Mailsploit problem in responce of BODYSTRUCTURE

newer
recover missing messages - files...

older
iPhone no longer authenticating

TACHIBANA Masashi

8 Dec 2017 8 Dec '17

11:47 a.m.

Hi,

I tried to see a mail that have a strange From header in bellow URL:

https://www.mailsploit.com/index

Then, I got BODYSTRUCTURE response contain next:

((NIL NIL "service" "paypal.com"))

Are this problem already founded by anyone? So already fixed?

-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp

Show replies by date

Aki Tuomi

8 Dec 8 Dec

12:02 p.m.

On 08.12.2017 11:47, TACHIBANA Masashi wrote:

...

Hi,

I tried to see a mail that have a strange From header in bellow URL:

https://www.mailsploit.com/index

Then, I got BODYSTRUCTURE response contain next:

((NIL NIL "service" "paypal.com"))

Are this problem already founded by anyone? So already fixed?

-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp

Can you maybe expand a bit why you consider this a problem?

Aki

Josef 'Jeff' Sipek

7:07 p.m.

On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:

...

Hi,

I tried to see a mail that have a strange From header in bellow URL:

https://www.mailsploit.com/index

Then, I got BODYSTRUCTURE response contain next:

((NIL NIL "service" "paypal.com"))

Are this problem already founded by anyone? So already fixed?

The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?

The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:

The fields of the envelope structure are in the following order:
date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and
message-id.

Can you paste the whole IMAP command response?

Thanks,

Jeff.

TACHIBANA Masashi

11 Dec 11 Dec

4:24 a.m.

New subject: Mailsploit problem in responce of ENVELOPE

Hi,

Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:

A01 UID FETCH 24 (ENVELOPE)

4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "20171206084846.0000478C.0596@example.com" "20171208004435.00006B4F.0014@example.com")) A01 OK Fetch completed (0.000 secs).

...

The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?

I did test also Reply-To header, then had same response as above.

----- Original Message -----

...

On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:

...
Hi,

I tried to see a mail that have a strange From header in bellow URL:

https://www.mailsploit.com/index

Then, I got BODYSTRUCTURE response contain next:

((NIL NIL "service" "paypal.com"))

Are this problem already founded by anyone? So already fixed?

The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?

The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:

The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.

Can you paste the whole IMAP command response?

Thanks,

Jeff.

-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp

TACHIBANA Masashi

5:12 a.m.

New subject: Mailsploit problem in responce of ENVELOPE

Hi,

Additionally, I just tried bellow:

From: service@paypal.comhttps://www.hushmail.com</a> style="display:none"\n\0@mailsploit.com Reply-To: service@paypal.com<iframe onload=alert(document.cookie) src=<a target="_blank" href="https://www.hushmail.com">https://www.hushmail.com</a> style="display:none"\n\0@mailsploit.com</p> <p>Thanks</p> <p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:</p> <p>A01 UID FETCH 24 (ENVELOPE)</p> <ul> <li>4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<a target="_blank" href="mailto:20171206084846.0000478C.0596@example.com">20171206084846.0000478C.0596@example.com</a>" "<a target="_blank" href="mailto:20171208004435.00006B4F.0014@example.com">20171208004435.00006B4F.0014@example.com</a>")) A01 OK Fetch completed (0.000 secs).</li> </ul> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?</p> </blockquote><p>I did test also Reply-To header, then had same response as above.</p> <p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>I tried to see a mail that have a strange From header in bellow URL:</p> <p><a target="_blank" href="https://www.mailsploit.com/index">https://www.mailsploit.com/index</a></p> <p>Then, I got BODYSTRUCTURE response contain next:</p> <p>((NIL NIL "service" "paypal.com"))</p> <p>Are this problem already founded by anyone? So already fixed?</p> </blockquote><p>The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?</p> <p>The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:</p> <p>The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.</p> <p>Can you paste the whole IMAP command response?</p> <p>Thanks,</p> <p>Jeff.</p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> <p>株式会社クオリティア <a target="_blank" href="http://www.qualitia.co.jp/">http://www.qualitia.co.jp/</a></p> </div> <div class="email-info"> <div class="likeform-wrapper right"> <div class="messagelink pull-right"> <button class="toggle-font btn btn-sm" title="Display in fixed font" data-bs-toggle="tooltip" data-placement="bottom"> <i class="fa fa-font"></i> </button> <a href="/mailman3/archives/list/dovecot@dovecot.org/message/BPBJHJAGVN2FR7AUFFX2TFM3WGQJPERO/" title="Permalink for this message" data-bs-toggle="tooltip" data-placement="bottom"><i class="fa fa-link"></i></a> </div> <form method="post" class="likeform" action="/mailman3/archives/list/dovecot@dovecot.org/message/BPBJHJAGVN2FR7AUFFX2TFM3WGQJPERO/vote"> <input type="hidden" name="csrfmiddlewaretoken" value="ZZhbPgP819gP7JTs40L6v9M3pYAzS7vSnpl4bSfRCXp4xEaRXAMUcsIKN6PqUltx"> <a class="youlike vote disabled" title="You must be logged-in to vote." href="#like" data-vote="1" aria-label="Like thread"> <i class="fa fa-thumbs-o-up"></i> 0 </a> <a class="youdislike vote disabled" title="You must be logged-in to vote." href="#dislike" data-vote="-1" aria-label="Dislike thread"> <i class="fa fa-thumbs-o-down"></i> 0 </a> </form> </div>  <a class="reply reply-mailto" title="Reply" href="#"> <i class="fa fa-reply"></i> Reply </a>   <div class="reply-form-unauthenticated"> <a class="btn btn-sm btn-primary" href="/mailman3/accounts/login/?next=/mailman3/archives/list/dovecot%40dovecot.org/thread/ZFVLDZBELA7XIKFSDHSSMOFWSWUTVI5R/#"> Sign in to reply online </a> <a class="btn btn-sm btn-secondary reply-mailto" href="mailto:dovecot@dovecot.org?Subject=Re%3A%20Mailsploit%20problem%20in%20responce%20of%20ENVELOPE&In-Reply-To=<20171211031225.000034EE.0877%40qualitia.co.jp>" >Use email software</a></li> </div> </div> </div>  </div> <div class="odd reply-level-3">  <div class="email"> <div id="76CLDYAPBYA2SEDMBZ32SBNNXFZ67LZE" class="email-header"> <div class="gravatar-wrapper d-flex"> <div class="gravatar circle"> </div> <div class="email-author d-flex"> <h2 class="name"> TACHIBANA Masashi </h2> </div> </div> <div class="email-date right"> <div class="time"> <span title="Sender's time: Dec. 11, 2017, 12:47 p.m.">5:47 a.m.</span> </div> </div> <div class="subject"> New subject: Mailsploit problem in responce of ENVELOPE </div> </div>  <div class="email-body "> <p>Hi,</p> <p>I'm sorry, I had been tested by miss From/Reply-To,</p> <p>If From/Reply-To addresses are bellow:</p> <p>From: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com Reply-To: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com</p> <p>ENVELOPE will come bellow:</p> <p>A01 UID FETCH 25 (ENVELOPE)</p> <ul> <li>5 FETCH (UID 25 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test3" ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<a target="_blank" href="mailto:20171206084846.0000478C.0596@example.com">20171206084846.0000478C.0596@example.com</a>" "<a target="_blank" href="mailto:20171208004435.00006B4F.0014@example.com">20171208004435.00006B4F.0014@example.com</a>")) A01 OK Fetch completed (0.000 secs).