Customer display to easy to deceive via reply-to

[solariz]

Hey,

not a Technical bug, but I noticed the freescout inbox is currently doing its part to easy deceive users with phishing / spam.

Currently it displays the "customer" with its email so the user think this was written by XYZ but instead it coming from ABC at totally different domain. Freescout seems to use the reply-to: in the mail header to display this as the Customers Email.

Let me try to explain better. The Email received is displaying like this in Freescout:

As a User I would believe the Email is comming from Carina Ebeling from Steuerring. But in fact the Mail header tells the truth it is a phishing only using carina ebeling in the reply-to: nothing else. But this is enough already to display it as the Origin which can of course lead to big issues.

The Actual Header:

From: Greuth Mueller <[email protected]>
To: contakt@#########.de
Reply-To: [email protected]
Return-Path: <[email protected]>

Here the full one with target domain censored:

Return-Path: <[email protected]>
Delivered-To: hello@########.de
Received: from mail.@######## (localhost [127.0.0.1])
	by mail.@######## with ESMTP id 038845DD08
	for <contakt@########>; Wed,  9 Oct 2024 14:41:51 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.planetlan.net 038845DD08
Authentication-Results: mail.########;
	dkim=pass (2048-bit key; unprotected) header.d=ggsseguros.com [email protected] header.b="Q9wXx8y/";
	dkim-atps=neutral
Authentication-Results: ########; dkim=pass [email protected]
X-DKIM-Authentication-Results: pass
Received: from mail.ggsseguros.com (unknown [185.36.141.204])
	by mail.######## (3Q) with ESMTPS
	for <contakt@########>; Wed,  9 Oct 2024 14:41:48 +0200 (CEST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 16A262A1267
	for <contakt@########>; Wed,  9 Oct 2024 12:34:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ggsseguros.com;
	s=dkim; t=1728477271;
	h=from:reply-to:subject:date:message-id:to:mime-version:content-type;
	bh=K30fYgf0TXtUyr65uNQDjSDuYthxv9wlj4sQVqJ7ubI=;
	b=Q9wXx8y/rCd4Flgv+9JSqc7joFMCb8yBVKg6b9X/BR2Aw3sFklcTMxbJT/YTGCKOl9iDxO
	vCg2OWAH10k1XTYWYPFh1fIzqRODJjRMAIRFvN/StHYqxtuJCXMFqTefMqiQ3RpXMkYUdN
	pwLPTMfk7o2x51cJhnBWAEScnCmvx3gNbSbfEu0jh6fD1oi0WEgSYASLUS8ihIWSrG5gGX
	eZLpgYaywQbhezs7VkzYpLOIsqWjhPVBlm7kOVH0WYvEmDV6Po7bBjOq2tqvSfEnxItwgN
	Lxlz0+Zs6SvSKnpdTmoexnkHRo3N9hX5Yu0lR/lwJP867tjF/6YgP53bsDZEuA==
From: Greuth Mueller <[email protected]>
To: contakt@########
Reply-To: [email protected]
Subject: Ausstehende Zahlung
Message-ID: <[email protected]>
Date: Wed, 09 Oct 2024 12:34:30 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--_NmP-78736a092b5eae0c-Part_1"
X-Last-TLS-Session-Version: TLSv1.2

It would be great if there would be a saftey check or the real From: would be used for display.

Currently I can just change the reply-to to whatever I like to fake that the Email look like it is coming from that person.

Thanks you

[freescout-help]

Now "From" email address will be shown in the conversation when From and Reply-To headers in the email are not same: