Multiple addresses in From: Line

Posted: Wed Dec 19, 2018 1:43 pm
by thomas.klaube
Hi all,

we see an increased number of spam/phishing mails with From: header lines (not envelope!) like this:

From: John Doe <john.doe@example.com> <some@address.com>
or:
From: "John Doe <john.doe@example.com>" <some@address.com>

The Zimbra WebUI displays this mail as being sent from "John Doe <john.doe@example.com>". The user has no indication that some@address.com might be the real sender. The only way to find out about this is to inspect the headers with "Show Original".

While it is allowed to have multiple addresses in the From: line (by RFC 822 and even by the latest SMTP RFC 5322), I have never seen any legitimate mail with more than one address in the From: header. As our users are totally confused by these mails and this message layout is used for personalized phishing (where John Doe <john.doe@example.com> is replaced with an existing, real, live person who was in recent contact with the receiver), I want to reject those mails, ideally on the Postfix level.

Is there a good way to do this? The only thing that comes to my mind is Postfix header_checks, trying to catch these mails with a regex. But this could be difficult as the From: line is often base64 encoded as well...

Regards
Thomas

Re: Multiple addresses in From: Line

Posted: Mon Jan 28, 2019 5:19 pm
by gsanguinetti
Hello, I have the same problem here and noticed that there are two addresses in the From: header.
Did you find a solution?
I can't find a way to reject those mails.
Maybe defining a regex match in a config file, but I don't know where.
Any suggestion?
Thanks

Re: Multiple addresses in From: Line

Posted: Tue Jan 29, 2019 8:45 am
by msquadrat
We're seeing this issue as well. Still pondering the proper solution, probably either a SpamAssassin rule or a Postfix header check.

Re: Multiple addresses in From: Line

Posted: Tue Jan 29, 2019 10:42 am
by thomas.klaube
Unfortunately I did not find a good solution for this problem. You could try to put a regex in /opt/zimbra/conf/postfix_header_checks.in like this:

/From:.*"+.".+<.*@+.*>.*<.*@+.*>|From:.+<.*@+.*>.*<.*@+.*>/ REJECT We do not accept multiple addresses in from line

But beware, this is untested!

And again: this will probably not help if the From: line contains base64 encoded strings...

Regards
Thomas

Re: Multiple addresses in From: Line

Posted: Tue Jan 29, 2019 10:54 am
by msquadrat
The latter should be enough already, even for base64 encoded From headers:

From:.+<.*@+.*>.*<.*@+.*>

I'd probably change it to

^From:.*<[^>]+> *<[^>]+> *$

though.

Why? Unless I'm mistaken, the spammers don't send us multiple From values but a single, invalid From value instead. Note the missing comma; here's an example from a mail I received:

From: <versandbestaetigung@amazon.de> <mabarno@inexus.com.uy>

So we can ignore the display name and just look for two consecutive addresses in angle brackets. The angle brackets themselves must appear only once and must be quoted if used in a display name.

Spammers could start adding comments in normal brackets between or after these angle brackets but this should work for now.

Re: Multiple addresses in From: Line

Posted: Wed Jan 30, 2019 4:26 pm
by thomas.klaube
msquadrat wrote: Why? Unless I'm mistaken, the spammers don't send us multiple From values but a single, invalid From value instead. Note the missing comma; here's an example from a mail I received:

From: <versandbestaetigung@amazon.de> <mabarno@inexus.com.uy>

I have also seen spam with comma separated From: values. The Zimbra Webclient will only show one of them, which is misleading. However, I think the regexp approach is worth a try.

Regards
Thomas
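To see how the header_checks pattern proposed above and a structured check behave on the header shapes quoted in this thread (bare second angle-bracket address, quoted display name containing an address, comma separated list, and a base64 encoded-word display name), here is an added Python example. It is not code from any poster, nor from Zimbra or Postfix. It assumes the structured check runs somewhere the full header value is available for RFC 2047 decoding, for instance a content filter or milter after Postfix has accepted the message; header_checks itself only sees the raw line. The sample From: lines, the placeholder addresses and all function names are constructed for the example.

```python
import base64
import re
from email.header import decode_header

# The header_checks pattern proposed in the thread, reused unchanged here so the
# same regex can be run against the samples below.
POSTFIX_RULE = re.compile(r'^From:.*<[^>]+> *<[^>]+> *$')

# Address-like token, "two angle-bracket addresses with nothing but whitespace
# between them" (the shape seen in the thread), and a quoted display name.
ADDR = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
CONSECUTIVE = re.compile(r'<[^<>]+>\s*<[^<>]+>')
QUOTED_NAME = re.compile(r'\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample headers modelled on the shapes quoted in the thread;
# the addresses are placeholders, not real senders.
_b64_name = base64.b64encode(b'John Doe <john.doe@example.com>').decode('ascii')
SAMPLES = {
    'legit':       'From: "John Doe" <john.doe@example.com>',
    'two_angle':   'From: John Doe <john.doe@example.com> <some@address.com>',
    'quoted_name': 'From: "John Doe <john.doe@example.com>" <some@address.com>',
    'comma_list':  'From: "John Doe" <john.doe@example.com>, <some@address.com>',
    'b64_name':    f'From: =?UTF-8?B?{_b64_name}?= <some@address.com>',
}


def postfix_rule_matches(raw_line):
    """True if the raw (undecoded) header line trips the header_checks regex."""
    return POSTFIX_RULE.search(raw_line) is not None


def decode_from(raw_line):
    """Return the From: header value with RFC 2047 encoded-words decoded."""
    _, _, value = raw_line.partition(':')
    parts = []
    for part, charset in decode_header(value.strip()):
        # decode_header yields str when no encoded-word is present, bytes otherwise
        if isinstance(part, bytes):
            part = part.decode(charset or 'ascii', 'replace')
        parts.append(part)
    return ''.join(parts)


def display_name(value):
    """Display-name portion: the quoted string if present, else the text before '<'."""
    m = QUOTED_NAME.match(value)
    if m:
        return m.group(1)
    return value.split('<', 1)[0].strip()


def analyse_from(raw_line):
    """Return the reasons a From: header looks like sender spoofing ([] means clean)."""
    value = decode_from(raw_line)
    reasons = []
    if CONSECUTIVE.search(value):
        reasons.append('two consecutive <...> addresses without a comma')
    addresses = ADDR.findall(value)
    if len(addresses) > 1:
        reasons.append(f'{len(addresses)} addresses in one From: header')
    # An address hidden inside the display name is exactly what the web UI shows
    # to the user; a few legitimate senders do this too, so weight it, don't reject on it.
    if ADDR.search(display_name(value)):
        reasons.append('display name contains an address')
    return reasons


if __name__ == '__main__':
    for label, line in SAMPLES.items():
        print(f'{label:12} postfix_rule={postfix_rule_matches(line)!s:5} '
              f'reasons={analyse_from(line)}')
```

Running the block prints one row per sample. The raw-line regex matches only the bare two-angle case; the quoted-display-name variant, the comma separated list and the encoded-word display name all slip past it because the second angle bracket pair is either preceded by a quote or comma or is hidden inside the base64 text. Decoding first and then counting addresses flags all four while leaving the single-mailbox header alone, which is why a check of this kind belongs in a content filter with a score rather than in header_checks as a hard REJECT.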