Re: [exim] RFC 5532 enforcement

Author: Todd Lyons
Date:  
To: Todd Lyons, exim-users
Subject: Re: [exim] RFC 5532 enforcement
On Wed, Oct 13, 2010 at 4:48 PM, Phil Pennock <exim-users@???> wrote:
> On 2010-10-13 at 08:13 -0700, Todd Lyons wrote:
>> In the IETF-DKIM mailing list, it came to light that an attacker could
>> send a properly signed email with the attacker's domain, but prepend a
>> second From: header that says it's from someone@???, and MUA's
>> will show the second From.  It doesn't screw up the signature because
>> the original From: is what is used to verify the signature.  At issue
>> is that RFC 5532 requires that an email have only one From: header.
> Thanks.
> http://bugs.exim.org/show_bug.cgi?id=1030 filed, you shouldn't have had
> to do this.
Thanks Phil. As pointed out in the bug, I fat fingered the RFC id,
it's actually RFC 5322 (I'm correcting it for mailing list archive
purposes). I'll spend some time ruminating on the request for use
cases in the bug description and add my 2 cents there when I feel I
have something worthwhile.

--
Regards...      Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurelius
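The duplicate-From: problem quoted above is a header-count check, which is the kind of enforcement the bug asks Exim for. The following is an added illustration, not Exim code and not from this thread: a small Python checker that unfolds the header block of a raw message, counts the fields RFC 5322 section 3.6 limits to one occurrence, and reports violations; it also lists every From: value in wire order, since the first one is what an MUA typically shows while the last (bottom-most) instance is the one a DKIM verifier covers per RFC 6376 section 5.4.2. The sample messages are constructed here, and the DKIM-Signature value in the forged sample is a placeholder, not a real signature.

```python
import re
from collections import Counter

# RFC 5322 section 3.6 limits: these fields may appear at most once per
# message; From: and Date: must appear exactly once.
MAX_ONE = frozenset({"from", "date", "sender", "reply-to", "to", "cc", "bcc",
                     "message-id", "in-reply-to", "references", "subject"})
EXACTLY_ONE = frozenset({"from", "date"})


def parse_header_block(raw: str) -> list[tuple[str, str]]:
    """Return the header section of a raw RFC 5322 message as (name, value)
    pairs in wire order, with folded lines joined (RFC 5322 section 2.2.3).
    Field names are lower-cased because they are case-insensitive."""
    text = raw.replace("\r\n", "\n")
    header_text = text.split("\n\n", 1)[0]              # header ends at the first blank line
    unfolded = re.sub(r"\n(?=[ \t])", "", header_text)  # line break before WSP is folding
    fields = []
    for line in unfolded.split("\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or any(c.isspace() for c in name):
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.lower(), value.strip()))
    return fields


def header_count_violations(raw: str) -> list[str]:
    """List RFC 5322 section 3.6 count violations; an empty list means the
    header block is compliant with respect to field counts."""
    counts = Counter(name for name, _ in parse_header_block(raw))
    violations = []
    for name in sorted(MAX_ONE):
        n = counts.get(name, 0)
        if n > 1:
            violations.append(f"{name}: {n} occurrences (max 1)")
        elif n == 0 and name in EXACTLY_ONE:
            violations.append(f"{name}: missing (exactly 1 required)")
    return violations


def from_values(raw: str) -> list[str]:
    """All From: values in wire order. An MUA commonly displays the first one,
    while a DKIM verifier uses the last (bottom-most) instance of a signed
    field name (RFC 6376 section 5.4.2); more than one entry here is the
    symptom the thread describes."""
    return [value for name, value in parse_header_block(raw) if name == "from"]


# Constructed sample: the signer's own From: sits below the signature and a
# second From: has been prepended above it. Signature values are placeholders.
FORGED = (
    "From: Someone Trusted <someone@bank.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=sel;"
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: attacker@attacker.example\n"
    "To: victim@victim.example\n"
    "Subject: constructed\n"
    " test message\n"
    "Date: Wed, 13 Oct 2010 08:13:00 -0700\n"
    "Message-ID: <constructed-1@attacker.example>\n"
    "\n"
    "body\n"
)

# Constructed sample that satisfies the section 3.6 count limits.
CLEAN = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: hello\n"
    "Date: Wed, 13 Oct 2010 08:13:00 -0700\n"
    "Message-ID: <constructed-2@example.org>\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(header_count_violations(FORGED))  # ['from: 2 occurrences (max 1)']
    print(from_values(FORGED))
    print(header_count_violations(CLEAN))   # []
```

A gateway that rejects or quarantines on a non-empty result from header_count_violations() removes the ambiguity entirely, because a message with two From: fields is malformed under RFC 5322 regardless of which one the signature covers.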