Multiple addresses in From: Line

thomas.klaube
Posts: 32
Joined: Sat Nov 30, 2013 5:17 am
Location: Stuttgart
ZCS/ZD Version: 8.6.0 P6

Multiple addresses in From: Line

Postby thomas.klaube » Wed Dec 19, 2018 1:43 pm

Hi all,

we see an increased number of spam/phishing mails with From: header lines (not envelope!) like this:

From: John Doe <john.doe@example.com> <some@address.com>
or:
From: "John Doe <john.doe@example.com>" <some@address.com>

The Zimbra WebUI displays this mail as being sent from "John Doe <john.doe@example.com>". The user has no indication that some@address.com might be the real sender. The only way to find out about this is to inspect the headers with "Show Original".

While it is allowed to have multiple addresses in the From: line (by RFC 822 and even by the latest SMTP RFC 5322), I have never seen any legitimate mail with more than one address in the From: header. As our users are totally confused by these mails, and this message layout is used for personalized phishing (where John Doe <john.doe@example.com> is replaced with an existing, real-life person who was in recent contact with the receiver), I want to reject those mails, ideally on the Postfix level.

Is there a good way to do this? The only thing that comes to my mind is a Postfix header_checks entry that tries to catch these mails with a regex. But this could be difficult, as the From: line is often base64 encoded as well...

Regards
Thomas


gsanguinetti
Posts: 1
Joined: Mon Jan 28, 2019 5:16 pm

Re: Multiple addresses in From: Line

Postby gsanguinetti » Mon Jan 28, 2019 5:19 pm

Hello, I have the same problem here and noticed that there are two addresses in the From: header.
Did you find a solution?
I can't find a way to reject those mails.
Maybe defining a regex match in a config file, but I don't know where.
Any suggestion?
Thanks
msquadrat
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: Multiple addresses in From: Line

Postby msquadrat » Tue Jan 29, 2019 8:45 am

We're seeing this issue as well. Still pondering about the proper solution, probably either a SpamAssassin rule or a Postfix header check.
thomas.klaube
Posts: 32
Joined: Sat Nov 30, 2013 5:17 am
Location: Stuttgart
ZCS/ZD Version: 8.6.0 P6

Re: Multiple addresses in From: Line

Postby thomas.klaube » Tue Jan 29, 2019 10:42 am

Unfortunately I did not find a good solution for this problem. You could try to put a regex in /opt/zimbra/conf/postfix_header_checks.in like this:

/From:.*"+.".+<.*@+.*>.*<.*@+.*>|From:.+<.*@+.*>.*<.*@+.*>/ REJECT We do not accept multiple addresses in from line

But beware, this is untested!

And again: this will probably not help if the From: line contains base64 encoded strings...

Regards
Thomas
msquadrat
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: Multiple addresses in From: Line

Postby msquadrat » Tue Jan 29, 2019 10:54 am

The latter should be enough already, even for base64 encoded From headers:


From:.+<.*@+.*>.*<.*@+.*>


I'd probably change it to


^From:.*<[^>]+> *<[^>]+> *$


though.

Why? Unless I'm mistaken the spammers don't send us multiple From values but a single, invalid From value instead. Note the missing comma, here's an example from a mail I received:


From: <versandbestaetigung@amazon.de> <mabarno@inexus.com.uy>


So we can just ignore the display name and just look for two consecutive addresses in angle brackets. The angle brackets themselves must appear only once and must be quoted if used in a display name.

Spammers could start adding comments in normal brackets between or after these angle brackets but this should work for now.
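An added Python check (not code from anyone in this thread) that runs both regexes posted above over sample From: lines, so you can see what each one catches before putting it into postfix_header_checks.in. It assumes Python's re engine behaves like Postfix's PCRE for these two patterns and that header_checks see the complete, unfolded header line; the base64-encoded sample is constructed, the others are the lines quoted in the thread.

```python
import re
from email.header import decode_header

# Both patterns are the ones posted in this thread. Postfix header_checks
# match the whole logical header line (folded lines are joined first) and
# are case-insensitive by default, which re.IGNORECASE approximates here.
TIGHT_RE = re.compile(r'^From:.*<[^>]+> *<[^>]+> *$', re.IGNORECASE)
LOOSE_RE = re.compile(
    r'From:.*"+.".+<.*@+.*>.*<.*@+.*>|From:.+<.*@+.*>.*<.*@+.*>',
    re.IGNORECASE)


def decode_display(header_line: str) -> str:
    """Decode RFC 2047 encoded-words, i.e. what the mail client renders.

    Only the display name is ever encoded; the addr-spec inside <...> stays
    plain ASCII, which is why a regex on the raw header still sees both
    addresses even when the name is base64 encoded.
    """
    value = header_line.split(':', 1)[1].strip()
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or 'ascii', errors='replace')
        parts.append(chunk)
    return ''.join(parts)


def check_from(header_line: str) -> dict:
    """Evaluate both thread regexes against one raw From: header line."""
    return {
        'tight': TIGHT_RE.search(header_line) is not None,
        'loose': LOOSE_RE.search(header_line) is not None,
        'rendered': decode_display(header_line),
    }


# Samples: two quoted from the thread, one constructed base64 variant of the
# same layout, and one legitimate header with a quoted display name.
SAMPLES = {
    'spam_two_brackets': 'From: <versandbestaetigung@amazon.de> <mabarno@inexus.com.uy>',
    'spam_quoted_name': 'From: "John Doe <john.doe@example.com>" <some@address.com>',
    'spam_encoded_name': 'From: =?utf-8?b?Sm9obiBEb2U=?= <john.doe@example.com> <some@address.com>',
    'legit': 'From: "Doe, John" <john.doe@example.com>',
}

if __name__ == '__main__':
    for name, line in SAMPLES.items():
        print(name, check_from(line))
```

The tighter pattern misses the variant where the first address is hidden inside a quoted display name, while the earlier two-alternative pattern catches it; neither fires on a normal single-address header.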
thomas.klaube
Posts: 32
Joined: Sat Nov 30, 2013 5:17 am
Location: Stuttgart
ZCS/ZD Version: 8.6.0 P6

Re: Multiple addresses in From: Line

Postby thomas.klaube » Wed Jan 30, 2019 4:26 pm

msquadrat wrote:
Why? Unless I'm mistaken the spammers don't send us multiple From values but a single, invalid From value instead. Note the missing comma, here's an example from a mail I received:

From: <versandbestaetigung@amazon.de> <mabarno@inexus.com.uy>
I have also seen spam with comma-separated From: values. The Zimbra Webclient will only show one of them, which is misleading. However, I think the regexp approach is worth a try.

Regards
Thomas
