[Mimedefang] Double From: lines in email

Damrose, Mark mdamrose at elgin.edu
Tue Feb 21 16:51:30 EST 2006

> -----Original Message-----
> From: Jan Pieter Cornet

> On Tue, Feb 21, 2006 at 09:35:46AM -0600, Richard Laager wrote:
> > This makes me thing... Are double From: headers a good indicator of 
> > spam?

> I'd guess it is. 

I agree.  The only question is - does it occur often enough to warrant
a check for it?

> Duplicate From: headers are illegal, 
> according to rfc 2822 (section 3.6.1). However, you can have 
> multiple addresses in one From: header.

You can only have multiple addresses in From:, if there is an
accompanying Sender: header to indicate which one actually
sent it.  I've never seen a legitimate use for it though.

> A quick check finds 3 examples of this in my recent spam, and 
> zero in ham, but that's a real quick and limited check over 
> like 1500 messages.

A quick check of the quarantine folders here finds 1 double from, 
and 2 with no from line at all.  All three of them look like they 
were generated by overloading a vulnerable web script.

More information about the MIMEDefang mailing list