Hi,
Sorry, it comes from fetching ENVELOPE, not BODYSTRUCTURE.
For example:
A01 UID FETCH 24 (ENVELOPE)
* 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900"
"test2" ((NIL NIL "service" "paypal.com"))
(("dev1" NIL "dev1-bounces" "example.com")) ((NIL
NIL "service" "paypal.com")) (("user1" NIL
"user1" "example.com")) (("dev1" NIL
"dev1" "example.com")) NIL
"<20171206084846.0000478C.0596 at example.com>"
"<20171208004435.00006B4F.0014 at example.com>"))
A01 OK Fetch completed (0.000 secs).
> The metasploit generated emails contain a fake Reply-To header. Are you
> sure that the above isn't the Reply-To header?
I also tested the Reply-To header, and had the same response as above.
----- Original Message -----
> On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
> > Hi,
> >
> > I tried to see a mail that has a strange From header from the URL below:
> >
> > https://www.mailsploit.com/index
> >
> > Then I got a BODYSTRUCTURE response containing the following:
> >
> > ((NIL NIL "service" "paypal.com"))
> >
> > Has this problem already been found by anyone?
> > Is it already fixed?
>
> The metasploit generated emails contain a fake Reply-To header. Are you
> sure that the above isn't the Reply-To header?
>
> The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes
> ENVELOPE). From the IMAP RFC:
>
> The fields of the envelope structure are in the following order:
> date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and
> message-id.
>
> Can you paste the whole IMAP command response?
>
> Thanks,
>
> Jeff.
>
--
TACHIBANA Masashi QUALITIA CO., LTD.
mailto:tachibana at qualitia.co.jp
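
Added example, not part of the original thread: a small Python parser that splits the ENVELOPE data shown in the message above by position, using the field order quoted from the IMAP RFC, so the From, Sender and Reply-To slots can be told apart. The function names are illustrative; IMAP literals and address group syntax are not handled.

```python
import re

# Field order of the ENVELOPE structure, as quoted from the IMAP RFC above.
FIELDS = ("date", "subject", "from", "sender", "reply-to",
          "to", "cc", "bcc", "in-reply-to", "message-id")

# ENVELOPE data from the FETCH response in this message, re-joined.
SAMPLE = ('("Fri, 08 Dec 2017 09:44:35 +0900" "test2" '
          '((NIL NIL "service" "paypal.com")) '
          '(("dev1" NIL "dev1-bounces" "example.com")) '
          '((NIL NIL "service" "paypal.com")) '
          '(("user1" NIL "user1" "example.com")) '
          '(("dev1" NIL "dev1" "example.com")) NIL '
          '"<20171206084846.0000478C.0596 at example.com>" '
          '"<20171208004435.00006B4F.0014 at example.com>")')

TOKEN = re.compile(r'\(|\)|"((?:[^"\\]|\\.)*)"|([^\s()"]+)')

def parse_list(text):
    """Parse an IMAP parenthesized list of quoted strings, atoms and NIL."""
    stack = [[]]
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unexpected ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif m.group(1) is not None:  # quoted string: undo backslash escapes
            stack[-1].append(re.sub(r"\\(.)", r"\1", m.group(1)))
        else:                         # atom; NIL becomes None
            stack[-1].append(None if tok.upper() == "NIL" else tok)
    if len(stack) != 1 or not stack[0]:
        raise ValueError("unbalanced or empty list")
    return stack[0][0]

def envelope(text):
    """Return the ENVELOPE as a dict keyed by field name."""
    items = parse_list(text)
    if len(items) != len(FIELDS):
        raise ValueError("expected %d envelope fields" % len(FIELDS))
    env = dict(zip(FIELDS, items))
    for key in ("from", "sender", "reply-to", "to", "cc", "bcc"):
        # Each address is (personal name, source route, mailbox, host).
        env[key] = ["%s@%s" % (a[2], a[3]) for a in (env[key] or [])]
    return env
```

For the response above, the `("service" "paypal.com")` address occupies both the third slot (from) and the fifth slot (reply-to), while the sender slot holds the example.com bounce address.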