Spoofing detection added Webklex#40

Author: Webklex

CHANGELOG.md

@@ -9,7 +9,7 @@ Updates should follow the [Keep a CHANGELOG](http://keepachangelog.com/) princip
 - Filename sanitization is now optional (enabled via default)
 
 ### Added
-- NaN
+- Spoofing detection added #40
 
 ### Breaking changes
 - NaN

src/Exceptions/SpoofingAttemptDetectedException.php

@@ -0,0 +1,24 @@
+<?php
+/*
+* File:     SpoofingAttemptDetectedException.php
+* Category: Exception
+* Author:   M. Goldenbaum
+* Created:  17.01.25 17:25
+* Updated:  -
+*
+* Description:
+*  -
+*/
+
+namespace Webklex\PHPIMAP\Exceptions;
+
+use \Exception;
+
+/**
+ * Class SpoofingAttemptDetectedException
+ *
+ * @package Webklex\PHPIMAP\Exceptions
+ */
+class SpoofingAttemptDetectedException extends Exception {
+
+}

src/Header.php

@@ -18,6 +18,7 @@
 use Webklex\PHPIMAP\Exceptions\DecoderNotFoundException;
 use Webklex\PHPIMAP\Exceptions\InvalidMessageDateException;
 use Webklex\PHPIMAP\Exceptions\MethodNotFoundException;
+use Webklex\PHPIMAP\Exceptions\SpoofingAttemptDetectedException;
 
 /**
  * Class Header
@@ -199,6 +200,7 @@ private function clearBoundaryString(string $str): string {
      * Parse the raw headers
      *
      * @throws InvalidMessageDateException
+     * @throws SpoofingAttemptDetectedException
      */
     protected function parse(): void {
         $header = $this->rfc822_parse_headers($this->raw);
@@ -230,6 +232,11 @@ protected function parse(): void {
 
         $this->extractHeaderExtensions();
         $this->findPriority();
+
+        if($this->config->get('security.detect_spoofing', true)) {
+            // Detect spoofing
+            $this->detectSpoofing();
+        }
     }
 
     /**
@@ -413,7 +420,7 @@ private function decodeAddresses($values): array {
      * @param object $header
      */
     private function extractAddresses(object $header): void {
-        foreach (['from', 'to', 'cc', 'bcc', 'reply_to', 'sender'] as $key) {
+        foreach (['from', 'to', 'cc', 'bcc', 'reply_to', 'sender', 'return_path', 'envelope_from', 'envelope_to', 'delivered_to'] as $key) {
             if (property_exists($header, $key)) {
                 $this->set($key, $this->parseAddresses($header->$key));
             }
@@ -760,4 +767,25 @@ public function setDecoder(DecoderInterface $decoder): static {
         return $this;
     }
 
+    /**
+     * Detect spoofing by checking the from, reply_to, return_path, sender and envelope_from headers
+     * @throws SpoofingAttemptDetectedException
+     */
+    private function detectSpoofing(): void {
+        $header_keys = ["from", "reply_to", "return_path", "sender", "envelope_from"];
+        $potential_senders = [];
+        foreach($header_keys as $key) {
+            $header = $this->get($key);
+            foreach ($header->toArray() as $address) {
+                $potential_senders[] = $address->mailbox . "@" . $address->host;
+            }
+        }
+        if(count($potential_senders) > 1) {
+            $this->set("spoofed", true);
+            if($this->config->get('security.detect_spoofing_exception', false)) {
+                throw new SpoofingAttemptDetectedException("Potential spoofing detected. Message ID: " . $this->get("message_id") . " Senders: " . implode(", ", $potential_senders));
+            }
+        }
+    }
+
 }

