Tricksy From Field

As you might see in the above screenshot there are two emails in the Sent folder despite them being addressed to and received by account holder.

We double checked the email headers to see if what we saw in the displayed From/To fields was correct, and as you can see in the screenshots the “From” field has a weird structure:

From: Mary, mindy@________.com (2) <info@nrccvictory.com>

Date: Tue, Nov 13, 2018 at 2:36 PM

Subject: Urgent: Confirm your vote

To: mindy ________ <mindy@________.com>

So it appears that by structuring the From field to contain the recipient’s address along with other text the GMail app reads the From field for filtering/inbox organization purposes and sorts the email as though it were sent from mindy@________.com despite it clearly also having the originating mailbox as info@nrccvictory.com .

Wide Open For Abuse

Admittedly, RFC 2822 3.6.2 prohibits this. In fact, trying to create the email manually without quotes around the “name” in the "name" <email> structure of the from format does properly error out when trying to send to GMail.

In this particular case it could be anything from a poorly written form-fill application to a malicious phishing campaign.

But the confusion being injected into the average user experience is an open door for malicious actors.

Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links.

A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!

Don’t get me wrong, the user should still verify the details at the top of the email and might catch on that something is odd —but we know it only takes a small percentage of due-diligence failure to have a big environment effect.

Googling around for a bit didn’t turn up any obvious hits on other users’ reporting this issue, so just to be safe I’ve reported it.

Test Cases

To make the demonstration easier I enabled headers in mutt on one of my Linux boxes with sendmail, and sent some test cases:

Check #1: the From field contained root, tim@cotten.io <root@senderdomainhere.com>

Check #2: the From field contained "root, tim@cotten.io" <root@senderdomainhere.com>

Here’s how they showed up in Gmail: