34

SMTP allows for multiple FROM addresses on the body (not the envelope) according to the RFCs.

Has this feature ever been used for a legitimate purpose?

Is it safe to discard messages that have multiple FROM addresses?

makerofthings7
  • 8,821
  • 28
  • 115
  • 196
  • Could you quote the relevant rfc? – AnFi Nov 12 '13 at 19:22
  • @AndrzejA.Filip From what I remember, in the x822 series it was never explicitly permitted or refused. Later revisions did mention it, but I'll have to scan each one to look for it. Note I'm talking about the headers, not the envelope – makerofthings7 Nov 12 '13 at 19:55
  • FWIW, Gmail does not accept messages with multiple addresses in from, they will respond with a "550 5.7.1 Messages with multiple addresses in From: header are not accepted." So while it may be "allowed" by the RFC I think we can safely say it's no longer allowed in the real world. And Office365 will accept the message, but only show the first email address and only reply to the first (treated as if there was only one). – WaldenL Nov 13 '19 at 16:50

2 Answers2

34

RFC 822 actually gives an example of this usage. It required (Section 4.4) that the Sender: header be present when it was used.

     A.2.7.  Agent for member of a committee
     
             George's secretary sends out a message which was authored
        jointly by all the members of a committee.  Note that the name
        of the committee cannot be specified, since <group> names  are
        not permitted in the From field.
 
            From:   Jones@Host,
                    Smith@Other-Host,
                    Doe@Somewhere-Else
            Sender: Secy@SHost

RFC 2822, which obsoleted it, continued to explicitly allow this particular construction (Section 3.6.2).

from            =       "From:" mailbox-list CRLF

mailbox-list    =       (mailbox *("," mailbox)) / obs-mbox-list

In the current standard, RFC 5322, this is unchanged, and multiple addresses are still explicitly allowed (Section 3.6.2).

   The from field consists of the field name "From" and a comma-
   separated list of one or more mailbox specifications.  If the from
   field contains more than one mailbox specification in the mailbox-
   list, then the sender field, containing the field name "Sender" and a
   single mailbox specification, MUST appear in the message.

Was it ever useful? Yes, and it still is, for exactly the sort of scenario shown in the ancient example. Messages with multiple authors are supposed to have all of them listed in the From: header, with the Sender: set to the person who actually hit Send in their email program.

   The originator fields indicate the mailbox(es) of the source of the
   message.  The "From:" field specifies the author(s) of the message,
   that is, the mailbox(es) of the person(s) or system(s) responsible
   for the writing of the message.  The "Sender:" field specifies the
   mailbox of the agent responsible for the actual transmission of the
   message.  For example, if a secretary were to send a message for
   another person, the mailbox of the secretary would appear in the
   "Sender:" field and the mailbox of the actual author would appear in
   the "From:" field.  If the originator of the message can be indicated
   by a single mailbox and the author and transmitter are identical, the
   "Sender:" field SHOULD NOT be used.  Otherwise, both fields SHOULD
   appear.

In practice on the public Internet, messages in which this is done are uncommon, though they do occur especially in enterprise and academic environments where it's much more common for one person to send email on behalf of another, or of a group.

I've never actually seen spam that does this (and got through all my other controls). I would generally consider it unsafe to discard or raise the spam score of such a message.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
  • I got spam that is using this trick to try to hide the actual from address. For example, I got mail from `yahoo.com` where `From` had something like `user@domain.com, some fillter text `. I assume that yahoo allowed the user to enter `user@domain.com, some fillter text` as their "real" name. – Mikko Rantalainen Jun 10 '16 at 06:28
  • I received a (very obvious) phishing email with multiple addresses in the "From" header as well and came across this answer. – Nathan Osman Apr 04 '20 at 23:24
5

I have not seen multiple addresses in the From field used for legitimate purposes. The few cases I have seen were on spam, and had multiple copies of the same address.

I don't know of any message composition software which support lists in this context. The cases I consider it to could be appropriate are relatively few, and in my experience are handled in other ways.

I have added a spam rule to my system that add a high score to From headers with multiple addresses. To be compliant, it would not be correct to refuse mail on the only this basis. If they pass other Spam checks, you may want to quarantining messages while evaluating whether you need to or want to accept such messages.

EDIT: I have reviewed Michael Hampton's well researched answer. It appears that if the From header contains a list, a valid Sender header is required. I believe such a filter would have caught the spam that passed though a forwarding address. A list in the From header without a Sender header would be in violation of the intended purpose of allowing the list.

I have run preliminary tests on a three common mail composition tools; Microsoft Outlook, Thunderbird, and GMail. None of these appear to support lists in the From field. Only Outlook appears to support sending email on behalf of another user.

BillThor
  • 27,354
  • 3
  • 35
  • 69