update

ts/mail/delivery/smtpserver/data-handler.ts

@@ -580,10 +580,11 @@ SmtpLogger.debug(`Parsed email subject: ${subject}`, { subject });
     const headersText = rawData.substring(0, headerEndIndex);
     const bodyText = rawData.substring(headerEndIndex + 4); // Skip the \r\n\r\n separator
     
-    // Parse headers
+    // Parse headers with enhanced injection detection
     const headers: Record<string, string> = {};
     const headerLines = headersText.split('\r\n');
     let currentHeader = '';
+    const criticalHeaders = new Set<string>(); // Track critical headers for duplication detection
     
     for (const line of headerLines) {
       // Check if this is a continuation of a previous header
@@ -601,14 +602,47 @@ SmtpLogger.debug(`Parsed email subject: ${subject}`, { subject });
         const value = line.substring(separatorIndex + 1).trim();
         
         // Check for header injection attempts in header values
-        if (detectHeaderInjection(value)) {
+        if (detectHeaderInjection(value, 'email-header')) {
           SmtpLogger.warn('Header injection attempt detected in email header', { 
             headerName: name, 
             headerValue: value.substring(0, 100) + (value.length > 100 ? '...' : ''),
             sessionId: session.id
           });
-          // Skip this header to prevent injection
-          continue;
+          // Throw error to reject the email completely
+          throw new Error(`Header injection attempt detected in ${name} header`);
+        }
+        
+        // Enhanced security: Check for duplicate critical headers (potential injection)
+        const criticalHeaderNames = ['from', 'to', 'subject', 'date', 'message-id'];
+        if (criticalHeaderNames.includes(name)) {
+          if (criticalHeaders.has(name)) {
+            SmtpLogger.warn('Duplicate critical header detected - potential header injection', { 
+              headerName: name, 
+              existingValue: headers[name]?.substring(0, 50) + '...',
+              newValue: value.substring(0, 50) + '...',
+              sessionId: session.id
+            });
+            // Throw error for duplicate critical headers
+            throw new Error(`Duplicate ${name} header detected - potential header injection`);
+          }
+          criticalHeaders.add(name);
+        }
+        
+        // Enhanced security: Check for envelope mismatch (spoofing attempt)
+        if (name === 'from' && session.envelope?.mailFrom?.address) {
+          const emailFromHeader = value.match(/<([^>]+)>/)?.[1] || value.trim();
+          const envelopeFrom = session.envelope.mailFrom.address;
+          // Allow some flexibility but detect obvious spoofing attempts
+          if (emailFromHeader && envelopeFrom && 
+              !emailFromHeader.toLowerCase().includes(envelopeFrom.toLowerCase()) &&
+              !envelopeFrom.toLowerCase().includes(emailFromHeader.toLowerCase())) {
+            SmtpLogger.warn('Potential sender spoofing detected', { 
+              envelopeFrom: envelopeFrom,
+              headerFrom: emailFromHeader,
+              sessionId: session.id
+            });
+            // Note: This is logged but not blocked as legitimate use cases exist
+          }
         }
         
         // Special handling for MIME-encoded headers (especially Subject)