From ba8d544c7f1a3340dd967fd1a35c237fc1927daa Mon Sep 17 00:00:00 2001
From: Rob Swindell <rob@synchro.net>
Date: Wed, 4 Nov 2020 19:47:56 -0800
Subject: [PATCH] Detect and reject forged "from" fields in submitted msg
 headers

For non-authenticated SMTP clients, if the "From:" header field contains a "name" which appears to be an email address (i.e. it has an '@' in it), and that address does not match the *actual* address in the "From:" field, reject the mail with an error message about the forged/mismatched address.
---
 src/sbbs3/mailsrvr.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/sbbs3/mailsrvr.c b/src/sbbs3/mailsrvr.c
index 5d328a4488..1ec0ed29eb 100644
--- a/src/sbbs3/mailsrvr.c
+++ b/src/sbbs3/mailsrvr.c
@@ -3659,6 +3659,15 @@ static void smtp_thread(void* arg)
 					subnum=INVALID_SUB;
 					continue;
 				}
+				if(relay_user.number == 0
+					&& strchr(sender, '@') != NULL
+					&& compare_addrs(sender, sender_addr) != 0) {
+					lprintf(LOG_WARNING,"%04d %s %s !FORGED mail header 'FROM' field (%lu total)"
+						,socket, client.protocol, client_id, ++stats.msgs_refused);
+					sockprintf(socket,client.protocol,session, "554 Mail header contains mismatched 'FROM' field");
+					subnum=INVALID_SUB;
+					continue;
+				}
 				char sender_info[512];
 				if(relay_user.number) {
 					SAFEPRINTF(str,"%u",relay_user.number);
-- 
GitLab