On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:
> What is the actual spoofing problem that occurs? 

The spoofing occurs since the system receives mail with a From: header like 
this: 

From: m...@example.com <spoofer.addr...@malicious-site.com>

Which looks like a From: line with a comment, and then the email address (in 
brackets).

If I use the code I posted: 

        use Email::Address;   # the CPAN parser this thread is about
        # take the first mailbox the parser finds and extract its addr-spec
        my $address = ( Email::Address->parse($from) )[0]->address;
        print $address . "\n";

The address that gets returned is $address - what's in the comment field, not 
the actual address. Certain actions are taken, depending on what address gets 
mailed to, so the spoofing address (spoofer.addr...@malicious-site.com) is 
gaining access to privileges that the other address has (m...@example.com). 

> Is the problem that it seems to
> come from m...@example.com? 

Yes. 

> But that can already easily be done, I can just put
> 
>  From: You <m...@example.com>
> 
> in my email headers.

OK - what should I do about that? What's the general wisdom to help thwart 
that? Use the Sender: header? Both? Something more fancy? 

>> $address = ( Email::Address->parse($from) )[1]->address; print $address .
>> "\n"; # prints: spoofer.addr...@malicious-site.com
> 
> That's a bug. The email addresses should be separated by commas.
> 
I agree - but it's what I'm receiving from someone sending messages to the 
system - I can't control it, I'm just trying to catch it. 

Justin 



On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:

> Hi Justin,
> 
> Justin Skazat wrote:
>> I'm starting to get reports from users who are saying my code that relies on
>> Email::Address is getting spoofed. Here's a small example:
>> 
>> [...]
>> 
>> my $from  = q...@example.com <spoofer.addr...@malicious-site.com>};
>> 
>> [...]
>> 
>> As you can see, it just takes the phrase unquoted to trip this up. The first
>> example is most likely incorrect formatting, but still works when it comes to
>> sending the messages out for my system to receive it. Ugh.
> 
> What is the actual spoofing problem that occurs? Is the problem that it seems
> to come from m...@example.com? But that can already easily be done, I can
> just put
> 
>  From: You <m...@example.com>
> 
> in my email headers.
> 
>> Any tried and true way to catch this spoofing? I think what's happening is
>> that Email::Address is parsing the line as if there's two valid addresses,
>> since I can also do this:
>> 
>> $address = ( Email::Address->parse($from) )[1]->address; print $address .
>> "\n"; # prints: spoofer.addr...@malicious-site.com
> 
> That's a bug. The email addresses should be separated by commas.
> 
>> As far as I can grok, having multiple From: addresses doesn't really make
>> much sense (is it legal?)
> 
> Yes, according to RFC 2822, but they must be separated by commas.
> 
> -- 
> Matijs
> 
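A defensive check for the malformed From: header discussed above, added here as an example; it is not code from the thread or from Email::Address, and it is written in Python rather than Perl. It applies the rule Matijs cites (mailboxes must be comma-separated) by refusing any single mailbox that yields more than one addr-spec, and generalises to whole address lists. The addresses are constructed placeholders for the obfuscated ones in the thread; quoted local parts, domain literals and nested comments are assumed absent.

```python
import re

# Constructed placeholders for the thread's obfuscated addresses
# (m...@example.com and spoofer.addr...@malicious-site.com).
SAMPLE_HEADERS = [
    "user@example.com <spoofer@malicious-site.com>",   # the spoof from the thread
    "You <user@example.com>",                           # ordinary name-addr
    '"user@example.com" <spoofer@malicious-site.com>',  # legal: quoted display name
    "user@example.com, Bob <bob@example.org>",          # two comma-separated mailboxes
]
# addr-spec without quoted local parts or domain literals: enough for this check
ADDR_SPEC = re.compile(r'[^\s<>,;:"()@]+@[^\s<>,;:"()@]+')
QUOTED_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|\((?:\\.|[^)\\])*\)')  # no nesting

def split_mailboxes(header):
    """Split an address-list on commas outside quotes, comments and <...>."""
    masked = QUOTED_OR_COMMENT.sub(lambda m: " " * len(m.group()), header)
    parts, start, angle = [], 0, False
    for i, c in enumerate(masked):
        if c in "<>":
            angle = c == "<"
        elif c == "," and not angle:                    # top-level separator
            parts.append(header[start:i]); start = i + 1
    parts.append(header[start:])
    return [p.strip() for p in parts]

def mailbox_addr_spec(mailbox):
    """The one addr-spec of a mailbox, or None if it yields zero or several."""
    bare = QUOTED_OR_COMMENT.sub(" ", mailbox)  # '@' in quotes/comments is not an address
    specs = ADDR_SPEC.findall(bare)
    if len(specs) != 1:                         # the thread's case: two addr-specs, no comma
        return None
    angle = re.search(r"<\s*([^<>]*?)\s*>", bare)
    if angle and angle.group(1) != specs[0]:    # the addr-spec sits outside the brackets
        return None
    return specs[0]

def parse_address_list(header):
    """Every addr-spec in the header, or None if any mailbox fails the check."""
    specs = [mailbox_addr_spec(m) for m in split_mailboxes(header)]
    return None if None in specs else specs

def sender_address(header):
    """The single addr-spec a From: header may be trusted to name, else None."""
    specs = parse_address_list(header)
    return specs[0] if specs is not None and len(specs) == 1 else None

def check_samples():
    """Map each constructed header to what the system should act on."""
    return {h: sender_address(h) for h in SAMPLE_HEADERS}
```

A From: header that fails the check is treated as naming no sender at all, rather than whichever address the parser happened to list first.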