</li> </ul> <p>It seems correct response.</p> <p>Thank you.</p> <p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>Additionally, I just tried bellow:</p> <p>From: service@paypal.com<iframe onload=alert(document.cookie) src=<a target="_blank" href="https://www.hushmail.com">https://www.hushmail.com</a> style="display:none"\n\0@mailsploit.com Reply-To: service@paypal.com<iframe onload=alert(document.cookie) src=<a target="_blank" href="https://www.hushmail.com">https://www.hushmail.com</a> style="display:none"\n\0@mailsploit.com</p> <p>Thanks</p> <p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:</p> <p>A01 UID FETCH 24 (ENVELOPE)</p> <ul> <li>4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<a target="_blank" href="mailto:20171206084846.0000478C.0596@example.com">20171206084846.0000478C.0596@example.com</a>" "<a target="_blank" href="mailto:20171208004435.00006B4F.0014@example.com">20171208004435.00006B4F.0014@example.com</a>")) A01 OK Fetch completed (0.000 secs).</li> </ul> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?</p> </blockquote><p>I did test also Reply-To header, then had same response as above.</p> <p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>I tried to see a mail that have a strange From header in bellow URL:</p> <p><a target="_blank" href="https://www.mailsploit.com/index">https://www.mailsploit.com/index</a></p> <p>Then, I got BODYSTRUCTURE response contain next:</p> <p>((NIL NIL "service" "paypal.com"))</p> <p>Are this problem already founded by anyone? So already fixed?</p> </blockquote><p>The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?</p> <p>The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:</p> <p>The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.</p> <p>Can you paste the whole IMAP command response?</p> <p>Thanks,</p> <p>Jeff.</p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> <p>株式会社クオリティア <a target="_blank" href="http://www.qualitia.co.jp/">http://www.qualitia.co.jp/</a></p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> <p>株式会社クオリティア <a target="_blank" href="http://www.qualitia.co.jp/">http://www.qualitia.co.jp/</a></p> </div> <div class="email-info"> <div class="likeform-wrapper right"> <div class="messagelink pull-right"> <button class="toggle-font btn btn-sm" title="Display in fixed font" data-bs-toggle="tooltip" data-placement="bottom"> <i class="fa fa-font"></i> </button> <a href="/mailman3/archives/list/dovecot@dovecot.org/message/76CLDYAPBYA2SEDMBZ32SBNNXFZ67LZE/" title="Permalink for this message" data-bs-toggle="tooltip" data-placement="bottom"><i class="fa fa-link"></i></a> </div> <form method="post" class="likeform" action="/mailman3/archives/list/dovecot@dovecot.org/message/76CLDYAPBYA2SEDMBZ32SBNNXFZ67LZE/vote"> <input type="hidden" name="csrfmiddlewaretoken" value="ZZhbPgP819gP7JTs40L6v9M3pYAzS7vSnpl4bSfRCXp4xEaRXAMUcsIKN6PqUltx"> <a class="youlike vote disabled" title="You must be logged-in to vote." href="#like" data-vote="1" aria-label="Like thread"> <i class="fa fa-thumbs-o-up"></i> 0 </a> <a class="youdislike vote disabled" title="You must be logged-in to vote." href="#dislike" data-vote="-1" aria-label="Dislike thread"> <i class="fa fa-thumbs-o-down"></i> 0 </a> </form> </div>  <a class="reply reply-mailto" title="Reply" href="#"> <i class="fa fa-reply"></i> Reply </a>   <div class="reply-form-unauthenticated"> <a class="btn btn-sm btn-primary" href="/mailman3/accounts/login/?next=/mailman3/archives/list/dovecot%40dovecot.org/thread/ZFVLDZBELA7XIKFSDHSSMOFWSWUTVI5R/#"> Sign in to reply online </a> <a class="btn btn-sm btn-secondary reply-mailto" href="mailto:dovecot@dovecot.org?Subject=Re%3A%20Mailsploit%20problem%20in%20responce%20of%20ENVELOPE&In-Reply-To=<20171211034636.00003E46.0035%40qualitia.co.jp>" >Use email software</a></li> </div> </div> </div>  </div> <div class="even reply-level-4">  <div class="email"> <div id="D4UTQKSPSZQP36Q7SBEOV3WZFD6PP6DE" class="email-header"> <div class="gravatar-wrapper d-flex"> <div class="gravatar circle"> </div> <div class="email-author d-flex"> <h2 class="name"> <a href="/mailman3/archives/users/7e9ab542cc234ef097935c03b2e1905d/" title="See the profile for Aki Tuomi" >Aki Tuomi</a> </h2> </div> </div> <div class="email-date right"> <div class="time"> <span title="Sender's time: Dec. 11, 2017, 10:06 a.m.">10:06 a.m.