
FORGED_MUA_MOZILLA for horde-submitted mail
Hello,

I received a mail that hit FORGED_MUA_MOZILLA when in fact mail was
submitted via horde webmail:

Received: from 1.example.net (unknown [192.168.100.114])
(Authenticated sender: redacted)
by 2.example.net (Postfix) with ESMTPA id 77F972DB78F
for <xxx@example.com>; Mon, 12 Jul 2021 14:23:04 +0200 (CEST)
Received: from qqq.sk
(qqq.sk [192.0.2.1]) by example.org (Horde
Framework) with HTTPS; Mon, 12 Jul 2021 14:23:03 +0200
Date: Mon, 12 Jul 2021 14:23:03 +0200
Message-ID: <20210712140000.Horde.zzzzzzzzzz@example.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36


meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i
header __MOZILLA_MSGID MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID && __GROUPSIO_GATED)


perhaps this should be expanded with a check for horde webmail?

it looks like we had the same problem a few years ago with icewarp webmail:

https://mail-archives.apache.org/mod_mbox/spamassassin-users/201810.mbox/<7c094ffa-a1ee-b844-10b7-eca766c21275%40invaluement.com>

(I have access to a few icewarp servers, I can check that somewhere)


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends?
Re: FORGED_MUA_MOZILLA for horde-submitted mail
Matus UHLAR - fantomas wrote:
>
> Message-ID: <20210712140000.Horde.zzzzzzzzzz@example.net>
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
>        (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
>
>
> meta    FORGED_MUA_MOZILLA    (__MOZILLA_MUA && !__UNUSABLE_MSGID &&
> !__MOZILLA_MSGID)
> header    __MOZILLA_MUA        User-Agent =~ /^mozilla\b/i
> header    __MOZILLA_MSGID        MESSAGEID =~
> /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
> meta    __UNUSABLE_MSGID    (__LYRIS_EZLM_REMAILER ||
> __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION ||
> __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID ||
> __SYMPATICO_MSGID && __GROUPSIO_GATED)

This IS a forged Mozilla MUA header.  The User-Agent field in your
"Email" is from a Web Browser, not a Mail User-Agent.

If Horde wants to retain Web Browser headers, they can do so and wrap
them up in a References Email header.
Doesn't sound like Horde.  Maybe more like a misconfiguration issue? 
The only Mozilla MUA I know of is Thunderbird, and I regex on that
personally.  The spin-off SeaMonkey doesn't set a User-Agent field.

It's not a Mozilla MSGID.

Only question I'd have is on MSGID.

$0.02,

-- Jared Hall
Re: FORGED_MUA_MOZILLA for horde-submitted mail
>Matus UHLAR - fantomas wrote:
>>Message-ID: <20210712140000.Horde.zzzzzzzzzz@example.net>
>>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
>>       (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
>>
>>
>>meta    FORGED_MUA_MOZILLA    (__MOZILLA_MUA && !__UNUSABLE_MSGID &&
>>!__MOZILLA_MSGID)
>>header    __MOZILLA_MUA        User-Agent =~ /^mozilla\b/i
>>header    __MOZILLA_MSGID        MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
>>meta    __UNUSABLE_MSGID    (__LYRIS_EZLM_REMAILER ||
>>__GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION ||
>>__IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID ||
>>__SYMPATICO_MSGID && __GROUPSIO_GATED)

On 13.07.21 13:12, Jared Hall wrote:
>This IS a forged Mozilla MUA header.  The User-Agent field in your
>"Email" is from a Web Browser, not a Mail User-Agent.

it is from Mozilla or compatible - apparently the User-Agent: HTTP header sent
by the browser ended up unmodified in the mail.

>If Horde wants to retain Web Browser headers, they can do so and wrap
>them up in a References Email header.

apparently not References, that's supposed to contain referenced message-ids.
perhaps you meant another header?
X-Mailer?

>Doesn't sound like Horde.  Maybe more like a misconfiguration issue?

that's possible - I have filed a ticket.

>The only Mozilla MUA I know of is Thunderbird, and I regex on that
>personally.  The spin-off SeaMonkey doesn't set a User-Agent field.

I have just checked, both do:

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0 SeaMonkey/2.53.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0

(note that the one in OP is not from my client)

>It's not a Mozilla MSGID.
>
>Only question I'd have is on MSGID.

message-id was generated by horde, but horde didn't generate the User-Agent.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
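As an added example (my own code, not SpamAssassin's and not from anyone in this thread), the following Python re-implements the FORGED_MUA_MOZILLA logic quoted in the first post and runs it over three constructed messages: the Horde-submitted one from the report (browser User-Agent, Horde Message-ID), a Thunderbird message using the User-Agent shown above with a constructed UUID-style Message-ID that satisfies __MOZILLA_MSGID, and a non-Mozilla client. Two things are assumptions: the __UNUSABLE_MSGID meta is reduced to a boolean parameter because its gateway-specific subrules are not on this page, and the `HORDE_MSGID` pattern plus the `exempt_horde` switch are a hypothetical sketch of the "check for horde webmail" the original poster asks about, not an existing rule.

```python
"""Added example: evaluate the FORGED_MUA_MOZILLA meta rule over constructed
messages.  The two __MOZILLA_* regexes are copied from the rules quoted in
the thread; everything else is this example's own assumption."""
import re
from email import message_from_string

# header __MOZILLA_MUA   User-Agent =~ /^mozilla\b/i
MOZILLA_MUA = re.compile(r"^mozilla\b", re.IGNORECASE)
# header __MOZILLA_MSGID MESSAGEID =~ /^<(?:uuid|hex8.hex1-8)\@\S+>$/m
MOZILLA_MSGID = re.compile(
    r"^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}"
    r"|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$",
    re.MULTILINE,
)
# Hypothetical local subrule (NOT in the thread's rules): a Horde-generated
# Message-ID, modelled on the "<...Horde....@host>" id shown in the report.
HORDE_MSGID = re.compile(r"^<[^@\s]+\.Horde\.[^@\s]+@\S+>$")


def unfold(value):
    """Join a folded header (continuation lines) into one line, as the
    scanner does before matching; missing header -> empty string."""
    return " ".join(value.split()) if value else ""


def evaluate(raw, unusable_msgid=False, exempt_horde=False):
    """Return the sub-rule hits and the FORGED_MUA_MOZILLA verdict.

    unusable_msgid stands in for the __UNUSABLE_MSGID meta (its subrules are
    not reproduced here).  exempt_horde enables the hypothetical Horde
    exemption; it is off by default so the stock logic is what you see."""
    msg = message_from_string(raw)
    ua = unfold(msg.get("User-Agent"))
    msgid = unfold(msg.get("Message-ID"))
    hits = {
        "__MOZILLA_MUA": bool(MOZILLA_MUA.search(ua)),
        "__MOZILLA_MSGID": bool(MOZILLA_MSGID.search(msgid)),
        "__UNUSABLE_MSGID": bool(unusable_msgid),
        "__HORDE_MSGID": bool(HORDE_MSGID.search(msgid)),
    }
    # meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
    forged = (hits["__MOZILLA_MUA"]
              and not hits["__UNUSABLE_MSGID"]
              and not hits["__MOZILLA_MSGID"])
    if exempt_horde and hits["__HORDE_MSGID"]:
        forged = False  # hypothetical: trust the webmail-generated id
    hits["FORGED_MUA_MOZILLA"] = forged
    return hits


# Constructed sample messages (headers only matter; bodies are filler).
HORDE_MSG = (
    "Message-ID: <20210712140000.Horde.zzzzzzzzzz@example.net>\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36\n"
    " (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\n"
    "\nbody\n"
)
# Thunderbird UA from the thread; the UUID-style Message-ID is constructed.
THUNDERBIRD_MSG = (
    "Message-ID: <a1b2c3d4-1234-5678-9abc-def012345678@example.net>\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101\n"
    " Thunderbird/78.11.0\n"
    "\nbody\n"
)
# Constructed non-Mozilla client: the rule must stay silent.
MUTT_MSG = (
    "Message-ID: <20210712140000.GA12345@example.net>\n"
    "User-Agent: Mutt/2.0.5 (2021-01-21)\n"
    "\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("horde", HORDE_MSG), ("thunderbird", THUNDERBIRD_MSG),
                      ("mutt", MUTT_MSG)):
        print(name, evaluate(raw))
    print("horde with hypothetical exemption",
          evaluate(HORDE_MSG, exempt_horde=True)["FORGED_MUA_MOZILLA"])
```

Running it reproduces the report: the Horde message hits because its User-Agent starts with "Mozilla" while its Message-ID matches neither Mozilla id shape, the Thunderbird message is cleared by __MOZILLA_MSGID, and the Mutt message never enters the meta at all. The exemption switch shows how narrow the fix has to be: it only suppresses the hit when the Message-ID really carries the webmail's own signature, so a browser string alone still counts as forged.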
Re: FORGED_MUA_MOZILLA for horde-submitted mail
Matus UHLAR - fantomas wrote:
>
> I have just checked, both do:
>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
>         Firefox/60.0 SeaMonkey/2.53.8
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
>         Thunderbird/78.11.0
>

Thank you, Matus.  I have been using SeaMonkey for a few months now.
It never sent any User-Agent header until Monday.  Very Strange.  "Looks
like I picked the wrong week to quit sniffing glue".

-- Jared Hall
Re: FORGED_MUA_MOZILLA for horde-submitted mail
>Matus UHLAR - fantomas wrote:
>>I have just checked, both do:
>>
>>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
>>       Firefox/60.0 SeaMonkey/2.53.8
>>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
>>       Thunderbird/78.11.0

On 17.07.21 01:08, Jared Hall wrote:
>Thank you, Matus.  I have been using SeaMonkey for a few months now.
>It never sent any User-Agent header until Monday.  Very Strange.
>"Looks like I picked the wrong week to quit sniffing glue".

np - in the meantime I found it was a hook on the horde server.
Probably a bad idea, but I'm not surprised someone tried to pass that info
into the message.

I expected mailers to put their info into X-Mailer: and I see more of them use
User-Agent...

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Silvester Stallone: Father of the RISC concept.