[Mimedefang] More than one From address
kd6lvw at yahoo.com
Tue Aug 23 16:12:07 EDT 2011
--- On Tue, 8/23/11, Todd Aiken <todd.aiken at ubishops.ca> wrote:
> In the past 24 hours, I've received a ton of spam at our site. The spam
> seems to be coming from the same source, in that I see the spammer using
> our domain name as a from address, but they are also using multiple From
> addresses in the same message! I believe that this is non-standard, but
> it's giving our Exchange server a ton of trouble. Our Linux gateways are
> correctly classifying the mail as spam, but the transport rules on our
> Exchange server that filter based on the X-Spam-Level header are not
> triggering because of the multiple From addresses, and the spam ends up in
> everyone's Inbox. Is there any easy way I can add something into my
> MIMEDefang's configuration to detect and reject messages that come in with
> more than one From address?
Not so fast. The "From:" header may have more than one address. However, "Sender:" may not. It doesn't happen often, but it is permitted - RFC 5322, Section 3.6.2:

    3.6.2. Originator Fields

    The originator fields of a message consist of the from field, the
    sender field (when applicable), and optionally the reply-to field.
    The from field consists of the field name "From" and a comma-
    separated list of one OR MORE mailbox specifications. If the from
    field contains more than one mailbox specification in the mailbox-
    list, then the sender field, containing the field name "Sender" and a
    single mailbox specification, MUST appear in the message. In either
    case, an optional reply-to field MAY also be included, which contains
    the field name "Reply-To" and a comma-separated list of one or more
    addresses.

    from     = "From:" mailbox-list CRLF
    sender   = "Sender:" mailbox CRLF
    reply-to = "Reply-To:" address-list CRLF

... [Capitalization added above to "OR MORE" for emphasis.]
Therefore, if you have multiple from addresses but no sender field, then the message may be rejected for violating the ABNF required syntax. The same would apply to the "Resent-*" set of headers as well.
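
Added example, not part of the original post and not MIMEDefang's own code: a Perl check for the rule quoted above (several From mailboxes require a Sender), which also flags repeated From: or Sender: header fields, since RFC 5322 section 3.6 allows each at most once. The function name and sample headers are constructed for illustration; Mail::Address comes from MailTools.

```perl
use strict;
use warnings;
use Mail::Address;    # part of MailTools

# Return a reason string when the originator fields break RFC 5322
# section 3.6 / 3.6.2, or nothing when they are acceptable.
sub originator_violation {
    my ($raw) = @_;
    $raw =~ s/\r?\n\r?\n.*//s;       # keep only the header block
    $raw =~ s/\r?\n[ \t]+/ /g;       # unfold continuation lines
    my %field;
    for my $line (split /\r?\n/, $raw) {
        my ($name, $body) = $line =~ /^([^:\s]+)[ \t]*:(.*)$/ or next;
        push @{ $field{lc $name} }, $body;
    }
    my @from   = @{ $field{from}   || [] };
    my @sender = @{ $field{sender} || [] };

    return 'no From: header field'              if @from == 0;
    return 'more than one From: header field'   if @from > 1;
    return 'more than one Sender: header field' if @sender > 1;

    # Mail::Address handles quoted display names, so the comma in
    # "Doe, John" <jd@example.org> is not counted as a second mailbox.
    my @mailboxes = Mail::Address->parse($from[0]);
    my @sender_mb = @sender ? Mail::Address->parse($sender[0]) : ();
    return 'From: has no parsable mailbox' if !@mailboxes;
    return 'From: lists ' . @mailboxes . ' mailboxes but there is no Sender:'
        if @mailboxes > 1 && !@sender;
    return 'Sender: must hold exactly one mailbox' if @sender && @sender_mb != 1;
    return;
}

# Constructed sample headers, not taken from real traffic.
my @samples = (
    ['two mailboxes, no Sender',  "From: a\@example.org, b\@example.org\nSubject: x\n\nbody\n"],
    ['two mailboxes with Sender', "From: a\@example.org, b\@example.org\nSender: a\@example.org\n\n"],
    ['quoted comma, one mailbox', "From: \"Doe, John\" <jd\@example.org>\n\n"],
    ['duplicate From fields',     "From: a\@example.org\nFrom: b\@example.org\n\n"],
);
for my $s (@samples) {
    printf "%-27s %s\n", $s->[0], originator_violation($s->[1]) // 'ok';
}
# Assumption: in a mimedefang-filter, filter_end could run this over the
# contents of ./HEADERS and pass a non-empty reason to action_bounce().
```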