[opendmarc-users] Unable to parse From header field

Urban Loesch bind at enas.net
Wed May 20 05:42:57 PDT 2015


Hi,

I'm running opendmarc 1.3.1+dfsg-1.
Today a customer got some phishing mail regarding "dhl.com".

I found the following error in opendmarc log:
...
May 19 10:05:28 mil1 opendkim[5429]: 3lrVBc5GtLz11LwX: mail.isp55.de [213.139.150.150] not internal
May 19 10:05:28 mil1 opendkim[5429]: 3lrVBc5GtLz11LwX: not authenticated
May 19 10:05:28 mil1 opendmarc[519]: 3lrVBc5GtLz11LwX: unable to parse From header field
...

After some searching I found out that opendmarc does not recognize some combinations in the "From:" field.

For example:

...
From: "paket at dhl.com" <hkmlease>
...
or
...
From: ''paket at dhl.com'' <hkmlease>
(strange Windows-like double quote signs)
...

passes the filter without getting blocked.

I'm still waiting for the original mail from my customer for further analysis.

This behaviour makes it easy to create some crappily formatted mail to bypass opendmarc.
I have no idea if this is a bug or not. What do you think about it?

Best
Urban Loesch
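
An added illustration, not part of the original post and not OpenDMARC code: a fail-closed From check in Python that rejects a message when no domain can be extracted from the From field instead of letting it through, and flags a display name carrying an address from a different domain. The function names, verdict strings, the example.net address, and the reading of the archive's " at " as "@" are assumptions.

```python
import re

# "display name <addr>": the last <...> group is the address part.
ANGLE = re.compile(r'^(?P<name>.*)<(?P<addr>[^<>]*)>\s*$', re.S)
# Deliberately strict addr-spec: local@domain, domain has at least one dot.
ADDR = re.compile(r'^[^@\s<>"]+@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$')
# Address-like token hidden inside a display name.
LOOKALIKE = re.compile(r'[^\s"\'<>@]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)')


def split_from(value):
    """Return (display_name, address) for a single-mailbox From value."""
    value = value.strip()
    m = ANGLE.match(value)
    return (m.group("name"), m.group("addr").strip()) if m else ("", value)


def from_domain(value):
    """Lower-cased From domain, or None when no single valid address is present."""
    m = ADDR.match(split_from(value)[1])
    return m.group("domain").lower() if m else None


def evaluate(value):
    """Fail closed: an unparsable From is a rejection, never a silent pass."""
    domain = from_domain(value)
    if domain is None:
        return ("reject", "no parsable From domain")
    name = split_from(value)[0]
    for claimed in LOOKALIKE.findall(name):
        if claimed.lower() != domain:
            return ("flag", f"display name claims {claimed.lower()}, address is {domain}")
    return ("dmarc", domain)  # hand this domain to the normal DMARC evaluation


# Constructed sample headers modelled on the two shown in the post.
SAMPLES = [
    '"paket@dhl.com" <hkmlease>',
    "''paket@dhl.com'' <hkmlease>",
    '"paket@dhl.com" <hkmlease@example.net>',
    'DHL Paket <paket@dhl.com>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {evaluate(s)}")
```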

