I'm starting to get reports from users who are saying my code that relies on 
Email::Address is getting spoofed. Here's a small example: 


#!/usr/bin/perl 
use strict; 
use warnings;
use Email::Address; 

# Phrase left unquoted, and the phrase itself looks like an addr-spec
my $from  = q{...@example.com <spoofer.addr...@malicious-site.com>};
# Same header with the phrase quoted
my $from2 = q{"m...@example.com" <spoofer.addr...@malicious-site.com>};

# Take the first parsed address from each header
my $address = ( Email::Address->parse($from) )[0]->address;
print $address . "\n";

my $address2 = ( Email::Address->parse($from2) )[0]->address;
print $address2 . "\n";


As you can see, it just takes the phrase unquoted to trip this up. The first 
example is most likely incorrect formatting, but still works when it comes to 
sending the messages out for my system to receive it. Ugh. 

Any tried and true way to catch this spoofing? I think what's happening is that 
Email::Address is parsing the line as if there are two valid addresses, since I 
can also do this: 

        $address = ( Email::Address->parse($from) )[1]->address;
        print $address . "\n";
        # prints: spoofer.addr...@malicious-site.com

As far as I can grok, having multiple From: addresses doesn't really make much 
sense (is it legal?). If so, there's my workaround. 

Justin 
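One way to implement the workaround described above (reject any From: header that Email::Address does not parse to exactly one mailbox), as an added example that is not part of the original post. The sample headers and the `single_from_address` helper are constructed here; the domains are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Email::Address;

# Return the address from a From: header only when the header parses to
# exactly one mailbox. An unquoted phrase that is itself an addr-spec makes
# Email::Address return two mailboxes, which is the case in the post.
# Returns undef when the header should be rejected.
sub single_from_address {
    my ($header) = @_;
    my @parsed = Email::Address->parse($header);
    return undef if @parsed != 1;
    return $parsed[0]->address;
}

# Extra signal worth logging: a quoted display name that looks like an
# address but differs from the real addr-spec (display-name spoofing).
sub phrase_looks_like_other_address {
    my ($header) = @_;
    my @parsed = Email::Address->parse($header);
    return 0 if @parsed != 1;
    my $phrase = $parsed[0]->phrase;
    return 0 unless defined $phrase && $phrase =~ /\@/;
    return lc($phrase) ne lc($parsed[0]->address) ? 1 : 0;
}

# Constructed sample headers (placeholder domains), not real messages.
my @samples = (
    q{"Mail Admin" <admin@example.com>},                      # ordinary header
    q{admin@example.com <spoofer@malicious-site.example>},    # unquoted phrase, two mailboxes
    q{"admin@example.com" <spoofer@malicious-site.example>},  # quoted phrase, one mailbox
);

for my $h (@samples) {
    my $addr = single_from_address($h);
    if (!defined $addr) {
        printf "%-58s => REJECT (not exactly one mailbox)\n", $h;
        next;
    }
    my $flag = phrase_looks_like_other_address($h) ? ' [display name looks like an address]' : '';
    printf "%-58s => %s%s\n", $h, $addr, $flag;
}
```

The second sample is rejected outright; the third is accepted with the real address (the spoofer's) and flagged because its display name mimics a different address.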
