Closed Bug 1423440 Opened 7 years ago Closed 7 years ago

Mailsploit: Remove @ from real name in From

Categories

(MailNews Core :: MIME, enhancement)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: BenB, Unassigned)

This is part of bug 1423430. See there for background. If there is an @ sign in the real name part of the From, strip it. It's highly likely to be spoofing some other address. (And yes, I know that some devs use this on bugzilla as a feature :-) . But we're not normal people.) We may do this in libmime or in the frontend.
This is clearly a WONTFIX since this will upset a good part of the user community. There is nothing wrong with having:
"Men @ Work" <menatwork@example.com>
People use this and complain if it doesn't work, see bug 1359774. Let's not overreact, please.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Group: mail-core-security
I found some more real life examples:
From: "Bugzilla@Mozilla" <bugzilla-daemon@mozilla.org> - Check that one, BMO e-mail invalid!
Then Yahoo groups send this:
From: "Real name xxx@gmail.com [Barcelona-Freecycle]" <Barcelona-Freecycle-noreply@yahoogroups.com>
From: "Real Name yyy@yahoo.com [freecycle-berlin]" <freecycle-berlin-noreply@yahoogroups.de>
Yes. And if the "@" was replaced by " ", that wouldn't be a huge problem. The problem is that "fred@whitehouse.gov <head.political.communications@spammer.com>" is going to be read as "Fred from the White House" by most users.
As long as TB doesn't do the stupid Apple Mail thing called "smart address" this is not so much a problem. Pressing "reply" or "compose message to" or such is still safe. Inside a quoted part of the from name the "@" is a legal character and therefore should not get removed or replaced. Maybe some users get confused and click on a link in such a message and that's bad, but hopefully this is not the majority.
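An added example (not Thunderbird or libmime code) that runs the From values quoted in this bug through two checks: the blunt rule proposed here (any "@" in the real name) and a narrower, hypothetical rule that only flags an address-like token whose domain differs from the actual sender's domain. The function names, the regular expressions and the simplified `name <addr>` parsing are assumptions made for illustration.

```python
import re

# Simplified split into display name and addr-spec. Assumption: a single
# mailbox in `name <addr>` form; this is not a full RFC 5322 parser.
FROM_RE = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$')
# Address-like token: local part, "@", then a domain with at least one dot.
ADDR_TOKEN_RE = re.compile(r'[\w.%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})')

def split_from(value):
    """Split a From value into (display name without quotes, addr-spec)."""
    m = FROM_RE.match(value)
    if m is None:
        raise ValueError(f"unsupported From form: {value!r}")
    name = m.group("name")
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]  # drop the surrounding quotes of a quoted-string
    return name, m.group("addr")

def check_from(value):
    """Return (blunt, narrow).

    blunt:  any "@" in the display name (the rule proposed in this bug).
    narrow: the display name embeds an address-like token whose domain is
            not the domain of the real sender address (hypothetical rule).
    """
    name, addr = split_from(value)
    real_domain = addr.rsplit("@", 1)[-1].lower()
    blunt = "@" in name
    embedded_domains = ADDR_TOKEN_RE.findall(name)
    narrow = any(d.lower() != real_domain for d in embedded_domains)
    return blunt, narrow

# From values quoted in the comments above, plus one constructed control.
SAMPLES = [
    '"Men @ Work" <menatwork@example.com>',
    '"Bugzilla@Mozilla" <bugzilla-daemon@mozilla.org>',
    '"Real name xxx@gmail.com [Barcelona-Freecycle]" '
    '<Barcelona-Freecycle-noreply@yahoogroups.com>',
    'fred@whitehouse.gov <head.political.communications@spammer.com>',
    '"Fred Example" <fred@example.com>',  # constructed control, no "@"
]

if __name__ == "__main__":
    for sample in SAMPLES:
        blunt, narrow = check_from(sample)
        print(f"blunt={blunt!s:5} narrow={narrow!s:5} {sample}")
```

The narrower rule leaves "Men @ Work" and "Bugzilla@Mozilla" alone, but it still flags the Yahoo Groups senders together with the whitehouse.gov example.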