Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add email.return_path.address #1947

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add email.return_path.address #1947

wants to merge 6 commits into from

Conversation

ebeahan
Copy link
Member

@ebeahan ebeahan commented May 26, 2022

Overview

As described in #1934, security analysts find the Return-Path header useful for examining email events, and the field is a good addition to the email.* field set.

Open questions

RFC 5322 Return-Path holding a single value, so I've created email.return_path.address to expect only one value.

Any known use cases where Return-Path would hold more than one value, and would it benefit return_path.address to hold an array of values?

Resolves #1934

@ebeahan ebeahan self-assigned this May 26, 2022
@ebeahan ebeahan requested a review from a team as a code owner May 26, 2022 20:32
@ebeahan
Copy link
Member Author

ebeahan commented May 26, 2022

Any known use cases where Return-Path would hold more than one value, and would it benefit return_path.address to hold an array of values?

@MarkVanAcker, from your experiences, do Return-Path headers ever contains > 1 address?

@MarkVanAcker
Copy link

@ebeahan thank you for working on this so quickly. According to the RFC:

A message-originating SMTP system SHOULD NOT send a message that
already contains a Return-path header field. SMTP servers performing
a relay function MUST NOT inspect the message data, and especially
not to the extent needed to determine if Return-path header fields
are present. SMTP servers making final delivery MAY remove Return-
path header fields before adding their own.

It is not supposed to have > 1 addresses nor have I experienced this, but in theory a badly coded SMTP client could add it. For this reason allowing an array of values would be beneficial to detect anomalies.

@ebeahan
Copy link
Member Author

ebeahan commented Jun 27, 2022

Updated change to set normalize: [ 'array' ] for email.return_path.address. PR is ready for a review.

@djptek
Copy link
Contributor

djptek commented Jun 28, 2022

For this reason allowing an array of values would be beneficial to detect anomalies.

I'm not sure about this, it sets a theoretical precedent for permitting an Array of almost any field in order to detect anomalies.

@MarkVanAcker have you seen any example in the field where this occurs, otherwise would it be possible to detect such potential anomalies in the process of mapping to ECS rather than after the fact?

@MarkVanAcker
Copy link

MarkVanAcker commented Jun 28, 2022
edited
Loading

@djptek As per RFC, a SMTP system should not send a message that already contains a return-path header and may remove the previous return-path before adding its own. Depending on how you interpret that last line, having multiple entries is thus not forbidden by the RFC, but rather not recommended. From a theoretical perspective, making this an array seems sound to me.

However, I have never seen any example of this behavior. I also don't know how modern mail servers behave when dealing with multiple return-paths.

We map our fields to ECS before they enter the Elastic SIEM, so detecting anomalies before that would be a bit tricky.

@ebeahan ebeahan removed their assignment Jul 26, 2022
@MarkVanAcker
Copy link

@ebeahan Any updates on the progress of this change?

@github-actions
Copy link

This PR is stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the stale Stale issues and pull requests label Oct 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
stale Stale issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add email.return_path
3 participants
@ebeahan @MarkVanAcker @djptek