Hi Justin, Justin Skazat wrote: > I'm starting to get reports from users who are saying my code that relies on > Email::Address is getting spoofed. Here's a small example: > > [...] > > my $from = q...@example.com <spoofer.addr...@malicious-site.com>}; > > [...] > > As you can see, it just takes the phrase unquoted to trip this up. The first > example is most likely incorrect formatting, but still works when it comes to > sending the messages out for my system to receive it. Ugh.
What is the actual spoofing problem that occurs? Is the problem that it seems to come from m...@example.com? But that can already easily be done, I can just put From: You <m...@example.com> in my email headers. > Any tried and true way to catch this spoofing? I think what's happening is > that Email::Address is parsing the line as if there's two valid addresses, > since I can also do this: > > $address = ( Email::Address->parse($from) )->address; print $address . > "\n"; # prints: spoofer.addr...@malicious-site.com That's a bug. The email addresses should be separated by commas. > As far as I can grok, having multiple From: addresses doesn't really make > much sense (is it legal?) Yes, according to RFC 2822, but they must be separated by commas. -- Matijs
Description: OpenPGP digital signature