tests/issues/Issue40Test.php

@@ -0,0 +1,74 @@
+<?php
+/*
+* File: Issue410Test.php
+* Category: -
+* Author: M.Goldenbaum
+* Created: 23.06.23 20:41
+* Updated: -
+*
+* Description:
+*  -
+*/
+
+namespace Tests\issues;
+
+use PHPUnit\Framework\TestCase;
+use Tests\fixtures\FixtureTestCase;
+use Webklex\PHPIMAP\Attachment;
+use Webklex\PHPIMAP\ClientManager;
+use Webklex\PHPIMAP\Exceptions\AuthFailedException;
+use Webklex\PHPIMAP\Exceptions\ConnectionFailedException;
+use Webklex\PHPIMAP\Exceptions\ImapBadRequestException;
+use Webklex\PHPIMAP\Exceptions\ImapServerErrorException;
+use Webklex\PHPIMAP\Exceptions\InvalidMessageDateException;
+use Webklex\PHPIMAP\Exceptions\MaskNotFoundException;
+use Webklex\PHPIMAP\Exceptions\MessageContentFetchingException;
+use Webklex\PHPIMAP\Exceptions\ResponseException;
+use Webklex\PHPIMAP\Exceptions\RuntimeException;
+use Webklex\PHPIMAP\Exceptions\SpoofingAttemptDetectedException;
+use Webklex\PHPIMAP\Message;
+
+class Issue40Test extends FixtureTestCase {
+
+    /**
+     * @throws RuntimeException
+     * @throws MessageContentFetchingException
+     * @throws ResponseException
+     * @throws ImapBadRequestException
+     * @throws InvalidMessageDateException
+     * @throws ConnectionFailedException
+     * @throws \ReflectionException
+     * @throws ImapServerErrorException
+     * @throws AuthFailedException
+     * @throws MaskNotFoundException
+     */
+    public function testIssueEmail() {
+        $message = $this->getFixture("issue-40.eml");
+
+        self::assertSame("Zly from", (string)$message->subject);
+        self::assertSame([
+                             'personal' => '',
+                             'mailbox'  => 'faked_sender',
+                             'host'     => 'sender_domain.pl',
+                             'mail'     => 'faked_sender@sender_domain.pl',
+                             'full'     => 'faked_sender@sender_domain.pl',
+                         ], $message->from->first()->toArray());
+        self::assertSame([
+                             'personal' => '<real_sender@sender_domain.pl>',
+                             'mailbox'  => 'real_sender',
+                             'host'     => 'sender_domain.pl',
+                             'mail'     => 'real_sender@sender_domain.pl',
+                             'full'     => '<real_sender@sender_domain.pl> <real_sender@sender_domain.pl>',
+                         ], (array)$message->return_path->first());
+        self::assertSame(true, $message->spoofed->first());
+
+        $config = $message->getConfig();
+        self::assertSame(false, $config->get("security.detect_spoofing_exception"));
+        $config->set("security.detect_spoofing_exception", true);
+        self::assertSame(true, $config->get("security.detect_spoofing_exception"));
+
+        $this->expectException(SpoofingAttemptDetectedException::class);
+        $this->getFixture("issue-40.eml", $config);
+    }
+
+}

tests/messages/issue-40.eml

@@ -0,0 +1,39 @@
+Return-Path: <real_sender@sender_domain.pl>
+Delivered-To: receipent@receipent_domain.pl
+Received: from h2.server.pl
+\tby h2.server.pl with LMTP
+\tid 4IDTIEUkm18ZSSkA87l24w
+\t(envelope-from <real_sender@sender_domain.pl>)
+\tfor <receipent@receipent_domain.pl>; Thu, 29 Oct 2020 21:21:25 +0100
+Return-path: <real_sender@sender_domain.pl>
+Envelope-to: receipent@receipent_domain.pl
+Delivery-date: Thu, 29 Oct 2020 21:21:25 +0100
+Received: from sender_domain.pl ([server ip])
+\tby h2.server.pl with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+\t(Exim 4.94)
+\t(envelope-from <real_sender@sender_domain.pl>)
+\tid 1kYEQG-00BPgD-S0
+\tfor receipent@receipent_domain.pl; Thu, 29 Oct 2020 21:21:25 +0100
+Received: by sender_domain.pl (Postfix, from userid 1000)
+\tid 57DADAB; Thu, 29 Oct 2020 21:21:23 +0100 (CET)
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sender_domain.pl; s=default;
+\tt=1604002883; bh=CsZufJouWdjY/W12No6MSSMwbp0VaS8EOMGg9WptEaI=;
+\th=From:To:Subject:Date;
+\tb=v0NAncnNT/w+gInANxAkMt20ktM4LZquuwlokUmLpPyO3++8dy112olu63Dkn9L2E
+\t GwfHGqW+8f7g494UK6asUKqTx8fHxlEJbHqAiEV5QrlynSeZDFXsKvGDW8XNMFBKop
+\t sAjvp8NTUiNcA4MTbFaZ7RX15A/9d9QVEynU8MaNP2ZYKnq9J/JXgUjjMnx+FiULqf
+\t xJN/5rjwHRx7f6JQoXXUxuck6Zh4tSDiLLnDFasrSxed6sTNfnZMAggCyb1++estNk
+\t q6HNBwp85Az3ELo10RbBF/WM2FhxxFz1khncRtCyLXLUZ2lzhjan765KXpeYg7FUa9
+\t zItPWVTaTzTEg==
+From: faked_sender@sender_domain.pl
+To: receipent@receipent_domain.pl
+Subject: Zly from
+Message-Id: <20201029202123.57DADAB@sender_domain.pl>
+Date: Thu, 29 Oct 2020 21:21:01 +0100 (CET)
+Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on server ip, -10 Spam score
+SPFCheck: Server passes SPF test, -30 Spam score
+X-DKIM: signer='sender_domain.pl' status='pass' reason=''
+DKIMCheck: Server passes DKIM test, -20 Spam score
+X-Spam-Score: -0.2 (/)
+
+Test message