Murray S. Kucherawy wrote:
> 8.15. Attacks Involving Extra Header Fields
> ...
> Many email components, including MTAs, MSAs, MUAs and filtering
> modules, implement message format checks only loosely. This is done
> out of years of industry pressure to be liberal in what is accepted
> into the mail stream for the sake of reducing support costs;
> improperly formed messages are often silently fixed in transit,
> delivered unrepaired, or displayed inappropriately (e.g., by showing
> only one of multiple From: fields).

My only nit about this statement is that it's simpler than being
under pressure, liberal or to reduce cost - in the annals of electronic
mail, across all networks, only ONE FROM is expected. Therefore, I
have my doubts any mail software was ever designed to hold a "list" or
a collection of more than one From: header simply because it was
never expected - by design.

Now, whether software checks for message validity, why it did so and
how widespread this checking is, probably has more to do with
how robust the software is in watching for illegal RFC 822/2822/5322
messages.

The irony here is that the original issue posting was due to software
that allowed illegal submission of a DKIM signed message but when it
wasn't signed, the software kicked out the illegal messages.

So it's more about how the current edge software deals with it. It's how
they integrate it with DKIM, and they need to dot all the i's and cross
all the t's in their integration. If they have software control of
their DKIM stuff, it's probably a good idea to make sure the Verifier
and Signer have a One From DKIM Rule concept, as cited in my previous
post, and the specs should make that very clear.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
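
One way to implement the "One From" check discussed in the message above, as an added example that is not part of the original post or of any DKIM implementation: it counts header fields before a signer or verifier runs and refuses a message that does not carry exactly one From: field. Covering the other fields that RFC 5322 section 3.6 limits to one occurrence goes beyond what the post asks for; the function names and the sample messages are assumptions made for illustration.

```python
import re
from collections import Counter

# RFC 5322 section 3.6: each of these fields may appear at most once.
SINGLETON_FIELDS = {"from", "date", "sender", "reply-to", "to", "cc", "bcc",
                    "message-id", "in-reply-to", "references", "subject"}
REQUIRED_FIELDS = {"from", "date"}  # these must appear exactly once


def header_field_names(raw: bytes) -> list:
    """Return the lower-cased field names of the header block, in order."""
    names = []
    for line in re.split(rb"\r?\n", raw):
        if not line:
            break  # the first empty line ends the header block
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation line, part of the previous field
        name, colon, _ = line.partition(b":")
        if not colon:
            raise ValueError("header line without a colon")
        # Obsolete syntax permits whitespace before the colon ("From :").
        names.append(name.strip().decode("ascii", "replace").lower())
    return names


def singleton_violations(raw: bytes) -> dict:
    """Map field name -> occurrence count for each field that breaks the limits."""
    counts = Counter(header_field_names(raw))
    bad = {n: c for n, c in counts.items() if n in SINGLETON_FIELDS and c > 1}
    bad.update({n: 0 for n in REQUIRED_FIELDS if counts[n] == 0})
    return bad


def ok_to_sign_or_verify(raw: bytes) -> bool:
    """Gate to call before a DKIM signer or verifier processes the message."""
    return not singleton_violations(raw)


# Constructed sample messages (hypothetical, not taken from the thread).
SAMPLE_OK = (b"From: Alice <alice@example.com>\r\n"
             b"Date: Mon, 1 Jan 2024 00:00:00 +0000\r\n"
             b"Subject: folded subject\r\n"
             b" From: continuation text, not a second field\r\n"
             b"\r\nFrom: this line is body text\r\n")
SAMPLE_TWO_FROM = (b"From: Alice <alice@example.com>\r\n"
                   b"FROM : Someone Else <other@example.net>\r\n"
                   b"Date: Mon, 1 Jan 2024 00:00:00 +0000\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, msg in (("ok", SAMPLE_OK), ("two-from", SAMPLE_TWO_FROM)):
        print(label, ok_to_sign_or_verify(msg), singleton_violations(msg))
```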