I'm starting to get reports from users who are saying my code that relies on 
Email::Address is getting spoofed. Here's a small example: 

use strict; 
use Email::Address; 

my $from  = q...@example.com <spoofer.addr...@malicious-site.com>}; 
my $from2 = q{"m...@example.com" <spoofer.addr...@malicious-site.com>}; 

my $address = ( Email::Address->parse($from) )[0]->address;
print $address . "\n";

my $address2 = ( Email::Address->parse($from2) )[0]->address;
print $address2 . "\n";

As you can see, it just takes the phrase unquoted to trip this up. The first 
example is most likely incorrect formatting, but still works when it comes to 
sending the messages out for my system to receive it. Ugh. 

Any tried and true way to catch this spoofing? I think what's happening is that 
Email::Address is parsing the line as if there's two valid addresses, since I 
can also do this: 

        $address = ( Email::Address->parse($from) )[1]->address;
        print $address . "\n";
        # prints: spoofer.addr...@malicious-site.com

As far as I can grok, having multiple From: addresses doesn't really make much 
sense (is it legal?) If so, there's my workaround. 


Reply via email to