deltachat-core-rust
issue with displaynames set by spammers
spammers may fake names and use some existing addresses; this just happened to "delta at merlinux eu", my desktop app got the name of some "sunglass manufactor" over the wire somehow, probably as a faked From: "Sunglass Manufactor" <delta at merlinux eu>.
this results in reusing this name on sending to a group containing "delta at merlinux eu". (for "delta at merlinux eu" itself, this is no issue as that address uses the settings that cannot be changed that way).
when the real owner of "delta at merlinux eu" writes again, however, the wrong name will be set to the correct one again, but there is still some chance the wrong name is sent out in between.
EDIT: it is not only a delta chat problem, the screenshot below is from thunderbird :)
so, wondering what we can do about that. i think, the issue is mainly about gossiped names currently - so maybe accept them only when they come from a group (spammers usually do not know the grpid) and/or when the message is encrypted (spammers usually do not encrypt). other names coming in can be used as well, however, they should have a lower origin.
The issue here is the softfail SPF record for merlinux.eu:
merlinux.eu. 79 IN TXT "v=spf1 ip6:2a01:4f8:c17:b03::2 ip4:78.46.202.179/32 ip4:95.217.159.152 ip6:2a01:4f9:c010:78bc::1 ~all"
It should be -all, so forged mails are rejected by receiving servers.
There is nothing we can do on the client afaik.
> so, wondering what we can do about that. i think, the issue is mainly about gossiped names currently - so maybe accept them only when they come from a group
There is already an origin check that should prevent authname update when we have received the true name from the user: https://github.com/deltachat/deltachat-core-rust/blob/db991453b0d0a009b8010490bcd80d5ebe0e91a4/src/contact.rs#L453
> and/or when the message is encrypted (spammers usually do not encrypt)
Then the name will never be updated if the user switches to a classic MUA.
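
The `~all` versus `-all` point raised in the thread can be checked mechanically for any domain. The following Python sketch is an added example, not code from this thread or from Delta Chat: the function names are hypothetical, `PAGE_RECORD` is the TXT record quoted above, and `HARDENED_RECORD` is a constructed variant that differs only in the final qualifier.

```python
# Added example: report what an SPF record says about senders that match
# none of its mechanisms (the case a forged From: from an unlisted host hits).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record quoted in the thread.
PAGE_RECORD = ("v=spf1 ip6:2a01:4f8:c17:b03::2 ip4:78.46.202.179/32 "
               "ip4:95.217.159.152 ip6:2a01:4f9:c010:78bc::1 ~all")
# Constructed variant with the change proposed in the thread.
HARDENED_RECORD = PAGE_RECORD[:-len("~all")] + "-all"


def spf_default_result(txt: str) -> str:
    """Return the SPF result for a host that matches no listed mechanism."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    redirect = None
    for term in terms[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            redirect = lowered.split("=", 1)[1]
            continue
        # A mechanism without an explicit qualifier defaults to "+".
        qualifier, mech = "+", lowered
        if lowered[0] in QUALIFIERS:
            qualifier, mech = lowered[0], lowered[1:]
        if mech == "all":
            # RFC 7208: terms after "all" are ignored, and so is any redirect.
            return QUALIFIERS[qualifier]
    if redirect:
        # Policy is delegated; the target domain's record must be audited.
        return "redirect:" + redirect
    # No "all" and no redirect behaves like "?all".
    return "neutral"


def permits_rejection(txt: str) -> bool:
    """True only if unlisted senders get a hard 'fail' result."""
    return spf_default_result(txt) == "fail"


if __name__ == "__main__":
    for label, record in (("current", PAGE_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, spf_default_result(record), permits_rejection(record))
```

A `redirect:` result means the decision lives in another domain's record, which has to be fetched and checked the same way.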