Hi Justin,

Justin Skazat wrote:
> I'm starting to get reports from users who are saying my code that relies on
> Email::Address is getting spoofed. Here's a small example:
> 
> [...]
> 
> my $from  = q...@example.com <spoofer.addr...@malicious-site.com>};
>
> [...]
> 
> As you can see, it just takes the phrase unquoted to trip this up. The first
> example is most likely incorrect formatting, but still works when it comes to
> sending the messages out for my system to receive it. Ugh.

What is the actual spoofing problem that occurs? Is the problem that it seems to
come from m...@example.com? But that can already easily be done; I can just put

  From: You <m...@example.com>

in my email headers.

> Any tried and true way to catch this spoofing? I think what's happening is
> that Email::Address is parsing the line as if there's two valid addresses,
> since I can also do this:
> 
> $address = ( Email::Address->parse($from) )[1]->address;
> print $address . "\n"; # prints: spoofer.addr...@malicious-site.com

That's a bug. The email addresses should be separated by commas.

> As far as I can grok, having multiple From: addresses doesn't really make
> much sense (is it legal?)

Yes, according to RFC 2822, but they must be separated by commas.

-- 
Matijs
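A defender-side check along the lines Matijs describes, as an added example that is not part of this thread and not code from Email::Address: it treats a From: value as an RFC 2822 mailbox-list, requires every comma-separated element to be exactly one mailbox, and therefore rejects both a second angle-addr glued on without a comma and an unquoted phrase that contains a comma. It is written in Python (the thread's code is Perl) with a deliberately simplified grammar (dot-atom local parts and domains only, no comments or obsolete routes); the sample header values are constructed placeholders.

```python
import re

# Constructed sample From: values for the check below (placeholders, not the
# addresses from the thread).
SPOOFED   = 'Alice Example <alice@example.com> <spoofer@malicious-site.example>'
UNQUOTED  = 'Example, Alice <alice@example.com>'   # comma inside an unquoted phrase
LEGIT_ONE = 'Alice Example <alice@example.com>'
LEGIT_TWO = '"Example, Alice" <alice@example.com>, bob@example.net'

# Simplified RFC 2822/5322 grammar: dot-atom local parts and domains only,
# no domain literals, no comments, no obsolete routes.
ATEXT         = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM      = rf"{ATEXT}+(?:\.{ATEXT}+)*"
ADDR_SPEC     = rf"{DOT_ATOM}@{DOT_ATOM}"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
WORD          = rf"(?:{QUOTED_STRING}|{ATEXT}+)"
DISPLAY_NAME  = rf"{WORD}(?:\s+{WORD})*"
# Exactly one mailbox: either a bare addr-spec or [display-name] <addr-spec>.
MAILBOX = re.compile(
    rf"\s*(?:(?P<bare>{ADDR_SPEC})"
    rf"|(?:(?P<name>{DISPLAY_NAME})\s*)?<(?P<angle>{ADDR_SPEC})>)\s*"
)


def split_mailboxes(header):
    """Split an address-list on commas that sit outside quoted strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in header:
        if escaped:
            escaped = False
        elif ch == '\\' and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ',' and not in_quote:
            parts.append(''.join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append(''.join(buf))
    return parts


def _unquote(word):
    """Strip the quotes of a quoted-string word and undo backslash escapes."""
    if word.startswith('"') and word.endswith('"'):
        return re.sub(r'\\(.)', r'\1', word[1:-1])
    return word


def parse_mailbox_list(header):
    """Return [(display_name, addr_spec), ...] for a well-formed mailbox-list.

    Raise ValueError if any comma-separated element is not exactly one
    mailbox, which is what a second <addr> without a separating comma, or an
    unquoted phrase containing ',', produces.
    """
    mailboxes = []
    for part in split_mailboxes(header):
        m = MAILBOX.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed mailbox: {part.strip()!r}")
        if m.group('bare'):
            mailboxes.append(('', m.group('bare')))
            continue
        words = re.findall(WORD, m.group('name') or '')
        mailboxes.append((' '.join(_unquote(w) for w in words), m.group('angle')))
    return mailboxes


def check_from(header, require_single=True):
    """Policy check for a From: value; returns (accepted, reason).

    Several comma-separated mailboxes are legal in From: per RFC 2822, so
    require_single=True is an application choice for systems that expect one
    sender, not a syntax rule.
    """
    try:
        mailboxes = parse_mailbox_list(header)
    except ValueError as exc:
        return False, str(exc)
    if require_single and len(mailboxes) != 1:
        return False, f"expected one mailbox, found {len(mailboxes)}"
    return True, ''


if __name__ == '__main__':
    for label, value in [('spoofed', SPOOFED), ('unquoted', UNQUOTED),
                         ('one', LEGIT_ONE), ('two', LEGIT_TWO)]:
        print(f"{label:9}{check_from(value)}")
```

The key design choice is to match each comma-separated element against the grammar for a single mailbox with `fullmatch`, rather than scanning for addresses and stopping at the first one: anything left over after one mailbox, such as the second angle-addr in the spoofed sample, is then a parse failure to reject rather than a second address to silently accept.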
