[Rspamd-Users] Fwd: Prevent sender address spoofing envelope/header FROM

G.W. Haywood rspamd at jubileegroup.co.uk
Fri Feb 9 13:25:09 UTC 2024


Hi there,

On Fri, 9 Feb 2024, Taco de Wolff wrote:

> Coming back to this question, instead of rejecting, perhaps we can correct
> the user's mistake? I've noticed the DMARC munging module and it would
> perhaps be a good idea to use (something like that) instead.
>
> Reformulating the problem for outbound authenticated users: we have a user
> that sends a mail using an envelope from address of noreply at domain.com but
> specifies a header from address of someone at gmail.com (spoofing!). This
> happened with a client that has a contact form that sets the header from
> address to the e-mail address specified in the form, so that the client
> receives mails as if they came from the person filling out the form (bad
> configuration). ...

The 'From' field is intended to identify the author of the message.

https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2

The RFC doesn't specify what mechanisms will be used by the author to
create the message, only that the author is given in the 'From' field.

The way I read it, if somebody uses a Website to create an email and
that site causes this person's email address to appear in the 'From'
field of the email which it then sends, that is correct behaviour and
not 'spoofing'.

Whether it's sensible behaviour is another question.  If they can,
malicious users *will* deliberately use Web forms to send mail which
appears to be from addresses which they are not entitled to use.  This
is usually handled by a challenge-response mechanism in the Website;
before it sends mail FROM the user, the Website first sends mail TO
the user, and expects a response.  Absent the expected response, no
other mail is sent.  In this way malicious parties can't use random
email addresses for which they can't receive mail.

This may be a case for use of the 'Sender' field, where the Website is
in effect acting as the author's agent or secretary, and needs to have
its own mailbox - for example that of the Website's owner.

I understand that SPF/DKIM/DMARC are layered on top of all this, but
there's no point building on top of dodgy foundations.

-- 

73,
Ged.
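The distinction Ged draws above, between the 'From' field naming the author and a 'Sender' field naming the agent that actually submits the message, can be expressed as a small check on the submission side. The following is an added example and is not code from the list post or from Rspamd: it builds a message the way the contact form in the thread does, then classifies it as aligned (header From domain matches the envelope From or a domain the submitter is entitled to), on-behalf-of (From is a third party but a Sender header in an entitled domain declares the agent), or misaligned (neither holds). The mailboxes reuse the thread's example addresses, the `To` address and the set of entitled domains are constructed placeholders, and the verdict names are this example's own.

```python
"""Header-From / envelope-From alignment check with the RFC 5322 'Sender'
pattern.  Added example; not from the list post or from Rspamd."""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional, Dict, Set


def domain_of(addr: str) -> str:
    """Lower-cased domain part of 'Name <user@host>' or 'user@host'; '' if absent."""
    _, spec = parseaddr(addr or "")
    if "@" not in spec:
        return ""
    return spec.rsplit("@", 1)[1].lower()


def build_message(author: str, agent_mailbox: Optional[str] = None) -> EmailMessage:
    """Construct the kind of message the thread's contact form sends.

    author         -> goes into 'From' (the person who filled in the form)
    agent_mailbox  -> if given, goes into 'Sender' (the web site's own mailbox),
                      the arrangement suggested in the post.
    """
    msg = EmailMessage()
    msg["From"] = author
    if agent_mailbox:
        msg["Sender"] = agent_mailbox
    msg["To"] = "client@domain.com"          # constructed placeholder recipient
    msg["Subject"] = "Contact form submission"
    msg.set_content("Body of the web form message (constructed sample).")
    return msg


def check_submission(envelope_from: str, msg: EmailMessage,
                     entitled_domains: Set[str]) -> Dict[str, str]:
    """Classify an outbound submission from an authenticated user.

    entitled_domains: domains this user or site may legitimately use in the
    header 'From' (a constructed local policy, not an Rspamd setting).  The
    envelope From domain is always treated as entitled.
    """
    env_dom = domain_of(envelope_from)
    from_dom = domain_of(msg.get("From", ""))
    sender_dom = domain_of(msg.get("Sender", ""))
    allowed = {d.lower() for d in entitled_domains}
    if env_dom:
        allowed.add(env_dom)

    if from_dom and from_dom in allowed:
        return {"verdict": "aligned", "action": "accept"}
    if sender_dom and sender_dom in allowed:
        # Author is a third party, but the site declares itself as the
        # submitting agent via 'Sender' (RFC 5322 section 3.6.2).
        return {"verdict": "on-behalf-of", "action": "accept"}
    # Third-party 'From' with no agent mailbox declared: the case the
    # thread is about.  A submission filter could add 'Sender' or reject.
    return {"verdict": "misaligned", "action": "add-sender-or-reject"}


def demo() -> Dict[str, str]:
    """Run the three scenarios from the thread and return their verdicts."""
    envelope = "noreply@domain.com"
    entitled: Set[str] = set()   # the authenticated user owns no extra domains
    return {
        "form_without_sender":
            check_submission(envelope, build_message("someone@gmail.com"), entitled)["verdict"],
        "form_with_sender":
            check_submission(envelope, build_message("someone@gmail.com", envelope), entitled)["verdict"],
        "from_matches_envelope":
            check_submission(envelope, build_message("Web Site <noreply@domain.com>"), entitled)["verdict"],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The check deliberately treats only the `Sender` header as the signal that the site is acting as the author's agent; whether a given installation should then accept, rewrite, or reject the message is the local policy question the thread leaves open.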