mleak - mail metadata osint :: Add-ons for Thunderbird
Not yet rated
0 user reviews
33 users
mleak - mail metadata osint
0.6.16
by Marco Lux
mleak is a Thunderbird extension for per-mail OSINT header and body analysis: MUA fingerprints, server stack, M365 tenant data, relay path, auth verdicts and integrity signals.
100 % offline. No network access, no telemetry, no external dependencies.
Version 0.6.16 Info
Last Updated: May 11, 2026
Released under Mozilla Public License, version 2.0
About this Add-on
WebExtension for Thunderbird 115+. Analyses headers and body on a per-message basis and shows structured OSINT intel — either as a popup or directly inline above the mail body.
- MUA / client: from User-Agent, Message-ID patterns, HTML-body signatures, MIME-Version parenthetical, and MIME-boundary prefixes (Apple-Mail / enig / 000 / NextPart) — five independent signals, cross-validated
- Server stack: Gmail · Exchange/M365 · Apple iCloud · Yahoo · delivery markers (Proofpoint / Mimecast / Barracuda)
- M365 tenant GUID + datacenter region: direct org attribution without whois
- Relay path: hop count, external relays, internal hostname leaks (incl. single-label NetBIOS / k8s pod names), private IPs from Received (IPv4 + IPv6 ULA / link-local), per-hop context ("10.x.x.x at relay.example.com from ws-eve.corp.local")
- Authentication: SPF / DKIM / DMARC / ARC / BIMI verdicts + DKIM signatures (domain, selector, vendor hint)
- Crypto: Enigmail version (via X-Enigmail-Version or the enig… boundary prefix), OpenPGP/MIME, S/MIME, Autocrypt / Autocrypt-Gossip, OpenPGP keyserver hint, Symantec PGP-Universal, Tutanota, ProtonMail
- Integrity: missing Date/MID, From↔Sender divergence, Reply-To cross-domain, DKIM h=-coverage gaps, oversigning
- Timezone: UTC normalisation + TZ offset
- MIME structure: compact tree fingerprint
Version Information
Version 0.6.16
Released May 11, 2026
244.7 KiB
Works with
Thunderbird 115.0 and later
# Changelog
All notable user-facing changes are tracked here.
## 0.6.16 - 2026-05-11
Tier-3-equivalent corpus regression hunt. Ran the new bug-class asserts against **100 000 real-world mails** from the `mail-research-corpus`. The sweep surfaced one structural bug-class recurrence that the 0.6.15 Round-5 hardening had missed.
### Bug fix: body-HTML extractor bypassed the control-char sanitiser
The 0.6.15 `_cap()` sanitiser strips control / bidi / zero-width chars at HEADER intake. The body-HTML path uses its own extractor (`extractMetaGenerator()` reading ``) and short-circuited the sanitiser.

The 100k corpus sweep flagged two real-world hits, both MS-Word "filtered medium" HTML exports where the generator string wraps across two source lines:

- `mboxes/apache-cassandra-user/2019-10.mbox#98`
- `mboxes/apache-guacamole-user/2017-06.mbox#108`

Captured value `summary.mua_signals[*].label = 'Microsoft Word 15 (filtered\r\n medium)'`. No XSS (textContent rendering), but structurally the same class as the Round-5 fix.
**Fix:**
- New `sanitiseValue()` export on `globalThis.OSINTUtil` so every surface that takes attacker bytes can call the same cleaner.
- `lib/body_html.js metaAttrs()` now sanitises every ``-attribute value at intake — same character class as `_cap()` (NUL / C0 / DEL except TAB, zero-width set, bidi overrides + isolates).
- The legacy `GEN_RX` fallback path also runs through the sanitiser.
### Regression-test coverage
- New `1.4b_body_meta_generator_stripped` case in `tests/bugclasses/cat1_input_attacks.js` reproduces the exact MS-Word two-line generator pattern and asserts the resulting summary carries no tripwire chars.
- 100 000-message corpus re-run after the fix expected: 0 violations across all bug-class categories.
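The fix and the regression case above, reconstructed as an added JavaScript example that is not mleak's own code: a single intake-time sanitiser with the character class the changelog names, a body-HTML `<meta>` reader that calls it on every attribute value, and a check for leftover tripwire chars. The function names follow the changelog, but their bodies, the 200-char cap and the sample HTML are my assumptions.

```javascript
// Added example, not code from the mleak project: reconstructs the intake-time
// sanitiser the 0.6.16 changelog describes and the body-HTML <meta> path that
// had bypassed it. Function names follow the changelog; bodies are assumptions.
const TRIPWIRE_CLASS =
  "[\\u0000-\\u0008\\u000A-\\u001F\\u007F" + // NUL / C0 / DEL; TAB (U+0009) kept
  "\\u200B-\\u200D\\u2060\\uFEFF" +          // zero-width set
  "\\u202A-\\u202E\\u2066-\\u2069]";         // bidi overrides + isolates
const STRIP_RX = new RegExp(TRIPWIRE_CLASS, "g");
const HAS_RX = new RegExp(TRIPWIRE_CLASS);

// One cleaner for every surface that takes attacker-controlled bytes.
function sanitiseValue(value, max = 200) {
  if (typeof value !== "string") return "";
  return value
    .replace(STRIP_RX, "")     // drop control / zero-width / bidi chars
    .replace(/ {2,}/g, " ")    // collapse space runs left by a removed CRLF fold
    .trim()
    .slice(0, max);            // bounded length (assumed cap, like _cap())
}

function hasTripwireChars(value) { return HAS_RX.test(value); }

// Regex <meta> reader so the example runs in Node; in the extension the DOM
// supplies the attributes. Every attribute value is sanitised at intake.
const META_RX = /<meta\b([^>]*)>/gi;
const ATTR_RX = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function metaAttrs(html, sanitise = sanitiseValue) {
  const out = [];
  for (const tag of html.matchAll(META_RX)) {
    const attrs = {};
    for (const a of tag[1].matchAll(ATTR_RX)) {
      attrs[a[1].toLowerCase()] = sanitise(a[2] ?? a[3] ?? a[4] ?? "");
    }
    out.push(attrs);
  }
  return out;
}

// Passing sanitise = (v) => v reproduces the pre-fix short-circuit.
function extractMetaGenerator(html, sanitise = sanitiseValue) {
  const hit = metaAttrs(html, sanitise)
    .find((a) => (a.name || "").toLowerCase() === "generator");
  return hit ? hit.content ?? null : null;
}

// Constructed sample in the MS-Word "filtered medium" shape from the changelog:
// the generator value folds across two source lines.
const SAMPLE_HTML =
  '<meta http-equiv="Content-Type" content="text/html">\r\n' +
  '<meta name=Generator content="Microsoft Word 15 (filtered\r\n medium)">';
```

With the default sanitiser the folded value comes back as `Microsoft Word 15 (filtered medium)`; with the identity function the raw CR/LF survive, which is the bypass the regression case pins down.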
### New test infrastructure ported from sister projects
While the corpus run was queued, two techniques from `mleak-files-remover` and `mleak-files` were ported:

- **`tests/bugclasses/cat_fuzz.js`** — seeded-PRNG adversarial fuzz across every detector entry point. 12 targets × 2 alphabets (ASCII printable + hostile full-byte-range) × 7 length tiers × 100 fixtures = **16 800 randomised inputs per run**. Determinism via xorshift32 seed `0x6d6c656b`. Each case must complete in run.py` now runs **9 suites / 65 tests** for the per-commit gate plus the corpus-tier as an on-demand deeper sweep.
### Verification
| metric | value |
|---|---|
| `tests/run.py` | 145+ passed, 0 failures |
| `tests/bugclasses/run.py` | 65 passed, 0 failures |
| 100k corpus sweep (pre-fix) | 2 ctlchars violations |
| 100k corpus sweep (post-fix) | 0 violations (re-run after `body_html` fix) |
| Fuzz suite (16 800 cases) | 0 throws, 0 timeouts, worst 12.3 ms |
##...