</span> </div> </div> <div class="subject"> New subject: Mailsploit problem in responce of ENVELOPE </div> </div>  <div class="email-body "> <p>This is a good chance to remind people that you can report SECURITY issues using these methods:</p> <p> - <a target="_blank" href="https://hackerone.com/dovecot/">https://hackerone.com/dovecot/</a> (preferred channel) - emailing to info@dovecot.fi (or Timo or me directly)</p> <p>This way we can handle the security issues correctly and safely, and as a bonus, if you find an actual security issue, we can award you with a bounty! =)</p> <p>Aki</p> <p>On 11.12.2017 05:47, TACHIBANA Masashi wrote:</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>I'm sorry, I had been tested by miss From/Reply-To,</p> <p>If From/Reply-To addresses are bellow:</p> <p>From: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com Reply-To: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com</p> <p>ENVELOPE will come bellow:</p> <p>A01 UID FETCH 25 (ENVELOPE)</p> <ul> <li>5 FETCH (UID 25 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test3" ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<a target="_blank" href="mailto:20171206084846.0000478C.0596@example.com">20171206084846.0000478C.0596@example.com</a>" "<a target="_blank" href="mailto:20171208004435.00006B4F.0014@example.com">20171208004435.00006B4F.0014@example.com</a>")) A01 OK Fetch completed (0.000 secs).</li> </ul> <p>It seems correct response.</p> <p>Thank you.</p> <p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>Additionally, I just tried bellow:</p> <p>From: service@paypal.com<iframe onload=alert(document.cookie) src=<a target="_blank" href="https://www.hushmail.com">https://www.hushmail.com</a> style="display:none"\n\0@mailsploit.com Reply-To: service@paypal.com<iframe onload=alert(document.cookie) src=<a target="_blank" href="https://www.hushmail.com">https://www.hushmail.com</a> style="display:none"\n\0@mailsploit.com</p> <p>Thanks</p> <p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:</p> <p>A01 UID FETCH 24 (ENVELOPE)</p> <ul> <li>4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<a target="_blank" href="mailto:20171206084846.0000478C.0596@example.com">20171206084846.0000478C.0596@example.com</a>" "<a target="_blank" href="mailto:20171208004435.00006B4F.0014@example.com">20171208004435.00006B4F.0014@example.com</a>")) A01 OK Fetch completed (0.000 secs).</li> </ul> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header? I did test also Reply-To header, then had same response as above.</p> </blockquote><p>----- Original Message -----</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:</p> <div class="quoted-switch"><a href="#">...</a></div><blockquote class="blockquote quoted-text"><p>Hi,</p> <p>I tried to see a mail that have a strange From header in bellow URL:</p> <p><a target="_blank" href="https://www.mailsploit.com/index">https://www.mailsploit.com/index</a></p> <p>Then, I got BODYSTRUCTURE response contain next:</p> <p>((NIL NIL "service" "paypal.com"))</p> <p>Are this problem already founded by anyone? So already fixed? The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?</p> </blockquote><p>The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:</p> <p>The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.</p> <p>Can you paste the whole IMAP command response?</p> <p>Thanks,</p> <p>Jeff.</p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> <p>株式会社クオリティア <a target="_blank" href="http://www.qualitia.co.jp/">http://www.qualitia.co.jp/</a></p> </blockquote><p>-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp</p> <p>株式会社クオリティア <a target="_blank" href="http://www.qualitia.co.jp/">http://www.qualitia.co.jp/</a></p> </blockquote> </div> <div class="email-info"> <div class="likeform-wrapper right"> <div class="messagelink pull-right"> <button class="toggle-font btn btn-sm" title="Display in fixed font" data-bs-toggle="tooltip" data-placement="bottom"> <i class="fa fa-font"></i> </button> <a href="/mailman3/archives/list/dovecot@dovecot.org/message/D4UTQKSPSZQP36Q7SBEOV3WZFD6PP6DE/" title="Permalink for this message" data-bs-toggle="tooltip" data-placement="bottom"><i class="fa fa-link"></i></a> </div> <form method="post" class="likeform" action="/mailman3/archives/list/dovecot@dovecot.org/message/D4UTQKSPSZQP36Q7SBEOV3WZFD6PP6DE/vote"> <input