Hi,
Sorry, it comes from fetching ENVELOPE, not BODYSTRUCTURE.
For example:
A01 UID FETCH 24 (ENVELOPE)
* 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900"
"test2" ((NIL NIL "service" "paypal.com"))
(("dev1" NIL "dev1-bounces" "example.com")) ((NIL
NIL "service" "paypal.com")) (("user1" NIL
"user1" "example.com")) (("dev1" NIL
"dev1" "example.com")) NIL
"<20171206084846.0000478C.0596 at example.com>"
"<20171208004435.00006B4F.0014 at example.com>"))
A01 OK Fetch completed (0.000 secs).
> The metasploit generated emails contain a fake Reply-To header. Are you
> sure that the above isn't the Reply-To header?
I also tested the Reply-To header, and got the same response as above.
----- Original Message -----
> On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
> > Hi,
> >
> > I tried to see a mail that has a strange From header in the URL below:
> >
> > https://www.mailsploit.com/index
> >
> > Then, I got a BODYSTRUCTURE response containing the following:
> >
> > ((NIL NIL "service" "paypal.com"))
> >
> > Has this problem already been found by anyone?
> > So is it already fixed?
>
> The metasploit generated emails contain a fake Reply-To header. Are you
> sure that the above isn't the Reply-To header?
>
> The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes
> ENVELOPE). From the IMAP RFC:
>
> The fields of the envelope structure are in the following order:
> date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and
> message-id.
>
> Can you paste the whole IMAP command response?
>
> Thanks,
>
> Jeff.
>
--
TACHIBANA Masashi QUALITIA CO., LTD.
mailto:tachibana at qualitia.co.jp
Hi,
Additionally, I just tried the following:
From: service at paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0 at mailsploit.com
Reply-To: service at paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0 at mailsploit.com
Thanks
--
TACHIBANA Masashi QUALITIA CO., LTD.
mailto:tachibana at qualitia.co.jp
http://www.qualitia.co.jp/
Hi,
I'm sorry, I had tested with mistaken From/Reply-To headers.
If the From/Reply-To addresses are as below:
From:
=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com
Reply-To:
=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com
the ENVELOPE comes back as below:
A01 UID FETCH 25 (ENVELOPE)
* 5 FETCH (UID 25 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900"
"test3" ((NIL NIL
"=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?="
"mailsploit.com")) (("dev1" NIL "dev1-bounces"
"example.com")) ((NIL NIL
"=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?="
"mailsploit.com")) (("user1" NIL "user1"
"example.com")) (("dev1" NIL "dev1"
"example.com")) NIL "<20171206084846.0000478C.0596 at example.com>"
"<20171208004435.00006B4F.0014 at example.com>"))
A01 OK Fetch completed (0.000 secs).
It seems to be the correct response.
Thank you.
--
TACHIBANA Masashi QUALITIA CO., LTD.
mailto:tachibana at qualitia.co.jp
http://www.qualitia.co.jp/