[Users] Rewrite URLs in message obfuscated by Outlook's safelinks stuff

Milan Obuch claws-mail-users at dino.sk
Tue Mar 19 07:03:00 UTC 2024

On Mon, 18 Mar 2024 17:41:02 -0400
George Avrunin <avrunin at comcast.net> wrote:

> I was a long-time user of claws-mail until a couple of years ago when
> my university forced us to use their mail service rather than our
> department servers.  The campus mail service runs Outlook, though
> faculty can choose to receive mail through GMail, which I did.
> However, the campus and Google require OAUTH2 and blocked our
> university Google Workspace accounts from setting up claws-mail as a
> project, so I couldn't use claws with my university email account. I
> therefore switched to using Thunderbird, which is officially
> unsupported but works with both my university email and my personal
> accounts and, unlike the GMail web interface, allows me to move
> messages between accounts.
> I am now fully retired and don't receive emails with student
> information.  So I am planning to forward my university GMail account
> to a personal account and return to using claws-mail for everything
> except sending from my university account.   Then, within claws, I can
> move emails to the appropriate folders on the dovecot server on my
> home machine and deal with them as I would like (and not store them in
> GMail). While I am doing this, however, I would like to address
> another problem with the university email.


I'd like to ask some more details about your intended setup. First,
where is your personal account served? Your mail is sent from
comcast.net domain, no clue for me here. Also, how should messages get
forwarded from GMail account to your personal account, protocol-wise,
and next, how should they be transferred to your home machine?
Dovecot is just IMAP/POP3 server, probably something else is planned
for message transfer here.

My preference for any mail message modification is running some script
as part of mail delivery process, if you have some possibility to do
so. I'd expect your home machine is under your complete control, so you
should be able to do it here. Lacking details, no better suggestion
can be made at the moment.

> They use Outlook's safelinks service, which rewrites email messages to
> send all URLs in messages through
> nam10.safelinks.protection.outlook.com.  (They claim this is for
> security, but it also lets Microsoft monitor all the links you click
> on...).  So, for example, the URL
> https://ncses.nsf.gov/indicators?utm_medium=email&utm_source=govdelivery
> which appeared in a recent message from the US National Science
> Foundation, shows in my email as 
> https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fncses.nsf.gov%2Findicators%3Futm_medium%3Demail%26utm_source%3Dgovdelivery&data=05%7C02%7Cavrunin%40cns.umass.edu%7Ce6c6579bb4e04efbe41308dc4421f492%7C7bd08b0b33954dc194bbd0b2e56a497f%7C0%7C0%7C638460160763273466%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=eZXjISDka%2Fiqee09LbeG%2B%2BCDHsaIFVO1UHE4DDfOl1w%3D&reserved=0
> This is unpleasant and hard to translate mentally to the real URL in
> order to decide whether to click on it or not (which probably makes it
> less secure, but the box-checkers in the campus IT security office
> don't see it that way).   The changes Outlook makes are in the actual
> message source (in text and html parts).
> I would like to rewrite these obfuscated URLs back to their original
> form but I'm not sure of the best way to do this.   I have found a
> number of different python scripts, for example (e.g.,
> https://pypi.org/project/antisafelinks/,
> https://github.com/infosecB/normalize-atp-safelink/blob/master/normalize_atpsafelink.py,
> https://stackoverflow.com/questions/46504003/decoding-microsoft-safelink-url-in-python,
> though I haven't read any of the code carefully) that can do this in
> some fashion. Can these, or some modification of one of them, be used
> with the python plugin for claws? Or is there a better way to get the
> URLs rewritten? Send the messages through something like
> procmail/formail? 

First, see above - my gut feeling is I would do it as part of mail
message delivery process. If that's not possible and modifying message
in mail user agent (Claws Mail in your case) is your only option, it's
possible. At the moment I have no complete solution for you, only a
note there is att_remover plugin. I think the way it removes
attachments is simply complete message rewrite. There is nothing on the
topic on Claws Mail's web page, and I do not use this plugin, so no
experience with it.

> If the python plugin can be used, can someone  point me to some
> examples of using it to modify mail messages (as opposed to modifying
> compose buffers, for instance).  I haven't done much programming in
> recent years and have never done anything serious in python, so lots
> of detail about any suggestion (python or not) would help me.

Python plugin allows you to get filename for a message, in theory you
could use that info to modify the file any way you like. There is a
problem, however, if you use IMAP for accessing mailbox, filename is
just for local cache of your message, and any modification done here is
probably not transferred to server. My quick tests seem to confirm this.

> If it matters, I'm currently running claws-mail 4.2.0 on Fedora 39.  

Are you able to build Claws Mail from sources yourself? If yes, then I
see a possibility to use some patch to modify Claws Mail's behaviour
any way you like if everything else fails...

One comment/question to H. Merijn Brand's response - how is
rm_disclaim.pl script being used? When does it run? Is it an action
script for Claws Mail or something else?
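
Added example, not part of the original post or of the scripts it links to: a minimal Python filter for the delivery-time approach discussed above, which decodes each MIME text part, restores the address carried in the wrapper's `url` parameter, and re-encodes the part. The function names and `SAMPLE_WRAPPED` are constructed for illustration, and it assumes the wrapper format shown in the quoted example link.

```python
import html
import re
import sys
from email import message_from_bytes, policy
from urllib.parse import parse_qs, urlsplit

# Host suffix as seen in the wrapped link quoted in the thread.
SUFFIX = ".safelinks.protection.outlook.com"
WRAPPED = re.compile(
    r"https://[a-z0-9-]+\.safelinks\.protection\.outlook\.com/[^\s\"'<>]*", re.I)
# Constructed sample: target URL from the thread, placeholder data/sdata values.
SAMPLE_WRAPPED = ("https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2F"
                  "ncses.nsf.gov%2Findicators%3Futm_medium%3Demail%26utm_source%3D"
                  "govdelivery&data=05%7C02%7Cconstructed&sdata=constructed%3D&reserved=0")

def unwrap(url):
    """Return the original URL from a Safe Links wrapper, else url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not (parts.hostname or "").endswith(SUFFIX):
        return url
    target = parse_qs(parts.query).get("url", [""])[0]  # parse_qs percent-decodes
    # Restore only http(s) targets; anything else stays wrapped.
    return target if urlsplit(target).scheme in ("http", "https") else url

def rewrite_text(text, is_html=False):
    def repl(m):
        raw = m.group(0)
        core = raw.rstrip(".,)")  # sentence punctuation glued to the link
        tail = raw[len(core):]
        if is_html:  # HTML source carries the separators as &amp;
            return html.escape(unwrap(html.unescape(core))) + tail
        return unwrap(core) + tail
    return WRAPPED.sub(repl, text)

def rewrite_message(raw):
    """Rewrite inline text/plain and text/html parts of one RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html") or part.is_attachment():
            continue
        body = part.get_content()  # undoes quoted-printable/base64 first
        new = rewrite_text(body, is_html=(ctype == "text/html"))
        if new != body:
            part.set_content(new, subtype=part.get_content_subtype())
    return msg.as_bytes()

if __name__ == "__main__":  # delivery-time filter: message on stdin, result on stdout
    sys.stdout.buffer.write(rewrite_message(sys.stdin.buffer.read()))
```

Rewriting a body part changes the bytes covered by a DKIM body hash or an S/MIME/PGP signature, so signature checks on the rewritten copy will no longer verify.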

