Fix Sender.Email leaking mailbox-owner address when authoritative sender properties are absent#515
Merged
Sicos1977 merged 1 commit intoJun 2, 2026
Conversation
…der properties are absent
When a .msg file is saved from a recipient's mailbox (rather than the original sender's
Sent Items), the authoritative sender properties PR_SENDER_EMAIL_ADDRESS (0x0C1F) and
PR_SENDER_SMTP_ADDRESS (0x5D01) are often absent. The existing fallback chain in
SetEmailSenderAndRepresentingSender then falls through to non-authoritative sources:
- PR_SENDER_SMTP_ADDRESS_ALTERNATE (0x6512)
- InternetAccountName
- PR_PRIMARY_SEND_ACCT (0x0E28)
On items saved by Outlook from a recipient's mailbox these fields can be populated with
the mailbox owner's own SMTP address rather than the real sender's. The result is that
Sender.DisplayName correctly shows the real sender (from PR_SENDER_NAME) while
Sender.Email reports the mailbox owner's address — i.e., one of the recipients of the
message. This is misleading and can cause downstream consumers to attribute the message
to the wrong party.
Fix:
1. Track whether the resolved sender email came from an authoritative property
(PR_SENDER_EMAIL_ADDRESS or PR_SENDER_SMTP_ADDRESS) via a new local flag
`senderEmailIsAuthoritative`.
2. Just before constructing the Sender object, if the email is NOT authoritative and
matches the SMTP address of any entry in `_recipients` (OrdinalIgnoreCase),
clear it. DisplayName is preserved, so consumers still see the real sender's name
(typically from PR_SENDER_NAME), but the misleading mailbox-owner address is no
longer reported as the sender's email.
The guard is intentionally narrow: it only fires when (a) the fallback path was used
AND (b) the resolved address actually collides with a known recipient — so messages with
correctly-populated authoritative properties, or fallback-resolved addresses that don't
match a recipient, are unaffected.
No public API change. Logger.WriteToLog emits a single line when the guard fires, to aid
diagnosis.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
tariqgitspace
force-pushed
the
fix/sender-email-recipient-leak
branch
from
165556e to
45fc9bd
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When a
.msgfile is saved from a recipient's mailbox (rather than the original sender's Sent Items), the authoritative MAPI sender propertiesPR_SENDER_EMAIL_ADDRESS(0x0C1F)PR_SENDER_SMTP_ADDRESS(0x5D01)are often absent.
SetEmailSenderAndRepresentingSenderthen falls through to non-authoritative sources:PR_SENDER_SMTP_ADDRESS_ALTERNATE(0x6512)InternetAccountNamePR_PRIMARY_SEND_ACCT(0x0E28)On items saved by Outlook from a recipient's mailbox, those fields are often populated with the mailbox owner's own SMTP address rather than the real sender's. The observable result is:
Sender.DisplayNameis correct (fromPR_SENDER_NAME) — shows the real sender's name.Sender.Emailis wrong — it contains the mailbox owner's SMTP address, i.e. one of the message's recipients.This is misleading and causes downstream consumers to attribute the message to the wrong party.
Fix
Track whether the resolved sender email came from an authoritative property (
PR_SENDER_EMAIL_ADDRESSorPR_SENDER_SMTP_ADDRESS) via a new local flagsenderEmailIsAuthoritative.Just before constructing the
Senderobject, if the email is not authoritative and matches the SMTP address of any entry in_recipients(OrdinalIgnoreCase), clear it.DisplayNameis preserved, so consumers still see the real sender's name; only the misleading mailbox-owner address is suppressed.Why this is safe
The guard is intentionally narrow — it only fires when both:
Messages with correctly-populated
PR_SENDER_EMAIL_ADDRESS/PR_SENDER_SMTP_ADDRESSare completely unaffected, as are fallback-resolved addresses that don't collide with any recipient.Scope
MsgReader/Outlook/Message.csLogger.WriteToLogemits one line when the guard fires, to aid diagnosis..msgto exercise this property combination is non-trivial; happy to add one if a recommended approach exists in the repo.