[Mimedefang] Double From: lines in email
Damrose, Mark
mdamrose at elgin.edu
Tue Feb 21 16:51:30 EST 2006
> -----Original Message-----
> From: Jan Pieter Cornet
> On Tue, Feb 21, 2006 at 09:35:46AM -0600, Richard Laager wrote:
> > This makes me thing... Are double From: headers a good indicator of
> > spam?
> I'd guess it is.
I agree. The only question is - does it occur often enough to warrant
a check for it?
> Duplicate From: headers are illegal,
> according to rfc 2822 (section 3.6.1). However, you can have
> multiple addresses in one From: header.
You can only have multiple addresses in From:, if there is an
accompanying Sender: header to indicate which one actually
sent it. I've never seen a legitimate use for it though.
> A quick check finds 3 examples of this in my recent spam, and
> zero in ham, but that's a real quick and limited check over
> like 1500 messages.
A quick check of the quarantine folders here finds 1 double from,
and 2 with no from line at all. All three of them look like they
were generated by overloading a vulnerable web script.
More information about the MIMEDefang
mailing list