https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8394

            Bug ID: 8394
           Summary: From header is ignored if Resent-From is present
           Product: Spamassassin
           Version: 4.0.2
          Hardware: PC
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Libraries
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: Undefined

It was decided some 20+ years ago that Resent-* headers should take precedence
over the normal From & To headers. See bugs 672 & 1600. However, I think things
have changed since then. 

First, RFC 5322 states:

"Resent fields are strictly informational.  They MUST NOT be used in the normal
processing of replies or other such automatic actions on messages."

Second, there's no way to authenticate Resent-From the way DMARC provides
authentication for the From header, so they are very easily spoofed. 

Third, the RFC is a little vague about when these headers should be used. It
says they should be used when a message is "reintroduced by a user into the
transport system" and goes on to say that this is a different operation from
"forwarding". However, some mail systems (e.g. M365) insert a Resent-From
header when a message is forwarded, and some don't (e.g. Google).

The practical impact today is in PerMsgStatus::all_from_addrs(): as soon as a
Resent-From appears, SA discards From, Envelope-Sender, Resent-Sender,
X-Envelope-From, and EnvelopeFrom and returns only the Resent-From address.
Every consumer of all_from_addrs() inherits that blind spot:

    - WLBLEval: welcomelist_from / blocklist_from / *_FROM_ADDRLIST_* no
      longer match the original author on resent mail, so a legitimate
      sender on a user's welcomelist loses the hit the moment the message
      is forwarded through M365, and a known-bad sender on a blocklist
      can sidestep it the same way.
    - DNSEval: check_rbl_from_host / check_rbl_from_domain stop querying
      the original sender's host/domain.
    - FreeMail: check_freemail_from misses freemail original senders
      behind a non-freemail resender.
    - HashBL: the ALLFROM pseudo-header loses the original author.
    - AccessDB: From-based access lookups stop covering the real sender.

Rather than flipping the precedence the other way (which would have its own
regressions), the attached patch simply appends Resent-From:first:addr to the
existing list instead of replacing it. 

I'll commit in a few days if I don't hear any complaints.

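The precedence behaviour described in the report and the proposed fix, modelled in Python as an added example; this is not SpamAssassin's Perl code and not the attached patch. The header list and its order are taken from the report; the message is constructed; SA's Envelope-Sender, X-Envelope-From and EnvelopeFrom pseudo-headers are read here as if they were literal headers; and blocklist_hit() is a simplified stand-in for a blocklist_from lookup:

```python
"""Added example, not SpamAssassin code: models how PerMsgStatus::all_from_addrs()
collects sender addresses before and after the change proposed in bug 8394."""
from email import message_from_string
from email.utils import getaddresses

# Sender sources the report says SA consults, in the order listed there.
# Envelope-Sender, X-Envelope-From and EnvelopeFrom are SA pseudo-headers filled
# from the SMTP envelope; for this stand-alone demo they are read as literal headers.
FROM_HEADERS = ["From", "Envelope-Sender", "Resent-Sender",
                "X-Envelope-From", "EnvelopeFrom"]

# Constructed message: a blocklisted author whose mail passed through a
# resender that stamps Resent-* headers (the M365-style forward in the report).
SAMPLE_MESSAGE = """\
From: Spoofed Vendor <attacker@example.net>
To: victim@example.org
Subject: Overdue invoice
X-Envelope-From: bounce@example.net
Resent-From: forwarder@example.com
Resent-To: victim@example.org
Resent-Date: Mon, 03 Jun 2024 09:00:00 +0000

Please see the attached invoice.
"""


def _addrs(msg, header, first_only=False):
    """Lower-cased addr-specs from every instance of `header` (or only the first)."""
    values = msg.get_all(header, [])
    if first_only:
        values = values[:1]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def _dedupe_extend(out, addrs):
    for a in addrs:
        if a not in out:
            out.append(a)
    return out


def all_from_addrs_old(raw):
    """Behaviour the report describes: a Resent-From header short-circuits the
    lookup, so the original author and envelope sender are dropped."""
    msg = message_from_string(raw)
    resent = _addrs(msg, "Resent-From", first_only=True)
    if resent:
        return resent
    out = []
    for h in FROM_HEADERS:
        _dedupe_extend(out, _addrs(msg, h))
    return out


def all_from_addrs_new(raw):
    """Proposed behaviour: Resent-From:first:addr is appended to the list
    instead of replacing it."""
    msg = message_from_string(raw)
    out = []
    for h in FROM_HEADERS:
        _dedupe_extend(out, _addrs(msg, h))
    return _dedupe_extend(out, _addrs(msg, "Resent-From", first_only=True))


def blocklist_hit(addrs, blocklist):
    """Simplified stand-in for a blocklist_from lookup: exact address match."""
    return any(a in blocklist for a in addrs)


if __name__ == "__main__":
    blocklist = {"attacker@example.net"}
    for name, fn in (("old", all_from_addrs_old), ("new", all_from_addrs_new)):
        addrs = fn(SAMPLE_MESSAGE)
        print(f"{name}: {addrs} -> blocklist hit: {blocklist_hit(addrs, blocklist)}")
```

Run stand-alone, the old path returns only the resender's address, so the blocklisted author is never compared against the list; the new path keeps From and X-Envelope-From and adds the Resent-From address at the end, so the same lookup hits. Because nothing in the message authenticates Resent-From, the sender can add that header themselves to get the old behaviour without any intermediate forwarder.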