form impersonation re ID: 2920762 about dada-mail HOT 6 CLOSED

So,

"Microsoft Team" [email protected]">[email protected]

is the spoofing address ?

Is that exactly how it is in the source? It looks strange (may be strange). I think to post code, you just have to wrap the stuff in pre tags, or indent out.

http://github.github.com/github-flavored-markdown/

from dada-mail.

justin, here is the whole message that is in the archive, I am not sure I understand the top portion, but then I see the from [email protected] posting to [email protected] which should not be allowed, right?

Date: Wed, 17 Feb 2010 17:45:27 -0800
From: [email protected]
To: [email protected]
Reply-To: [email protected]
X-Priority: 3
List: eenetwork
List-Archive: 
List-ID: 
List-Owner: 
List-Post: 
List-Subscribe: 
List-Unsubscribe: 
List-URL: 
X-BeenThere: [email protected]
Message-ID: <[email protected]>
Precedence: auto_reply
X-Mailer: Pro Dada 4.0.2 
Subject: [] Your email requires verification
 verify#jrVQmg7vu5rfj1C3qY4RcPEquFVKyat5


(If you wish to reply to the entire list change  the "From" to [email protected])

The message you sent requires that you verify that this is a real (non-spam). To complete this verification, simply reply to this message and leave the subject line intact.

NOTE: You ONLY have to do this once. All future emails will then be accepted.

The headers of the message sent from your address are shown below:

From [email protected] Wed Feb 17 17:45:27 2010
Received: from 201.94.162.134 (port=1357 helo=OAWEPGWF)
 by vps2033.inmotionhosting.com with esmtp (Exim 4.68)
 (envelope-from )
 id 1NhvRU-000696-Uc; Wed, 17 Feb 2010 17:45:27 -0800
Received: from 201.94.162.134 by ns.ccu.cz; Wed, 17 Feb 2010 22:44:12 -0300
Message-ID: <000d01cab03b$def90060$6400a8c0@annotatingk78>
From: "Microsoft Team" 
To: 
Subject: Conflicker.B Infection Alert
Date: Wed, 17 Feb 2010 22:44:12 -0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01CAB03B.DEF90060"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Status: No, score=1.0
X-Spam-Score: 10
X-Spam-Bar: +
X-Spam-Flag: NO

from dada-mail.

No, you're right: there's two things that shouldn't already be allowed: The List Address in the To: part, as well as two From: addresses.

I had to remove that, Received: line (maybe that's what's screwing things up? Weird...), but if I do and run the same tests that are in Dada Bridge, it does flag it:

    #!/usr/bin/perl -w 
    use strict; 


    use Email::Address; 
    use MIME::Parser; 
    use MIME::Entity; 

    my $Plugin_Config = 
    {
        Check_Multiple_From_Addresses => 1, 
    };
    my $errors = {}; 
    my $verbose = 1; 



    my $msg = 'From [email protected] Wed Feb 17 17:45:27 2010
    Message-ID: 000d01cab03b$def90060$6400a8c0@annotatingk78
    From: "Microsoft Team" [email protected]">[email protected]
    To: [email protected]">[email protected]
    Subject: Conflicker.B Infection Alert
    Date: Wed, 17 Feb 2010 22:44:12 -0300
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01CAB03B.DEF90060" X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    X-Spam-Status: No, score=1.0
    X-Spam-Score: 10
    X-Spam-Bar: +
    X-Spam-Flag: NO

    Body. Boy Howdy!
    ';


    my $parser = MIME::Parser->new(); 
    my $entity = $parser->parse_data($msg); 

    #print $entity->as_string;



    # These checks make sure that multiple From: headers and addresses don't exist
    if ( $Plugin_Config->{Check_Multiple_From_Addresses} == 1 ) {
         eval {
            if ( $entity->head->count('From') > 1 ) {
                print "\t\tMessage has more than one 'From' header? Unsupported email message - will reject!\n"
                    if $verbose;
                $errors->{multiple_from_addresses} = 1;
            }
            else { 
                my @count = Email::Address->parse($entity->head->get( 'From', 0)); 
                if(scalar(@count) > 1){ 
                    print "\t\tMessage has more than one 'From' header? Unsupported email message - will reject!\n"
                        if $verbose;
                    $errors->{multiple_from_addresses} = 1;
                }
            }
        };
        if($@){ 
            print "\t\tError with multiple from address check! Marking as a problem! - $@"
                if $verbose; 
            $errors->{multiple_from_addresses} = 1;

        }
    }

    print q{ $entity->head->get( 'From', 0) } . $entity->head->get( 'From', 0) . "\n"; 

    print q{$entity->head->count('From') } . $entity->head->count('From') . "\n"; 

    my @count = Email::Address->parse($entity->head->get( 'From', 0));
    print q{ scalar(@count) }. scalar(@count); 

    print 'ERRORS: ' . "\n"; 
    if(keys %$errors){ 

        foreach(keys %$errors){ 
            print $_ . ' => ' . $errors->{$_} . "\n"; 
        }
    }
    else { 
        print "... none found.\n"; 
    }

Make sure you're using the Dada Bridge from 4.0.2? If so, lemme know and we can figure some more stuff out.

Do you have any sort of SpamAssassin support on your server? This is something that would have been easily been caught by that (and could be worked with Dada Bridge, if it didn't automatically get caught)

from dada-mail.

Sorry, that script would print:

Message has more than one 'From' header? Unsupported email message - will reject!
 $entity->head->get( 'From', 0) "Microsoft Team" [email protected]">[email protected]

$entity->head->count('From') 1
 scalar(@count) 2ERRORS: 
multiple_from_addresses => 1

from dada-mail.

I am running 4.02 and yes I do have Spam Assassin turned on.

from dada-mail.

I'm closing this as it's a bit overdue, not sure if the current version still has the reported problem (if it did, please open a new bug)

from dada-mail.