
Ditch default Reply-To configuration

Open · antondollmaier opened this issue 4 years ago · 0 comments

Dear maintainers,

as an introductory note, please do accept my apologies for opening this issue - I'm neither a developer nor a user reporting this, but a sysadmin with a spam problem at hand.

One of our customers is relying on your extension to curate their member area for their customers.

Due to yet unknown circumstances, they managed to send one (yes, a single) sign-up mail to a mailserver with probably a very eager postmaster and protected with the UCEPROTECT blacklist, because we spotted this log message:

status=bounced (host mailgate1.xxx[77.235.x.x] said: 550 Your IP will be reported for abuse - better watch out next time.

Obviously, being blacklisted caused troubles for other customers until outbound mail-traffic was re-routed.

After checking the logs, we found this entry in the PHP mail log:

[27-May-2021 08:55:15 Europe/Berlin] mail() on [/var/www/xxx/htdocs/www.xxxx.de/releases/20210520090655/Packages/Libraries/swiftmailer/swiftmailer/lib/classes/Swift/Transport/SimpleMailInvoker.php:34]: To:[email protected] -- Headers: Message-ID: <[email protected]> Date: Thu, 27 May 2021 08:55:15 +0200 From: xxx <[email protected]> Reply-To: Sandstorm Usermanagement Package Reply-To Email <[email protected]> MIME-Version: 1.0 Content-Type: multipart/alternative;  boundary="_=_swift_v4_1622098515_dc236545b62d12a3b3333f9125638318_=_" -- Subject: Please confirm your account

Only the recipient, the sender and the hostname in the Message-ID are obfuscated. The Reply-To is unaltered and matches your default settings:

  • https://github.com/sandstorm/UserManagement/blob/master/Configuration/Settings.yaml#L55

The customer has already been notified about the incident and has been asked to change the defaults as well as not to rely on sendmail any more.

For future releases, I'd like to urge you to completely remove the default reply-to setting:

  • if no reply-to is defined, MUAs will reply to the From address anyway.
  • if a webmaster specifies a reply-to willingly, they do so on purpose.
  • leaving example.com in place will also result in misrouted responses if users do not pay full attention.

I will provide a PR as well, if this is desired.

Thank you very much for considering sane defaults for the webmaster - and please again accept my apologies for opening this issue at all.

Best, Anton

antondollmaier · May 27 '21 20:05
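The following is an added example, not code from the UserManagement package or from the issue author. It shows the two sides of the problem described above: a detection pass that parses PHP `mail()` log lines of the shape quoted in the issue and flags entries whose Reply-To still points at a reserved documentation domain (RFC 2606: example.com/.net/.org, .example, .invalid, .test), and a `resolve_reply_to` helper illustrating the requested default, where the header is simply omitted unless a real, non-placeholder address was configured. The log line, addresses and domains in the block are constructed; the function names are hypothetical.

```python
"""Added example: detect and avoid a shipped placeholder Reply-To.

Not part of the UserManagement project. The sample log line is constructed
to mirror the PHP mail() log format quoted in the issue; all addresses and
domains in it are placeholders.
"""
import re
from email.utils import parseaddr

# RFC 2606 reserved/documentation domains: anything ending in these should
# never be the destination of a real reply.
RESERVED_DOMAIN_RE = re.compile(
    r"(^|\.)(example\.(com|net|org)|example|invalid|test)$", re.IGNORECASE
)

# Header names that PHP's mail() logging runs together on one line.
HEADER_NAMES = ("Message-ID", "Date", "From", "Reply-To", "MIME-Version", "Content-Type")

LOG_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<loc>[^\]]+)\]: To:(?P<to>\S+) "
    r"-- Headers: (?P<hdr>.*?) -- Subject: (?P<subject>.*)$"
)

# Constructed sample line (same shape as the one in the issue, placeholder values).
SAMPLE_LOG = (
    "[27-May-2021 08:55:15 Europe/Berlin] mail() on "
    "[/var/www/site/Packages/Libraries/swiftmailer/lib/classes/Swift/Transport/SimpleMailInvoker.php:34]: "
    "To:user@recipient.lan -- Headers: Message-ID: <abc123@host.lan> "
    "Date: Thu, 27 May 2021 08:55:15 +0200 From: Site <noreply@customer-site.lan> "
    "Reply-To: Package Reply-To Email <noreply@example.com> MIME-Version: 1.0 "
    'Content-Type: multipart/alternative;  boundary="_=_swift_=_" -- Subject: Please confirm your account'
)


def parse_mail_log_entry(line: str) -> dict:
    """Split one PHP mail() log line into timestamp, recipient, subject and a header dict."""
    m = LOG_LINE_RE.match(line)
    if not m:
        raise ValueError("not a PHP mail() log line")
    headers = {}
    # Headers are separated only by whitespace; split in front of each known header name.
    splitter = r"\s(?=(?:%s):\s)" % "|".join(HEADER_NAMES)
    for chunk in re.split(splitter, m.group("hdr")):
        name, _, value = chunk.partition(":")
        headers[name.strip()] = value.strip()
    return {
        "timestamp": m.group("ts"),
        "to": m.group("to"),
        "subject": m.group("subject"),
        "headers": headers,
    }


def domain_of(address_header: str) -> str:
    """Domain part of an RFC 5322 address header such as 'Name <user@host>'."""
    _, addr = parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


def is_reserved_domain(domain: str) -> bool:
    return bool(RESERVED_DOMAIN_RE.search(domain))


def find_placeholder_reply_to(lines):
    """Return (timestamp, recipient, reply_to_domain) for every log entry
    whose Reply-To still points at a reserved documentation domain."""
    hits = []
    for line in lines:
        try:
            entry = parse_mail_log_entry(line)
        except ValueError:
            continue  # unrelated log line
        reply_to = entry["headers"].get("Reply-To")
        if reply_to and is_reserved_domain(domain_of(reply_to)):
            hits.append((entry["timestamp"], entry["to"], domain_of(reply_to)))
    return hits


def resolve_reply_to(configured, sender):
    """Mitigation side: return the Reply-To to set, or None to omit the header
    so that mail clients fall back to From. An empty, placeholder-domain or
    From-identical value counts as 'not configured'."""
    if not configured:
        return None
    _, addr = parseaddr(configured)
    if "@" not in addr or is_reserved_domain(addr.rpartition("@")[2]):
        return None
    if addr.lower() == parseaddr(sender)[1].lower():
        return None  # identical to From: the header adds nothing
    return configured


if __name__ == "__main__":
    for ts, to, dom in find_placeholder_reply_to([SAMPLE_LOG]):
        print(f"{ts}: mail to {to} carries placeholder Reply-To domain {dom}")
```

Run against a real PHP mail log, `find_placeholder_reply_to` gives a quick inventory of how many confirmation mails went out with the unchanged default; `resolve_reply_to` is the shape a sane default takes, since returning `None` and not setting the header at all is exactly what lets replies land at the From address.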