SMTP allows for multiple FROM addresses on the body (not the envelope) according to the RFCs.
Has this feature ever been used for a legitimate purpose?
Is it safe to discard messages that have multiple FROM addresses?
RFC 822 actually gives an example of this usage. It required (Section 4.4) that the Sender: header be present when it was used.
A.2.7. Agent for member of a committee

George's secretary sends out a message which was authored jointly by all the members of a committee. Note that the name of the committee cannot be specified, since <group> names are not permitted in the From field.

    From: Jones@Host, Smith@Other-Host, Doe@Somewhere-Else
    Sender: Secy@SHost
RFC 2822, which obsoleted it, continued to explicitly allow this particular construction (Section 3.6.2).
    from = "From:" mailbox-list CRLF
    mailbox-list = (mailbox *("," mailbox)) / obs-mbox-list
In the current standard, RFC 5322, this is unchanged, and multiple addresses are still explicitly allowed (Section 3.6.2).
The from field consists of the field name "From" and a comma-separated list of one or more mailbox specifications. If the from field contains more than one mailbox specification in the mailbox-list, then the sender field, containing the field name "Sender" and a single mailbox specification, MUST appear in the message.
Was it ever useful? Yes, and it still is, for exactly the sort of scenario shown in the ancient example. Messages with multiple authors are supposed to have all of them listed in the From: header, with the Sender: set to the person who actually hit Send in their email program.
The originator fields indicate the mailbox(es) of the source of the message. The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. For example, if a secretary were to send a message for another person, the mailbox of the secretary would appear in the "Sender:" field and the mailbox of the actual author would appear in the "From:" field. If the originator of the message can be indicated by a single mailbox and the author and transmitter are identical, the "Sender:" field SHOULD NOT be used. Otherwise, both fields SHOULD appear.
In practice on the public Internet, messages in which this is done are uncommon, though they do occur, especially in enterprise and academic environments, where it's much more common for one person to send email on behalf of another, or of a group.
I've never actually seen spam that does this (and got through all my other controls). I would generally consider it unsafe to discard or raise the spam score of such a message.
I have not seen multiple addresses in the From field used for legitimate purposes. The few cases I have seen were on spam, and had multiple copies of the same address.
I don't know of any message composition software which supports lists in this context. The cases where I consider it could be appropriate are relatively few, and in my experience are handled in other ways.
I have added a spam rule to my system that adds a high score to From headers with multiple addresses. To be compliant, it would not be correct to refuse mail on this basis alone. If they pass other spam checks, you may want to quarantine messages while evaluating whether you need to or want to accept such messages.
EDIT: I have reviewed Michael Hampton's well-researched answer. It appears that if the From header contains a list, a valid Sender header is required. I believe such a filter would have caught the spam that passed through a forwarding address. A list in the From header without a Sender header would be in violation of the intended purpose of allowing the list.
I have run preliminary tests on three common mail composition tools: Microsoft Outlook, Thunderbird, and GMail. None of these appear to support lists in the From field. Only Outlook appears to support sending email on behalf of another user.
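The check both answers converge on (a From: header listing more than one mailbox must be accompanied by a Sender: header holding a single mailbox, RFC 5322 Section 3.6.2), sketched with Python's standard `email` package. This is an added example, not part of either answer; the function name, verdict labels and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Verdict labels are hypothetical names chosen for this example.
SINGLE = "single-author"
MULTI_OK = "multi-author-with-sender"
MULTI_REPEATED = "multi-author-repeated-mailbox"
NO_SENDER = "violation-missing-sender"
BAD_SENDER = "violation-sender-not-single-mailbox"
MALFORMED = "malformed-originator-fields"


def classify_originator(raw: str) -> str:
    """Classify From:/Sender: per RFC 5322 section 3.6.2."""
    msg = message_from_string(raw, policy=default)
    from_fields = msg.get_all("From", [])
    sender_fields = msg.get_all("Sender", [])
    # From: must appear exactly once, Sender: at most once.
    if len(from_fields) != 1 or len(sender_fields) > 1:
        return MALFORMED
    authors = from_fields[0].addresses
    if not authors:
        return MALFORMED
    if len(authors) == 1:
        return SINGLE
    # More than one author: Sender: MUST appear with a single mailbox.
    if not sender_fields:
        return NO_SENDER
    if len(sender_fields[0].addresses) != 1:
        return BAD_SENDER
    # Heuristic from the second answer, not an RFC rule: same mailbox repeated.
    specs = [a.addr_spec.lower() for a in authors]
    if len(set(specs)) < len(specs):
        return MULTI_REPEATED
    return MULTI_OK


# Constructed sample messages; the first uses the RFC 822 A.2.7 headers.
COMMITTEE = ("From: Jones@Host, Smith@Other-Host, Doe@Somewhere-Else\n"
             "Sender: Secy@SHost\nSubject: minutes\n\nbody\n")
NO_SENDER_MSG = "From: a@example.com, b@example.org\nSubject: hi\n\nbody\n"
REPEATED_MSG = ("From: a@example.com, a@example.com\n"
                "Sender: a@example.com\n\nbody\n")

if __name__ == "__main__":
    for sample in (COMMITTEE, NO_SENDER_MSG, REPEATED_MSG):
        print(classify_originator(sample))
```

A violation verdict is an input to scoring or quarantine, in line with the answers' advice not to refuse mail on this basis alone.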