type="hidden" name="csrfmiddlewaretoken" value="ZZhbPgP819gP7JTs40L6v9M3pYAzS7vSnpl4bSfRCXp4xEaRXAMUcsIKN6PqUltx"> <a class="youlike vote disabled" title="You must be logged-in to vote." href="#like" data-vote="1" aria-label="Like thread"> <i class="fa fa-thumbs-o-up"></i> 0 </a> <a class="youdislike vote disabled" title="You must be logged-in to vote." href="#dislike" data-vote="-1" aria-label="Dislike thread"> <i class="fa fa-thumbs-o-down"></i> 0 </a> </form> </div>  <a class="reply reply-mailto" title="Reply" href="#"> <i class="fa fa-reply"></i> Reply </a>   <div class="reply-form-unauthenticated"> <a class="btn btn-sm btn-primary" href="/mailman3/accounts/login/?next=/mailman3/archives/list/dovecot%40dovecot.org/thread/ZFVLDZBELA7XIKFSDHSSMOFWSWUTVI5R/#"> Sign in to reply online </a> <a class="btn btn-sm btn-secondary reply-mailto" href="mailto:dovecot@dovecot.org?Subject=Re%3A%20Mailsploit%20problem%20in%20responce%20of%20ENVELOPE&In-Reply-To=<ae2613a4-cc3a-03aa-8ed3-dc5ee5109add%40dovecot.fi>" >Use email software</a></li> </div> </div> </div>  </div> </div> </div> </div> <div class="col-12 col-md-3"> <div class="anchor-link"> <a id="stats"></a> </div>  <section id="thread-overview-info">  <div id="thread-date-info" class="row"> <div class="col"> <span class="days-num">2538</span> <div class="days-text"> Age (days ago) </div> </div> <div class="col"> <span class="days-num">2541</span> <div class="days-text"> Last active (days ago) </div> </div> </div>  <p> <a href="/mailman3/archives/list/dovecot@dovecot.org/" class="btn btn-outline-primary btn-sm"> List overview </a> </p> <p class="thread-overview-details"> <div> <i class="fa fa-fw fa-comment"></i> 6 comments </div> <div> <i class="fa fa-fw fa-user"></i> 3 participants </div> </p> <form id="fav_form" name="favorite" method="post" class="favorite" action="/mailman3/archives/list/dovecot@dovecot.org/thread/ZFVLDZBELA7XIKFSDHSSMOFWSWUTVI5R/favorite"> <input type="hidden" name="csrfmiddlewaretoken" value="ZZhbPgP819gP7JTs40L6v9M3pYAzS7vSnpl4bSfRCXp4xEaRXAMUcsIKN6PqUltx"> <input type="hidden" name="action" value="add" /> <p> <a href="#AddFav" class="notsaved disabled" title="You must be logged-in to have favorites."> <i class="fa fa-fw fa-star"></i>Add to favorites</a> <a href="#RmFav" class="saved"> <i class="fa fa-fw fa-star"></i>Remove from favorites</a> </p> </form> <div id="tags"> <h3 id="tag-title">tags </h3> </div> <div id="participants"> <h3 id="participants_title">participants (3)</h3> <ul class="list-unstyled"> <li class="d-flex"> <div class="participant-gravatar circle"></div> <div class="participant-name d-flex align-items-center"> <span>Aki Tuomi</span> </div> </li> <li class="d-flex"> <div class="participant-gravatar circle"></div> <div class="participant-name d-flex align-items-center"> <span>Josef 'Jeff' Sipek</span> </div> </li> <li class="d-flex"> <div class="participant-gravatar circle"></div> <div class="participant-name d-flex align-items-center"> <span>TACHIBANA Masashi</span> </div> </li> </ul> </div> </section> </div> </div> </div>  </div>  <footer class="footer"> <div class="container"> <p class="text-muted"> <img class="logo" alt="HyperKitty" src="/mailman3/static/hyperkitty/img/logo.png" /> Powered by <a href="http://hyperkitty.readthedocs.org">HyperKitty</a> version 1.3.9. </p> </div> </footer> <script src="/mailman3/static/hyperkitty/libs/jquery/jquery-3.6.0.min.js"></script> <script src="/mailman3/static/hyperkitty/libs/jquery/jquery-ui-1.13.1.min.js"></script> <script src="/mailman3/static/CACHE/js/output.80e003825acc.js"></script> <script> // Add the .js-enabled class to the body so we can style the elements // depending on whether Javascript is enabled. $(document).ready(function(){ $("body").addClass("js-enabled"); $(".gravatar").addClass("rounded-circle"); }); </script> <script type="text/javascript"> $(document).ready(function() { //enable tooltips for thread buttons $("btn#next-thread").tooltip(); $("btn#prev-thread").tooltip(); setup_category(); setup_tags(); setup_favorites(); // Hide quotes by default in the thread view fold_quotes("div.container-xxl"); // Load the replies update_thread_replies("/mailman3/archives/list/dovecot@dovecot.org/thread/ZFVLDZBELA7XIKFSDHSSMOFWSWUTVI5R/replies?sort=thread&last_view="); setup_unreadnavbar("#unreadnavbar"); setup_thread_keyboard_shortcuts(); }); </script> </body> </html>