Detect and reject forged "from" fields in submitted msg headers

For non-authenticated SMTP clients, if the "From:" header field contains a "name" which appears to be an email address (i.e. it has an '@' in it), and that address does not match the *actual* address in the "From:" field, reject the mail with an error message about the forged/mismatched address.

Detect and reject forged "from" fields in submitted msg headers
ba8d544c · Rob Swindell · 73edfd4b · ba8d544c
Commit ba8d544c authored 4 years ago by Rob Swindell
--- a/src/sbbs3/mailsrvr.c
+++ b/src/sbbs3/mailsrvr.c
@@ -3659,6 +3659,15 @@ static void smtp_thread(void* arg)
 					subnum=INVALID_SUB;
 					continue;
 				}
+				if(relay_user.number == 0
+					&& strchr(sender, '@') != NULL
+					&& compare_addrs(sender, sender_addr) != 0) {
+					lprintf(LOG_WARNING,"%04d %s %s !FORGED mail header 'FROM' field (%lu total)"
+						,socket, client.protocol, client_id, ++stats.msgs_refused);
+					sockprintf(socket,client.protocol,session, "554 Mail header contains mismatched 'FROM' field");
+					subnum=INVALID_SUB;
+					continue;
+				}
 				char sender_info[512];
 				if(relay_user.number) {
 					SAFEPRINTF(str,"%u",relay_user.number);