[MlMt] Skull 💀 emoji in the From header
Bill Cole
mmlist-20120120 at billmail.scconsult.com
Sat Jan 30 18:10:05 EST 2021
On 30 Jan 2021, at 16:38, mlmt at rhp.tw wrote:
> Sometimes I will receive an email that has the skull emoji (💀) in
> the **From** header. At first I thought this might be due to some
> autocorrect/auto-substitution that is enabled on my computer (like
> turning a smiley emoticon to an emoji), but that does not seem to be
> the case. I also looked at the raw message of the emails and didn't
> see anything unusual. Both these messages were downloaded from Gmail
> and when I look there the skull isn't present. How is this happening?
As others have noted, this is an intentional *feature* of MailMate,
indicating a '@' in a part of the From header commonly called the
"display name" because many mail clients show only that part to users,
hiding the actual email address.
The reason to do this is that scammers have figured out that putting a
trusted email address in the display name part of the From header is a
great way to spoof identities without tripping up any of the common
server-side strategies for identifying such fraud. This has led to an
epidemic of what is generally labeled "Business Email Compromise" in
which the scammer poses as an executive requesting urgent assistance
from a subordinate. Scammers have stolen billions of dollars this way.
MailMate's approach to this is (as you noted) entirely in the
presentation layer. The mail on the server (and in the client-side
cache) retains its original data unchanged, so that tools like DKIM
which authenticate messages including key headers are not broken by
MailMate's presentation. Most other approaches to mitigate BEC are done
by modifying one or both of the Subject or From headers, typically
breaking any DKIM signature on the message as it is delivered and
potentially confusing clients that group messages by those headers.
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
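
Added example, not part of the message above and not MailMate's own code: a Python sketch of the check described there, flagging an '@' in the From display name (after decoding RFC 2047 encoded words) purely at display time, so the stored message bytes and any DKIM signature stay untouched. The sample headers, the function name `check_from`, the placement of the marker before the name, and the extra `mismatch` comparison between the embedded address and the real one are assumptions for illustration.

```python
import re
from email import policy
from email.parser import BytesParser

SKULL = "\N{SKULL}"  # marker shown to the user; never written back to the message
ADDR_LIKE = re.compile(r"[^\s<>\"',;]+@[^\s<>\"',;]+")

# Constructed sample headers (not taken from the original post).
SAMPLES = {
    "plain": b"From: Alice Example <alice@example.org>\r\n\r\n",
    "spoof": b'From: "ceo@example.org" <scammer@example.net>\r\n\r\n',
    # Same display name hidden in an RFC 2047 encoded word.
    "encoded": b"From: =?utf-8?b?Y2VvQGV4YW1wbGUub3Jn?= <scammer@example.net>\r\n\r\n",
    "matching": b'From: "alice@example.org" <alice@example.org>\r\n\r\n',
}

def check_from(raw):
    """Return one finding per From address; raw is only read, never rewritten."""
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    header = msg["From"]
    findings = []
    for addr in (header.addresses if header is not None else ()):
        name = addr.display_name  # policy.default decodes encoded words
        flagged = "@" in name     # the condition the post describes
        embedded = [m.lower() for m in ADDR_LIKE.findall(name)]
        findings.append({
            "display_name": name,
            "addr_spec": addr.addr_spec,
            "flagged": flagged,
            # Assumed extra signal: display name claims a different address.
            "mismatch": any(e != addr.addr_spec.lower() for e in embedded),
            "shown": f"{SKULL} {name}" if flagged else (name or addr.addr_spec),
        })
    return findings

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        for f in check_from(raw):
            print(f"{label:9} {f['shown']!r:30} real={f['addr_spec']} "
                  f"mismatch={f['mismatch']}")
```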