{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/517845#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nEmail message header syntax can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC. These exploits enable attackers to deliver spoofed emails that appear to originate from trusted sources. Recent research has explored using the originator fields, such as `From:` and `Sender:`, to deliver spoofed emails that appear to come from trusted sources. Attackers can abuse these fields to impersonate an originator email address for nefarious purposes.\r\n\r\n### Description\r\nEmail is a primary medium for both personal and business communication. In recent years, mechanisms such as DKIM, SPF, and DMARC have been developed to verify the identity of email senders; however, end-to-end secure email remains an unsolved challenge. \r\n\r\nA previous disclosure, dubbed [SMTP Smuggling](https://kb.cert.org/vuls/id/302671), highlighted ways in which a sender's identity could be spoofed while abusing the SMTP protocol as defined in RFC 5321. Further research shows that email message headers, as defined in the Internet Message Format (RFC 5322, updated by RFC 6854), can also be used to spoof the identity of an email sender. \r\n\r\nIn a typical scenario, an email passes SPF, DKIM, and DMARC checks, and there is one sender with an envelope header `MAIL FROM` field that matches the mail header `From:` and optional `Sender:` fields. RFC 6854 defines how an email may be sent on behalf of a group, putting multiple email addresses in the mail header `From:` field.\r\n\r\nUsing specialized syntax, an attacker can insert multiple addresses in the mail header `From:` field. Many email clients will parse the `From:` field to only display the last email address, so a recipient will not know that the email is supposedly from multiple addresses. 
In this way, an attacker can pretend to be someone familiar to the user.\r\n\r\nMore specifically, user `attacker@example.com` could send an email with the `From:` field formatted as `<attacker@example.com>:<spoofed@example.com>`. The receiving server may display `spoofed@example.com` as the sender. Additionally, the sending server may add DKIM signatures and forward the email in a way that aligns with SPF policies, causing the receiving system to treat the message as trusted.  \r\n\r\nThese crafted email headers can take several forms, using combinations of quotation marks and angle-address notation (e.g., `<attacker@example.com>`), as discussed in Slonser's 2024 blog post: [https://blog.slonser.info/posts/email-attacks/](https://blog.slonser.info/posts/email-attacks/). Attackers can also use the null sender `<>`, or \"null reverse path,\" as specified in RFC 5321 Section 4.5, further complicating genuine sender authentication.\r\n\r\n### Impact\r\nAn attacker can craft email headers to impersonate other users, bypassing DMARC policies and sender verification enforced by a domain owner. Research has demonstrated that multiple email service providers are susceptible to this type of attack.\r\n\r\n### Solution\r\n#### Email Service Providers and Administrators\r\nEmail service providers should implement measures to ensure that authenticated outgoing email headers are properly verified before signing or relaying messages. Additionally, software built using the Mail Filter (milter) protocol, such as [Milterfrom version 1.0.4](https://github.com/magcks/milterfrom/pulls), includes recent updates to better verify authenticated senders for milter-compliant email servers.\r\n\r\n#### Email End Users\r\nBecause email sender verification remains challenging, users should exercise caution when responding to emails requesting sensitive information or clicking links that may download or install malicious software. 
Users that want to verify the originator of an email before clicking links or sharing sensitive information can check the original headers for the From: and Sender: fields by viewing the \"Original Message\" or \"Message Source,\" depending on the email client.\r\n\r\n### Acknowledgements\r\nThanks to Hao Wang and Caleb Sargent from PayPal for reporting these issues. This document was written by Vijay Sarvepalli and Renae Metcalf.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Actually, Fastmail is not susceptible to this spoofing, in practice.  We detect that there is an ambiguous From header and mark the message for quarantine.  In our testing, we found that sometimes other signals were sufficient to override the quarantine policy, so mail reached the inbox — but it was not a function of the ambiguous From header.  
We believe we can improve the handling of this case, though, and will look into doing so.","title":"Vendor statement from FastMail"},{"category":"other","text":"We plan to update this as we approach the new disclosure date with links to documents after we have implemented planned changes","title":"Vendor statement from Google"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/517845"},{"url":"https://kb.cert.org/vuls/id/244112","summary":"https://kb.cert.org/vuls/id/244112"},{"url":"https://kb.cert.org/vuls/id/302671","summary":"https://kb.cert.org/vuls/id/302671"},{"url":"https://datatracker.ietf.org/doc/html/rfc6854","summary":"https://datatracker.ietf.org/doc/html/rfc6854"},{"url":"https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/","summary":"https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/"},{"url":"https://blog.slonser.info/posts/email-attacks/","summary":"https://blog.slonser.info/posts/email-attacks/"},{"url":"https://learn.microsoft.com/en-us/archive/blogs/tzink/what-do-we-mean-when-we-refer-to-the-sender-of-an-email","summary":"https://learn.microsoft.com/en-us/archive/blogs/tzink/what-do-we-mean-when-we-refer-to-the-sender-of-an-email"}],"title":"Authenticated SMTP users may spoof other identities due to ambiguous “From” header interpretation","tracking":{"current_release_date":"2025-10-28T14:35:52+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#517845","initial_release_date":"2025-10-28 
14:35:52.717048+00:00","revision_history":[{"date":"2025-10-28T14:35:52+00:00","number":"1.20251028143552.1","summary":"Released on 2025-10-28T14:35:52+00:00"}],"status":"final","version":"1.20251028143552.1"}},"vulnerabilities":[{"title":"Ambiguities in mail headers (such as text format and implemented grammatical rules) can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC, enabling attackers to deliver spoofed emails that appear to originate from trusted sources.","notes":[{"category":"summary","text":"Ambiguities in mail headers (such as text format and implemented grammatical rules) can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC, enabling attackers to deliver spoofed emails that appear to originate from trusted sources."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#517845"}],"product_status":{"known_affected":["CSAFPID-c58e3a9a-3504-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-c58d5b8e-3504-11f1-8422-122e2785dc9f","CSAFPID-c58dca7e-3504-11f1-8422-122e2785dc9f","CSAFPID-c58e0b06-3504-11f1-8422-122e2785dc9f","CSAFPID-c58e7e9c-3504-11f1-8422-122e2785dc9f","CSAFPID-c58ec7a8-3504-11f1-8422-122e2785dc9f","CSAFPID-c58efc00-3504-11f1-8422-122e2785dc9f","CSAFPID-c58f326a-3504-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"FastMail","product":{"name":"FastMail Products","product_id":"CSAFPID-c58d5b8e-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-c58d9aa4-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Axigen","product":{"name":"Axigen Products","product_id":"CSAFPID-c58dca7e-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Postfix","product":{"name":"Postfix Products","product_id":"CSAFPID-c58e0b06-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft 
Products","product_id":"CSAFPID-c58e3a9a-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-c58e7e9c-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Siemens","product":{"name":"Siemens Products","product_id":"CSAFPID-c58ec7a8-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"IONOS","product":{"name":"IONOS Products","product_id":"CSAFPID-c58efc00-3504-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Bird","product":{"name":"Bird Products","product_id":"CSAFPID-c58f326a-3504-11f1-8422-122e2785dc9f"}}]}}