On Wed, Oct 07, 2020 at 12:27:09AM +0000, Pau Peris wrote:
> I'm hosting my dad's webpage which has a contact form (which should be
> improved to avoid spam and/or bots) and from time to time someone
> types multiple email addresses in the from field of the form so
> contact emails with multiple from addresses like "from:
> h...@example.com, f...@example.net" are generated. I though that those
> kind of messages should get rejected and thought that maybe there was
> a builtin restriction for this use case.
You may of course choose to try to block such messages, but in terms of
general syntax, they are valid email messages:
https://tools.ietf.org/html/rfc5322#section-3.6.2
The only constraint is that a message with multiple authors (multiple
"From" mailboxes), is required to have a "Sender" header which indicates
who is to blame for actually sending the message. The requirement is
unlikely to be enforced by most MUAs. I don't know what DMARC makes of
multi-author messages (but since I don't use, recommend or think much of
DMARC, I have much reason to care about that).
RFC5322.From syntax is rather non-trivial, and trying to parse it with
regular expressions is not a terribly good idea. While most addresses
are simple, and you might not ever see the exceptions, I do not
recommend ad-hoc half-right parsers for the mailbox syntax.
Therefore, the right solution would be in a content filter or milter,
coupled with a solid email address (list) parsing library.
--
Viktor.
