On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:

> What is the actual spoofing problem that occurs?

The spoofing occurs since the system receives mail with a From: header like this:

  From: m...@example.com <spoofer.addr...@malicious-site.com>

which looks like a From: line with a comment, and then the email address (in brackets). If I use the code I posted:

  my $address = ( Email::Address->parse($from) )[0]->address;
  print $address . "\n";

the address that gets returned in $address is what's in the comment field, not the actual address. Certain actions are taken depending on what address gets mailed to, so the spoofing address (spoofer.addr...@malicious-site.com) is gaining access to privileges that the other address has (m...@example.com).

> Is the problem that it seems to come from m...@example.com?

Yes.

> But that can already easily be done, I can just put
>
> From: You <m...@example.com>
>
> in my email headers.

OK - what should I do about that? What's the general wisdom to help thwart that? Use the Sender: header? Both? Something more fancy?

>> $address = ( Email::Address->parse($from) )[1]->address; print $address .
>> "\n"; # prints: spoofer.addr...@malicious-site.com
>
> That's a bug. The email addresses should be separated by commas.

I agree - but it's what I'm receiving from someone sending messages to the system - I can't control it, I'm just trying to catch it.

Justin

On Jan 5, 2010, at 12:17 AM, Matijs van Zuijlen wrote:

> Hi Justin,
>
> Justin Skazat wrote:
>> I'm starting to get reports from users who are saying my code that relies on
>> Email::Address is getting spoofed. Here's a small example:
>>
>> [...]
>>
>> my $from = q...@example.com <spoofer.addr...@malicious-site.com>};
>>
>> [...]
>>
>> As you can see, it just takes the phrase unquoted to trip this up. The first
>> example is most likely incorrect formatting, but still works when it comes to
>> sending the messages out for my system to receive it. Ugh.
>
> What is the actual spoofing problem that occurs? Is the problem that it seems to
> come from m...@example.com? But that can already easily be done, I can just put
>
> From: You <m...@example.com>
>
> in my email headers.
>
>> Any tried and true way to catch this spoofing? I think what's happening is
>> that Email::Address is parsing the line as if there's two valid addresses,
>> since I can also do this:
>>
>> $address = ( Email::Address->parse($from) )[1]->address; print $address .
>> "\n"; # prints: spoofer.addr...@malicious-site.com
>
> That's a bug. The email addresses should be separated by commas.
>
>> As far as I can grok, having multiple From: addresses doesn't really make
>> much sense (is it legal?)
>
> Yes, according to RFC 2822, but they must be separated by commas.
>
> --
> Matijs
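An added example (my code, not anything Justin or Matijs posted) of the "catching" Justin asks about: instead of trusting element [0] of Email::Address->parse(), refuse to act on any From: value that does not resolve to exactly one mailbox with a display phrase free of '@'. The parse/phrase/address methods are Email::Address's real API; the sample header values and the attacker.example domain are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: refuse to act on a From:
# header unless Email::Address yields exactly one mailbox whose display
# phrase does not itself look like an address. Sample headers constructed.
use strict;
use warnings;
use Email::Address;

# Returns ($address, undef) when the header names one unambiguous mailbox,
# or (undef, $reason) when it must not be used for any privileged action.
sub single_sender {
    my ($from) = @_;
    my @mailboxes = Email::Address->parse($from);

    return (undef, 'no parsable address') unless @mailboxes;

    # The bug from the thread: an unquoted "user@host" phrase makes parse()
    # return two objects for what is really one mailbox, and taking [0]
    # hands out the spoofed identity. Insist on exactly one.
    return (undef, 'more than one mailbox in From') if @mailboxes > 1;

    # Second symptom of the same trick: the display phrase contains an '@'.
    # Real display names do not, so reject rather than guess which is real.
    my $phrase = $mailboxes[0]->phrase;
    return (undef, 'address-like display phrase')
        if defined $phrase && $phrase =~ /@/;

    return (lc $mailboxes[0]->address, undef);
}

# Constructed sample header values; only the first should be accepted.
my @samples = (
    'Member <member@example.com>',
    'member@example.com <spoofer@attacker.example>',
    '"member@example.com" <spoofer@attacker.example>',
    'member@example.com, spoofer@attacker.example',
);
for my $from (@samples) {
    my ($addr, $why) = single_sender($from);
    printf "%-52s => %s\n", $from, defined $addr ? $addr : "REJECT ($why)";
}
```

Whether a given Email::Address version returns one or two objects for the unquoted-phrase case, the header is rejected by one of the two checks, so the outcome does not depend on the parser's exact behaviour.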