See also: https://www.wired.com/story/mailsploit-lets-hackers-forge-perfect-email-spoofs/ Just one quote:
It seems that it is not/no longer true that this will not be fixed in Thunderbird: There is a corresponding tracking bug.
If I'm not mistaken this type of spoofed mail should be relatively easy to filter: I've tried the demo from https://www.mailsploit.com/index#demo and saw that the From: header was:
Code:
From: "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?=" <=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?=@mailsploit.com>
Since this comment suggests as a possible mitigation: ... an obvious solution, IMHO, is to create a filter like this:
If the From: header contains ? OR < OR > OR = THEN move the mail to Junk
The Thunderbird filter (which works for me) looks like this:
Code:
name="Email Spoofing"
enabled="yes"
type="17"
action="Move to folder"
actionValue="mailbox://nobody@nowhere.net/Junk"
condition="OR (\"from\",contains,?) OR (\"from\",contains,>) OR (\"from\",contains,<) OR (\"from\",contains,=)"
What do you think? This might not be a complete solution but, at least, a good start.
Thank you! I wonder whether this shouldn't be fixed at the email providers' side. But that could take ages before it gets done .... Maybe some balancing act, where and how to fix it in both a secure and privacy concerned way, and all of those questions. I admit, I'm not sure myself at the moment.
Unfortunately, this filter does work for some but not for all variants (payloads) on https://www.mailsploit.com/index#demo. I have to investigate this further. Any suggestions?
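
Added example, not part of the thread and not any poster's code: a Python check that, rather than matching punctuation, flags the traits visible in the From: header quoted above (control characters after RFC 2047 decoding, encoded-words inside the address, and a decoded display name that carries an address from another domain). The function names and reason strings are assumptions, the input is assumed to be an unfolded header value, and it addresses this header shape only, not every demo variant.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # tab (0x09) is tolerated
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# From: value as quoted in the thread (taken from the demo page).
SAMPLE = ('"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?=" '
          '<=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=0A=00?=@mailsploit.com>')

def _decode_word(match):
    """Decode one encoded-word; return it unchanged if it cannot be decoded."""
    charset, enc, payload = match.groups()
    try:
        if enc.lower() == "b":
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        else:
            raw = binascii.a2b_qp(payload.encode("ascii", "replace"), header=True)
        return raw.decode(charset, "replace")
    except (ValueError, LookupError):  # bad base64 or unknown charset
        return match.group(0)

def decode_words(text):
    return ENCODED_WORD.sub(_decode_word, text)

def check_from(value):
    """Return reasons an unfolded From: value looks spoofed ([] means clean)."""
    reasons = []
    m = re.search(r"<([^<>]*)>\s*$", value)
    addr = m.group(1) if m else value.strip()
    display = value[:m.start()] if m else ""
    # 1. NUL, newline and other controls hidden inside encoded-words
    if CONTROL.search(decode_words(value)):
        reasons.append("control-character")
    # 2. RFC 2047 forbids encoded-words inside an addr-spec
    if ENCODED_WORD.search(addr):
        reasons.append("encoded-word-in-address")
    # 3. display name shows an address from a domain other than the real one
    real_domain = addr.rpartition("@")[2].lower()
    if any(d.lower() != real_domain for d in ADDRESS.findall(decode_words(display))):
        reasons.append("display-name-address-mismatch")
    return reasons

if __name__ == "__main__":
    print(check_from(SAMPLE))
```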