Hi,
Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:
A01 UID FETCH 24 (ENVELOPE)
- 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "20171206084846.0000478C.0596@example.com" "20171208004435.00006B4F.0014@example.com")) A01 OK Fetch completed (0.000 secs).
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
I did test also Reply-To header, then had same response as above.
----- Original Message -----
On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed?
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:
The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.
Can you paste the whole IMAP command response?
Thanks,
Jeff.
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp