only to suggest the approach) and then use
> that instead of the bare __FROM_YAHOO_COM.
>
I think in this case the ability to spoof/bypass the FORGED_MUA_MOZILLA is not a huge issue. Yahoo does DKIM sign the mail:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1492004654;
	bh=u/RrXL8wELnsl6uuALJnwAC/TQxfVkCBCHQc7pZDY/A=;
	h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject;
	b=P5zjzMsC0OoZ7c<snip>

But to make it waterproof we would need to verify if the mail was DKIM signed for d=yahoo.com (and not for a spammer controlled domain). Is it possible to do this somehow?

I assume checking for DKIM_VALID_AU is not good enough if users can use a different mail identity in Yahoo (I don't know if it's possible). SPF_PASS would work, but you would need to check if the EnvelopeFrom is from yahoo.com.

But I think Lyle's rule is already better than nothing and might be good enough, even if it can be spoofed.
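The rule logic discussed in the thread, as an added Python model (not SpamAssassin's code and not from any of the posters): it contrasts Lyle's bare !__FROM_YAHOO_COM exemption with the verified variant John suggested, using an author-aligned DKIM d= check as a stand-in for a signature the DKIM plugin has already verified, which is the "signed for d=yahoo.com, not some other domain" condition asked about. The sub-rule regexes are approximations and the three sample messages are constructed (modelled on the Yahoo headers quoted above).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Rough stand-ins for the SpamAssassin sub-rules named in the thread (assumption:
# the real 20_headers.cf patterns differ in detail; __UNUSABLE_MSGID is omitted).
MOZILLA_MUA = re.compile(r"Mozilla/\d\.\d \(")                      # ~ __MOZILLA_MUA
MOZILLA_MSGID = re.compile(r"^<[0-9A-F]{8}\.[0-9A-F]{7}@[^>]+>$")  # ~ __MOZILLA_MSGID
DKIM_DOMAIN = re.compile(r"(?:^|;)\s*d=([^;\s]+)")                  # d= tag of DKIM-Signature

def from_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def mozilla_mua(msg):
    return bool(MOZILLA_MUA.search(msg.get("X-Mailer", "") + " " + msg.get("User-Agent", "")))

def mozilla_msgid(msg):
    return bool(MOZILLA_MSGID.match(msg.get("Message-ID", "").strip()))

def dkim_author_aligned(msg):
    """Alignment half of DKIM_VALID_AU: some signature's d= equals the From domain.
    Assumes the DKIM plugin has already verified that signature cryptographically."""
    return any(m and m.group(1).lower() == from_domain(msg)
               for m in map(DKIM_DOMAIN.search, msg.get_all("DKIM-Signature", [])))

def forged_mua_mozilla(msg, verify_yahoo=True):
    """verify_yahoo=False is Lyle's bare !__FROM_YAHOO_COM exemption;
    True additionally requires the author-aligned DKIM signature John suggested."""
    if not (mozilla_mua(msg) and not mozilla_msgid(msg)):
        return False
    exempt = from_domain(msg) == "yahoo.com"
    if verify_yahoo:
        exempt = exempt and dkim_author_aligned(msg)
    return not exempt

def build(from_hdr, dkim_d):
    """Constructed sample headers modelled on the Yahoo message quoted in the thread."""
    return message_from_string(
        f"From: {from_hdr}\n"
        "Message-ID: <123456789.987654.1492004654000@mail.yahoo.com>\n"
        "X-Mailer: WebService/1.1.9272 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; "
        "WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={dkim_d}; s=s2048;\n"
        "\th=Date:From:Subject; bh=<snip>; b=<snip>\n\n")

YAHOO_WEBMAIL = build("Alice <alice@yahoo.com>", "yahoo.com")  # genuine: exempt either way
MISALIGNED = build("Alice <alice@yahoo.com>", "example.net")   # From says yahoo, signer does not
OTHER_SENDER = build("Bob <bob@example.org>", "example.org")   # no exemption applies

if __name__ == "__main__":
    for name, m in [("yahoo", YAHOO_WEBMAIL), ("misaligned", MISALIGNED), ("other", OTHER_SENDER)]:
        print(name, "lyle:", forged_mua_mozilla(m, False), "hardened:", forged_mua_mozilla(m))
```

The misaligned sample is the case Lyle's version lets through and the verified version still scores.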