Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-04 Thread RW
On Wed, 3 Oct 2018 12:31:32 -0400
Rob McEwen wrote:


> I really don't think I've done anything unusual with my setup of 
> Thunderbird. Does anyone have other suggestions? Is there anything I
> can do with my Thunderbird settings to mitigate this?

My guess is that your client hasn't updated the rules in the 16
months since __MOZILLA_MSGID was updated for the new format, or has an
old version of SA that no longer gets rule updates.


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-03 Thread Rob McEwen
The thread has gone somewhat off-topic, which is partly my own fault. 
The issue with URIBL misusage is a "side note", NOT the main purpose of 
this thread. (again, that is partly my fault since I mentioned that to 
begin with). Also, I want to make sure that everyone knows that it was 
my client (NOT ME!) that was using URIBL incorrectly. I'll educate my 
client to hopefully fix that problem soon.


NOW... BACK ON THE MAIN TOPIC:

On 10/2/2018 1:52 PM, Matus UHLAR - fantomas wrote:



Message-ID: <39397904-9830-5010-a3d2-a62af8326...@invaluement.com>


this does seem to match:
MESSAGEID =~ 
/^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m


8h-4h-4h-4h-12h@

hmmm we need to look at

(__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER ||
__WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER ||
__HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)



I really don't think I've done anything unusual with my setup of 
Thunderbird. Does anyone have other suggestions? Is there anything I can 
do with my Thunderbird settings to mitigate this?


Thanks!

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Dave Warren

> On Oct 2, 2018, at 13:49, Bill Cole  
> wrote:
> 
> On 2 Oct 2018, at 13:39, Matus UHLAR - fantomas wrote:
> 
>>> On 2 Oct 2018, at 9:36, Rob McEwen wrote:
>>>> SIDE NOTE: I don't think there was any domain in my message that was 
>>>> blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that 
>>>> only scored 0.001, so that was innocuous. I suspect that that rule is 
>>>> malfunctioning on their end, and then they changed the score to .001 - so 
>>>> just please ignore that for the purpose of this discussion.
>> 
>> On 02.10.18 11:48, Bill Cole wrote:
>>> No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
>>> supposed to be a message to a mail admin that they are using URIBL wrong
>> 
>>> A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
>>> filtering system that gets them chronically is mismanaged.
>> 
>> Nonsense. There is no such implication here. While URIBL_BLOCKED may and
>> most of the time apparently does mean that system uses DNS server shared
>> with too many clients, any system that receives and checks too much mail may
>> get URIBL_BLOCKED just because they have crossed the limit, without using it
>> wrong or being broken.
> 
> Operating a system in a manner which chronically crosses that limit is 
> abusive.
> 
> The DNS reply that results in URIBL_BLOCKED is not "free" for the URIBL 
> operators and depending on their software may be as expensive as sending a 
> real reply. It has the advantage over simply dropping abusive queries that it 
> does not impose timeout delays on abusive queriers and sends a clear signal 
> that can and should be acted upon.


The DNSBL operator can also choose to use a frontend firewall/router/etc system 
to redirect the queries to a dedicated server which can reduce the packets per 
second rate that the authoritative DNS servers need to cope with.

Abusive queries can almost definitely be handled much faster by a 
small/dedicated server that does nothing but return one single wildcarded 
response, reducing the impact that abusive users can have on the primary 
infrastructure.




Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Bill Cole

On 2 Oct 2018, at 13:39, Matus UHLAR - fantomas wrote:


On 2 Oct 2018, at 9:36, Rob McEwen wrote:
SIDE NOTE: I don't think there was any domain in my message that was 
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
that only scored 0.001, so that was innocuous. I suspect that that 
rule is malfunctioning on their end, and then they changed the score 
to .001 - so just please ignore that for the purpose of this 
discussion.


On 02.10.18 11:48, Bill Cole wrote:
No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
supposed to be a message to a mail admin that they are using URIBL 
wrong


A mail filtering system that gets URIBL_BLOCKED hits is broken. A 
mail filtering system that gets them chronically is mismanaged.


Nonsense. There is no such implication here. While URIBL_BLOCKED may and
most of the time apparently does mean that system uses DNS server shared
with too many clients, any system that receives and checks too much mail may
get URIBL_BLOCKED just because they have crossed the limit, without using it
wrong or being broken.


Operating a system in a manner which chronically crosses that limit is 
abusive.


The DNS reply that results in URIBL_BLOCKED is not "free" for the URIBL 
operators and depending on their software may be as expensive as sending 
a real reply. It has the advantage over simply dropping abusive queries 
that it does not impose timeout delays on abusive queriers and sends a 
clear signal that can and should be acted upon.


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread John Hardin

On Tue, 2 Oct 2018, Matus UHLAR - fantomas wrote:


On 2 Oct 2018, at 9:36, Rob McEwen wrote:
SIDE NOTE: I don't think there was any domain in my message that was 
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that 
only scored 0.001, so that was innocuous. I suspect that that rule is 
malfunctioning on their end, and then they changed the score to .001 - so 
just please ignore that for the purpose of this discussion.


On 02.10.18 11:48, Bill Cole wrote:
No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
supposed to be a message to a mail admin that they are using URIBL wrong 


A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
filtering system that gets them chronically is mismanaged.


Nonsense. There is no such implication here. While URIBL_BLOCKED may and
most of the time apparently does mean that system uses DNS server shared
with too many clients, any system that receives and checks too much mail may
get URIBL_BLOCKED just because they have crossed the limit, without using it
wrong or being broken.


And just to actually provide useful information to the OP:

Tell them that they need to set up a local, recursive, 
***NON-FORWARDING*** DNS server for the use of SA (and likely their MTA).


Searching for URIBL_BLOCKED in the mailing list archives will cover it in 
*excruciating* detail. It's a VFAQ.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 551 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Matus UHLAR - fantomas

On 10/2/2018 9:59 AM, Matus UHLAR - fantomas wrote:

can you post the headers?
or at least the Message-Id?


On 02.10.18 11:07, Rob McEwen wrote:
Here is the message as THEIR system saw it (with my client's info 
masked)  - but it looks like their Kerio (or the customer's email 
client?) might not be storing everything as it was originally sent? 


it's possible. It _could_ cause the problem. 


...but this is what my client sent me, fwiw:


Received: from mail.powerviewmail.com 
([204.9.77.40])

by with ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for ;
Mon, 1 Oct 2018 15:17:10 +0200
DKIM-Signature: a=rsa-sha256; t=1538399816; x=1539004616; 
s=ivm_invaluement; d=invaluement.com ; 
c=relaxed/relaxed; v=1; 
bh=C6QzEUsPRf8EoiIEIhSF1hnXxy9JIlmjGFO/079v4QQ=; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:In-Reply-To:References;

b=V5Sv2lZUWL4P29pcEVY6r/8uFRcuNL1hR794r6M1TJZcvw+i4vTgrvWf+CKSN/F1f2FS/0CdF4UCux+dS/vFjj3X9fdmwv9jpizZqwvJseyCYEmT2HItdeqo0NfNIoQwziEPDMgYS3f35iWlcb7wqrPjfx5EslHr+oC0eoeGBaA=
Received: from [204.9.77.40] ([204.9.77.40])
        by mail.powerviewmail.com 
(IceWarp 12.0.2.1 x64) with ASMTP id 
201810010916565985

        for ; Mon, 01 Oct 2018 09:16:


No message-id here, but also no X-Spam headers.

Here is an excerpt from the headers, copied from the message in my 
Thunderbird "sent" folder:


unwrapped:


Message-ID: <39397904-9830-5010-a3d2-a62af8326...@invaluement.com>


this does seem to match:
MESSAGEID =~ 
/^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m

8h-4h-4h-4h-12h@

hmmm we need to look at

(__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER ||
__WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER ||
__HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen
Bill,

Even though this part wasn't the main purpose of the thread, that is still very 
helpful information. I will pass that along to my client so that they can 
hopefully fix their configuration problem with regards to their usage of URIBL.

Thanks!

Rob McEwen


Sent from my Verizon Motorola Droid
On Oct 2, 2018 11:48 AM, Bill Cole  
wrote:
>
> On 2 Oct 2018, at 9:36, Rob McEwen wrote: 
>
> > SIDE NOTE: I don't think there was any domain in my message that was 
> > blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
> > that only scored 0.001, so that was innocuous. I suspect that that 
> > rule is malfunctioning on their end, and then they changed the score 
> > to .001 - so just please ignore that for the purpose of this 
> > discussion. 
>
> No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
> supposed to be a message to a mail admin that they are using URIBL wrong 
> and will never get a useful answer without either (1) paying for a feed 
> to support their usage volume or (2) using their own recursive resolver 
> instead of forwarding queries to the likes of Google, OpenDNS, & 
> CloudFlare. 
>
> A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
> filtering system that gets them chronically is mismanaged. 


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Bill Cole

On 2 Oct 2018, at 9:36, Rob McEwen wrote:

SIDE NOTE: I don't think there was any domain in my message that was 
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
that only scored 0.001, so that was innocuous. I suspect that that 
rule is malfunctioning on their end, and then they changed the score 
to .001 - so just please ignore that for the purpose of this 
discussion.


No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
supposed to be a message to a mail admin that they are using URIBL wrong 
and will never get a useful answer without either (1) paying for a feed 
to support their usage volume or (2) using their own recursive resolver 
instead of forwarding queries to the likes of Google, OpenDNS, & 
CloudFlare.


A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
filtering system that gets them chronically is mismanaged.


Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen

On 10/2/2018 9:59 AM, Matus UHLAR - fantomas wrote:

can you post the headers?
or at least the Message-Id?



Matus... first, THANKS for your help with this!

Here is the message as THEIR system saw it (with my client's info 
masked)  - but it looks like their Kerio (or the customer's email 
client?) might not be storing everything as it was originally sent? 
...but this is what my client sent me, fwiw:



Received: from mail.powerviewmail.com 
([204.9.77.40])

by with ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for ;
Mon, 1 Oct 2018 15:17:10 +0200
DKIM-Signature: a=rsa-sha256; t=1538399816; x=1539004616; 
s=ivm_invaluement; d=invaluement.com ; 
c=relaxed/relaxed; v=1; bh=C6QzEUsPRf8EoiIEIhSF1hnXxy9JIlmjGFO/079v4QQ=; 
h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:In-Reply-To:References;

b=V5Sv2lZUWL4P29pcEVY6r/8uFRcuNL1hR794r6M1TJZcvw+i4vTgrvWf+CKSN/F1f2FS/0CdF4UCux+dS/vFjj3X9fdmwv9jpizZqwvJseyCYEmT2HItdeqo0NfNIoQwziEPDMgYS3f35iWlcb7wqrPjfx5EslHr+oC0eoeGBaA=
Received: from [204.9.77.40] ([204.9.77.40])
        by mail.powerviewmail.com 
(IceWarp 12.0.2.1 x64) with ASMTP id 
201810010916565985

        for ; Mon, 01 Oct 2018 09:16:


Here is an excerpt from the headers, copied from the message in my 
Thunderbird "sent" folder:



References: <55521fa7.8080...@invaluement.com>
 <7c8ad385-8b3d-74d9-7d34-ca2ca9236...@invaluement.com>
 
 <1b8ad5ec-18b7-90db-5cad-d86ffa5aa...@invaluement.com>
Message-ID: <39397904-9830-5010-a3d2-a62af8326...@invaluement.com>
Disposition-Notification-To: Rob McEwen 
Date: Mon, 1 Oct 2018 09:16:55 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <1b8ad5ec-18b7-90db-5cad-d86ffa5aa...@invaluement.com>
Content-Type: multipart/mixed; boundary="54AEB3A413950E8E0A41E1A8"
Content-Language: en-US




The time difference makes sense because their time zone is 6 hours ahead of 
mine.


--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Matus UHLAR - fantomas

On 02.10.18 09:36, Rob McEwen wrote:
A client of mine wasn't getting my own hand-typed messages. 
Unfortunately, they had their SA set to block on a score of 3 (which 
is aggressive), and this particular rule hit plus a tiny bit of other 
things put it above 3. But what is weird - is that it was hitting on 
hand-typed messages from me - that I sent directly from my 
latest-version of Thunderbird. So this was NOT "forged" at all! (Also, 
I suspect that the bayes hit was due to previous such messages from me 
getting blocked and feeding his bayes?)


Any suggestions? Could my client be using a very old version of SA - 
where this is fixed already? (they are using SA from Kerio).


Here are the headers:

X-Kerio-Anti-Spam:  Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: 
[Enabled, t: (0.12,0.017258)], BW: [Enabled, t: (0.13)], RTDA: 
[Enabled, t: (0.052863), Hit: No, Details: v2.7.15; Id: 
15.1i65djr.1conscun2.ocr1k], total: 0(700)

X-Spam-Status: Yes, hits=3.8 required=3.0
tests=KERIO_ANTI_SPAM: -0.000, AWL: -0.000, BAYES_50: 1.567,
FORGED_MUA_MOZILLA: 2.309, HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001,
TOTAL_SCORE: 3.878,autolearn=no

Suggestions?


can you post the headers?
or at least the Message-Id?

meta    FORGED_MUA_MOZILLA  (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
header  __MOZILLA_MUA   User-Agent =~ /^mozilla\b/i
header  __MOZILLA_MSGID MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
meta    __UNUSABLE_MSGID    (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)
header  __HOTMAIL_BAYDAV_MSGID  MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header  __IPLANET_MESSAGING_SERVER  Received =~ /iPlanet Messaging Server/
header  __LYRIS_EZLM_REMAILER   List-Unsubscribe =~ /$/
header  __SYMPATICO_MSGID   MESSAGEID =~ /^$/m
header  __WACKY_SENDMAIL_VERSION    Received =~ /\/CWT\/DCE\)/


SIDE NOTE: I don't think there was any domain in my message that was 
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
that only scored 0.001, so that was innocuous. I suspect that that 
rule is malfunctioning on their end, and then they changed the score 
to .001 - so just please ignore that for the purpose of this 
discussion.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
The only substitute for good manners is fast reflexes. 
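To see how the meta rule Matus quoted above interacts with RW's point about the __MOZILLA_MSGID update, here is an added Python re-implementation of FORGED_MUA_MOZILLA written for this page (example code, not SpamAssassin's own). It assumes the pre-update __MOZILLA_MSGID pattern was only the 8hex.hex alternative, leaves out the two __UNUSABLE_MSGID sub-patterns the archive stripped, and uses a constructed Message-ID in place of the truncated real one.

```python
import re
from email import message_from_string
from email.message import Message

# Patterns copied from the rule dump in the thread (Perl /i and /m mapped to re.I / re.M).
MOZILLA_MUA = re.compile(r"^mozilla\b", re.I)
# Current __MOZILLA_MSGID: UUID-style 8-4-4-4-12 lowercase hex, or the older 8hex.hex form.
MOZILLA_MSGID_CURRENT = re.compile(
    r"^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}"
    r"|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$", re.M)
# Assumption (not stated in the thread): the pre-update rule knew only the 8hex.hex form.
MOZILLA_MSGID_OLD = re.compile(r"^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$", re.M)
# __UNUSABLE_MSGID sub-rules whose patterns survived intact in the thread; the Lyris and
# Sympatico patterns were stripped by the archive and are left out here.
HOTMAIL_BAYDAV_MSGID = re.compile(
    r"^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$", re.M)
IPLANET_MESSAGING_SERVER = re.compile(r"iPlanet Messaging Server")
WACKY_SENDMAIL_VERSION = re.compile(r"/CWT/DCE\)")


def forged_mua_mozilla(msg: Message, msgid_re=MOZILLA_MSGID_CURRENT) -> bool:
    """FORGED_MUA_MOZILLA = __MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID."""
    ua = msg.get("User-Agent", "")
    msgid = msg.get("Message-ID", "")
    received = "\n".join(msg.get_all("Received", []))  # SA checks every Received line
    mozilla_mua = bool(MOZILLA_MUA.search(ua))
    unusable_msgid = bool(HOTMAIL_BAYDAV_MSGID.search(msgid)
                          or IPLANET_MESSAGING_SERVER.search(received)
                          or WACKY_SENDMAIL_VERSION.search(received))
    mozilla_msgid = bool(msgid_re.search(msgid))
    return mozilla_mua and not unusable_msgid and not mozilla_msgid


def hits_for(raw_headers: str) -> dict:
    """Verdict under the current regex and under the assumed pre-update regex."""
    msg = message_from_string(raw_headers)
    return {"current_rules": forged_mua_mozilla(msg),
            "old_rules": forged_mua_mozilla(msg, MOZILLA_MSGID_OLD)}


# Constructed sample: the thread's User-Agent line with a made-up Message-ID of the
# same UUID-style shape (the real one is truncated in the archive) and a dummy Received.
THUNDERBIRD_52 = (
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 "
    "Thunderbird/52.9.1\n"
    "Message-ID: <11112222-3333-4444-5555-666677778888@example.test>\n"
    "Received: from [192.0.2.10] by mail.example.test with ESMTP; "
    "Mon, 1 Oct 2018 09:16:55 -0400\n\n")

if __name__ == "__main__":
    # Current rules: no hit. Old rules: hit, which is the FP the thread is about.
    print(hits_for(THUNDERBIRD_52))  # {'current_rules': False, 'old_rules': True}
```

Running the same headers through both patterns shows the FP appears only with the pre-update regex, which is why a client on stale rules (or a Kerio build that no longer receives sa-update) would still score a current Thunderbird message as FORGED_MUA_MOZILLA.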


FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

2018-10-02 Thread Rob McEwen
A client of mine wasn't getting my own hand-typed messages. 
Unfortunately, they had their SA set to block on a score of 3 (which is 
aggressive), and this particular rule hit plus a tiny bit of other 
things put it above 3. But what is weird - is that it was hitting on 
hand-typed messages from me - that I sent directly from my 
latest-version of Thunderbird. So this was NOT "forged" at all! (Also, I 
suspect that the bayes hit was due to previous such messages from me 
getting blocked and feeding his bayes?)


Any suggestions? Could my client be using a very old version of SA - 
where this is fixed already? (they are using SA from Kerio).


Here are the headers:

X-Kerio-Anti-Spam:  Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: 
[Enabled, t: (0.12,0.017258)], BW: [Enabled, t: (0.13)], RTDA: 
[Enabled, t: (0.052863), Hit: No, Details: v2.7.15; Id: 
15.1i65djr.1conscun2.ocr1k], total: 0(700)

X-Spam-Status: Yes, hits=3.8 required=3.0
tests=KERIO_ANTI_SPAM: -0.000, AWL: -0.000, BAYES_50: 1.567,
FORGED_MUA_MOZILLA: 2.309, HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001,
TOTAL_SCORE: 3.878,autolearn=no

Suggestions?

SIDE NOTE: I don't think there was any domain in my message that was 
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that 
only scored 0.001, so that was innocuous. I suspect that that rule is 
malfunctioning on their end, and then they changed the score to .001 - 
so just please ignore that for the purpose of this discussion.


--
Rob McEwen
https://www.invaluement.com