Zimbra Forums

Hi all,

we see an increased number of spams/phinshing mails with from: header lines (not envelope!) like this:

From: John Doe <john.doe@example.com> <some@address.com>
or:
From: "John Doe <john.doe@example.com>" <some@address.com>

The Zimbra WebUI displays this mail as being sent from "John Doe <john.doe@example.com>". The user has no indication that some@address.com might be the real sender. The only way to find out about this is to inspect the headers with "Show Original".

While it is allowed to have multiple addresses in the From: line (by RCP 822 and even by the latest SMTP RFC 5322) I have never seen any legitimate Mail with more than one address in the From: header. As our users are totally confused with these mails and these message layout is used for personalized phishing (where John Doe <john.doe@example.com> is replaced with an existing, real live person who was in recent contact with the receiver) I want to reject those mails ideally on Postfix level.

Is there a good way to do this? The only thing that comes to my mind is a postfix header_checks and try to catch theses mails with a regex. But this could be difficult as the From: line is often base64 encoded as well...

Regards
Thomas

Hello, I have the same problem here and noticed that are two addresses in from header.
Did you find a solution?
I can't find a way to reject those mails.
Maybe defining a regex match in config file, but don't know where.
Any suggestion?
Thanks

We're seeing this issue as well. Still pondering about the proper solution, probably either a SpamAssassin rule or a Postfix header check.

Unfortunately I did not find a good solution for this problem. You could try to put a regex in /opt/zimbra/conf/postfix_header_checks.in like this:

/From:.*"+.".+<.*@+.*>.*<.*@+.*>|From:.+<.*@+.*>.*<.*@+.*>/ REJECT We do not accept multiple addresses in from line

But beware, this is untested!

And again: this will probably not help if the From: line contains base64 encoded strings...

Regards
Thomas

The latter should be enough already, even for base64 encoded From headers:



I'd probably change it to



though.

Why? Unless I'm mistaken the spammers don't send us multiple From values but a single, invalid From value instead. Note the missing comma, here's an example from a mail I received:



So we can just ignore the display name and just look for two consecutive addresses in angle brackets. The angle brackets themselves must appear only once and must be quoted if used in a display name.

Spammers could start adding comments in normal brackets between or after these angle brackets but this should work for now.

msquadrat wrote:Why? Unless I'm mistaken the spammers don't send us multiple From values but a single, invalid From value instead. Note the missing comma, here's an example from a mail I received:

Code: Select all

From: <versandbestaetigung@amazon.de> <mabarno@inexus.com.uy>

I have also seen spam with comma separated From: values. The Zimbra Webclient will only show one of them which is missleading. However, I think the regexp approach is worth a try.

Regards
Thomas