Malformed From Address being accepted for inbound AND now outbound!

Discussion forum for Enterprise Edition.
PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Malformed From Address being accepted for inbound AND now outbound!

Post by PeteBatin »

Hi,

We had a pending Windows restart from updates on our machine and as a result ClamAV stopped working (this may also have been to do with the MailEnable update we did recently), and we started noticing that we were receiving emails with viruses/trojans (unsurprising). However, what it did highlight is that MailEnable was accepting and delivering mail with what I would think is an invalid/malformed From header.

Date: Tue, 02 Oct 2018 01:18:41 -0300
From: XYZ Ltd <cleaning_xyz@hotmail.com> <Pjara@itecsa.cl>
To: xyz@xyz.co.uk
Message-ID: <6858522983867018459.126097AC81965D43@xyz.co.uk>
Subject: [virus VBA/TrojanDownloader.Agent.KUI trojan] Invoice-Detail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_10325_87610016.724245881115290630"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

This, when displayed in a client (Thunderbird in this case), presented itself as: XYZ Ltd <"cleaning_xyz@hotmail.comPjara"@itecsa.cl>

Giving the illusion that it's a familiar email address.

I'm not an RFC junkie, so I'm not familiar with the particular rules for From:, but I always thought only one was permitted?

Any ideas how to prevent/reject these emails? At the moment only ClamAV is holding these emails back, and it would be more efficient to reject based on the malformed header than after a scan, which is a waste of resources. Local or resolvable DNS lookup is already active and this passed that test.
Last edited by PeteBatin on Wed Nov 14, 2018 9:25 am, edited 1 time in total.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Malformed From Address being accepted

Post by MailEnable-Ian »

Hi,

Technically a "From" address can have multiple addresses; however, they need to be separated by a comma. Therefore the "From" in your example is malformed. The issue, though, is that it looks like the IMAP service is not formatting the From address correctly when synced to the Thunderbird client because of the missing comma. We have added this to our issue register to be further reviewed by our developers.
Regards,

Ian Margarone
MailEnable Support

PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Re: Malformed From Address being accepted

Post by PeteBatin »

Hi Ian,

Thanks for your response and the information.

Do you have any ideas how these emails can be blocked/rejected at a server level? Even if it is technically possible to have more than one From, it's still the first time I've seen this in all the years I've been in the industry, and they have all contained viruses/trojans which are getting past ClamAV, which is kept up to date.

PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Re: Malformed From Address being accepted

Post by PeteBatin »

Hi again Ian,

It seems as though this might be becoming the spammers' weapon of choice; someone else has just posted the same problem.

https://www.mailenable.com/forum/viewto ... =7&t=42616

PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Re: Malformed From Address being accepted

Post by PeteBatin »

This is still ongoing.

We've also noticed this can happen in a reversed scenario where a mailbox has been compromised within MailEnable and emails are sent with two From addresses, again without a comma separating them.

I need to be able to prevent the sending and receipt of these types of mail; any ideas? In all my years I've never received an email with more than one From address and highly doubt my clients will have either. Those that I have received recently have all been spam/scams, so I'm happy to block these in their entirety. How can I achieve this inbound and outbound?

PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Re: Malformed From Address being accepted for inbound AND now outbound!

Post by PeteBatin »

Has there been any progress with this or does anyone have any ideas what I could enter manually as a filter?

It's become embarrassing now, as I've just received an email that uses one of our old domains as the From address, trying to get us to pay a fictitious invoice, and it just happens to use the email address of a member of our staff that does invoicing! If our clients start receiving the same email this is going to cause huge problems, as some of our clients are likely to fall for this.

I really need some advice on this one, guys. Headers are below; our info has been substituted with ourserverdomain.co.uk and ourdomain.co.uk.

When the email arrives and displays in a mail client, the From address is displayed as the following: "Staff Member Name <ourstaffmember@ourolddomain.commartie"@divtransport.co.za>

Ian, I know you said technically two/multiple From addresses is valid, but it is malformed without the comma, and it is completely undesired behaviour that is only being used to exploit; I have never seen/experienced a genuine use of this. I'm going to submit this as a defect as well, as I know these forums are more community based, get busy and aren't always manned/looked at (hope that's ok).


Received: with MailEnable Postoffice Connector; Thu, 6 Dec 2018 09:40:33 +0000
Received-SPF: pass (ourserverdomain.co.uk: domain of divtransport.co.za designates 154.0.172.40 as permitted sender)
	client-ip=154.0.172.40
Received: from host5.axxesslocal.co.za ([154.0.172.40]) by ourserverdomain.co.uk with
 MailEnable ESMTP; Thu, 6 Dec 2018 09:40:27 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=divtransport.co.za; s=default; h=Content-Type:MIME-Version:Subject:
	Message-ID:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:
	Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
	Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
	List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
	 bh=mpAaF+QY9i/K12UmvXnpmsh7Yd2FplAA7Lygw/E8QUY=; b=CV+fjl8oekgWaD4+++Ly7mkcI
	czCSafh6MfAv1bNQBpm01Mzd8sUTPf/1PNcJqqJ+MlmVXP6oDX8eYaSTTYg0lSMz4O1GlcWmkQslG
	J8yVa8Wi1sAuoiJxJTTRh+jXrBhkJcH84JI7NnqyC2sTAP4CT22EKTTV17QKd0iGAae2+rf/59jP4
	hNU0RcFW1N9ci+vm5mAEIsqLuWw2sPlkqhivyhB8LVOj0+50xAe3JjgFdymdtnnxfZhLCRvgK36GA
	UWA5TaWOjGHhpNXxNHP0VC0fPMheuVRc97xvqK42vsHSDDu8NSYnSlE1yoo0z+ydzYzO6+5Ea6Kzg
	2j1ZLmLoA==;
Received: from [182.73.35.182] (port=56619 helo=10.8.48.44)
	by host5.axxesslocal.co.za with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.91)
	(envelope-from <martie@divtransport.co.za>)
	id 1gUq8k-0006nS-TG
	for myaddress@ourdomain.co.uk; Thu, 06 Dec 2018 11:40:16 +0200
Date: Thu, 06 Dec 2018 15:10:23 +0530
From: Our Staff Member <ourstaffmember@ourolddomain.com> <martie@divtransport.co.za>
To: myaddress@ourdomain.co.uk
Message-ID: <3210111488928919115.ED694A98A6B3A05E@ourdomain.co.uk>
Subject: Change the order of payment for your services
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_48559_2752839952.26223448514252476371"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host5.axxesslocal.co.za
X-AntiAbuse: Original Domain - ourdomain.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - divtransport.co.za
X-Get-Message-Sender-Via: host5.axxesslocal.co.za: authenticated_id: martie@divtransport.co.za
X-Authenticated-Sender: host5.axxesslocal.co.za: martie@divtransport.co.za
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Envelope-Sender: martie@divtransport.co.za
X-ME-Bayesian: 0.000000
Return-Path: <martie@divtransport.co.za>
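Added example, not MailEnable code and not posted by anyone in this thread: a Python filter that does what the thread asks for. RFC 5322 defines From: as a mailbox-list, i.e. mailbox *("," mailbox), where each mailbox is either a bare addr-spec or [display-name] "<" addr-spec ">". A value like "XYZ Ltd <cleaning_xyz@hotmail.com> <Pjara@itecsa.cl>" is therefore not a mailbox-list at all, whatever a lenient client renders. The check below rejects such values outright, optionally rejects any From: with more than one mailbox (the poster's stated policy), shows how Python's own RFC 5322 header parser records a defect yet still hands back the first, familiar-looking address, and finally compares the From: domains with the envelope sender in Return-Path. The grammar subset, the function names and the trimmed header sample (adapted from the substituted headers above, so not a real captured message) are all assumptions of this example.

```python
"""Strict From: header check for the "two angle-addrs, no comma" case.

Added example; not MailEnable code. The regex is a conservative subset of the
RFC 5322 grammar (no comments, no obsolete forms, no groups).
"""
import re
from email.headerregistry import HeaderRegistry
from email.parser import HeaderParser

_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATOM}(?:\.{_ATOM})*"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_ADDR_SPEC = rf"(?:{_DOT_ATOM}|{_QUOTED})@{_DOT_ATOM}"
_DISPLAY = rf'(?:{_QUOTED}|[^<>,:;"@\\]+?)'          # quoted-string or phrase
_MAILBOX = rf"(?:{_ADDR_SPEC}|(?:{_DISPLAY}\s*)?<{_ADDR_SPEC}>)"
MAILBOX_LIST_RE = re.compile(rf"^\s*{_MAILBOX}(?:\s*,\s*{_MAILBOX})*\s*$")
ANGLE_ADDR_RE = re.compile(rf"<({_ADDR_SPEC})>")


def from_verdict(raw_from: str, allow_multiple: bool = False) -> dict:
    """Classify one From: header value.

    allow_multiple=False implements the poster's policy: reject any From:
    carrying more than one mailbox, even a well-formed comma-separated one.
    """
    value = " ".join(raw_from.split())      # unfold; also squeezes quoted names
    angle_addrs = ANGLE_ADDR_RE.findall(value)
    well_formed = MAILBOX_LIST_RE.match(value) is not None
    mailboxes = len(re.findall(_MAILBOX, value)) if well_formed else len(angle_addrs)
    if not well_formed:
        reason = "From: is not an RFC 5322 mailbox-list"
    elif mailboxes > 1 and not allow_multiple:
        reason = "From: carries more than one mailbox"
    else:
        reason = ""
    return {"well_formed": well_formed, "mailboxes": mailboxes,
            "angle_addrs": angle_addrs, "reject": bool(reason), "reason": reason}


def stdlib_view(raw_from: str) -> dict:
    """How Python's RFC 5322 header parser sees the same value: it records a
    defect but still returns the first address, which is the 'familiar
    address' illusion the thread describes."""
    hdr = HeaderRegistry()("From", raw_from)
    return {"defects": [str(d) for d in hdr.defects],
            "addresses": [a.addr_spec for a in hdr.addresses]}


def scan_headers(raw_headers: str) -> dict:
    """Run from_verdict over a raw header block and add a crude alignment check
    between the From: domains and the envelope sender in Return-Path."""
    # compat32 (HeaderParser's default policy) returns the header text verbatim.
    # email.policy.default would re-serialise the *parsed* value and silently
    # drop the second angle-addr, hiding the very thing we want to catch.
    msg = HeaderParser().parsestr(raw_headers)
    verdict = from_verdict(msg.get("From", ""))
    rp = ANGLE_ADDR_RE.findall(msg.get("Return-Path", ""))
    env_domain = rp[0].rsplit("@", 1)[1].lower() if rp else ""
    from_domains = {a.rsplit("@", 1)[1].lower() for a in verdict["angle_addrs"]}
    verdict["envelope_domain"] = env_domain
    verdict["aligned"] = bool(from_domains) and from_domains == {env_domain}
    return verdict


# Constructed sample, trimmed from the headers quoted above (names already
# substituted by the poster); not a real captured message.
SAMPLE_HEADERS = """\
Received: from host5.axxesslocal.co.za ([154.0.172.40]) by ourserverdomain.co.uk with
 MailEnable ESMTP; Thu, 6 Dec 2018 09:40:27 +0000
Date: Thu, 06 Dec 2018 15:10:23 +0530
From: Our Staff Member <ourstaffmember@ourolddomain.com> <martie@divtransport.co.za>
To: myaddress@ourdomain.co.uk
Subject: Change the order of payment for your services
Return-Path: <martie@divtransport.co.za>
"""

if __name__ == "__main__":
    for v in ("XYZ Ltd <cleaning_xyz@hotmail.com> <Pjara@itecsa.cl>",
              "XYZ Ltd <cleaning_xyz@hotmail.com>",
              "A <a@example.org>, B <b@example.net>"):
        print(v, "->", from_verdict(v), stdlib_view(v))
    print(scan_headers(SAMPLE_HEADERS))
```

Two caveats a practitioner should keep in mind. The alignment check is deliberately crude: it only compares the From: domains with the Return-Path domain, which is what the December headers show going wrong (SPF and DKIM both pass for divtransport.co.za while the first angle-addr claims ourolddomain.com); a real deployment would use DMARC identifier alignment rather than this shortcut. And the strict grammar subset will reject some legal but rare obsolete syntax, which is acceptable for a From: reject rule but should be logged so that false positives can be reviewed.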
