Re: Email::Address easily spoofed

2010-01-07 Thread Karen Cravens

Hans Dieter Pearcey wrote:


> I mean what the OP said he was using it for: running various commands when
> messages are received.


But that can be something as soft as (as it turned out), a mailing list 
response. Which was actually *my* first thought (unsurprisingly).



> I'm not talking about whether or not this is a bug in E::A; I'm addressing the
> design (flaws) of using E::A specifically and From header parsing generally to
> do this kind of authentication.


I figure using it for authentication is just fine. It's how much 
authorization you credit to that sort of authorization that matters.


I had, to be honest, figured by the time we got this grossly into the 
future (thank you, SpamAssassin), we'd be seeing spambots smart enough 
to recognize mailing lists, and to match up incoming From addresses 
with the mailing list address to successfully forge from-a-subscriber 
mails. But we haven't, which probably says more about the decline of 
mailing lists than about the sophistication of spammers, so it's still 
fairly safe to trust a From line that you recognize. At least, given 
some other basic spam filtering has taken place.





Re: Email::Address easily spoofed

2010-01-06 Thread Karen Cravens

Hans Dieter Pearcey wrote:


> If you are relying on From (or Sender) headers for access control, you have
> already lost.  Almost every part of the email header and SMTP transaction can
> be faked by a malicious user.


Depends on what you mean by access control. I can easily see where you'd 
want to use it as part of your spam filtering, which might be considered 
a soft authentication. For example, I've seen spam with a pattern like this:


From: phishsch...@somebankorother <botinfec...@legitisp>

I'm guessing the use of the infected user's real address (or at least 
one that's not likely to be blacklisted) gets the thing through the 
infected user's ISP, and then (so the phisher hopes) the recipient only 
sees the comment and assumes it's the actual source.


You'd still want E::A to parse it properly, if only so you can test for 
"If the comment is a valid email address, but doesn't match the 
bracketed email address, it's spam."
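The check described in this post (a display name or comment that is itself an address, but not the bracketed one), as an added example that is not part of the thread and does not use Email::Address. It is written in Python with a deliberately simplified mailbox grammar (an assumption for illustration, not full RFC 5322 parsing), and the sample headers and domains are constructed placeholders. It goes slightly beyond the post by also covering the quoted-display-name and trailing-comment forms of the same trick.

```python
import re

# Simplified mailbox grammar (an assumption for this example, not full
# RFC 5322): "display" <addr>, display <addr>, addr (comment), or bare addr.
_ANGLE_RE = re.compile(
    r'^\s*(?P<display>.*?)\s*<(?P<addr>[^<>\s]+)>\s*(?P<trail>.*)$')
_COMMENT_RE = re.compile(
    r'^\s*(?P<addr>[^\s<>()]+)\s*\((?P<comment>[^()]*)\)\s*$')
# "Looks like an address": one @, no whitespace or grouping characters.
_ADDR_RE = re.compile(r'^[^\s@<>()"]+@[^\s@<>()"]+$')


def split_from(header):
    """Split a From value into (real_addr, decorations).

    real_addr is the angle-bracketed address (or the bare addr-spec);
    decorations are the display name and/or trailing comment, which a
    mail client shows prominently but which carry no authority.
    """
    m = _ANGLE_RE.match(header)
    if m:
        display = m.group('display').strip()
        if len(display) >= 2 and display[0] == display[-1] == '"':
            display = display[1:-1]          # quoted display name
        decorations = [display] if display else []
        trail = m.group('trail').strip()
        if trail.startswith('(') and trail.endswith(')'):
            decorations.append(trail[1:-1].strip())
        return m.group('addr'), decorations
    m = _COMMENT_RE.match(header)
    if m:
        return m.group('addr'), [m.group('comment').strip()]
    return header.strip(), []


def looks_like_address(text):
    return bool(_ADDR_RE.match(text))


def classify_from(header):
    """Return 'mismatch' if a decoration is itself an address that differs
    from the real one (the pattern discussed in the thread), 'clean' if
    not, and 'unparseable' if no address can be found at all."""
    addr, decorations = split_from(header)
    if not looks_like_address(addr):
        return 'unparseable'
    for deco in decorations:
        # Case-insensitive compare: good enough for a spam heuristic, even
        # though local parts are technically case-sensitive.
        if looks_like_address(deco) and deco.lower() != addr.lower():
            return 'mismatch'
    return 'clean'


# Constructed sample headers; the domains are placeholders, not real hosts.
SAMPLES = [
    'phishscheme@somebankorother <botinfected@legitisp>',
    '"alerts@somebankorother" <botinfected@legitisp>',
    'botinfected@legitisp (alerts@somebankorother)',
    'Karen Cravens <karen@example.com>',
    'karen@example.com <karen@example.com>',
    'karen@example.com',
    'Not An Address',
]

if __name__ == '__main__':
    for header in SAMPLES:
        print(f'{classify_from(header):11} {header}')
```

The verdict is only a spam-filter signal, in keeping with the "soft authentication" framing above: a mismatch is a strong hint, but a clean result says nothing about whether the bracketed address was forged.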




Re: I hate Unicode

2008-06-26 Thread Karen Cravens
On Thu, 26 Jun 2008, Ricardo SIGNES wrote:

RS> Wow.  I had never noticed this bit of HORRIBLENESS before.

Um... thanks?

RS> Email::MIME, once again, is shown to be useful for a very, very small set of
RS> email.  That is, email that is not wrong; all correct email won't work either,
RS> but this email is failing because it's not to-spec.

Yeah. (It was a forwarded Chinese spam, and to complicate things it was 
probably forwarded back when Pine didn't deal with weird character sets 
either. So there's a high probability even with a known encoding it could 
be corrupted.)

Failing would generally be okay, but I'd like it to fail when the 
Email::MIME object is created, not spring a surprise on me later. Which is 
probably not feasible without an unacceptable performance hit, but I can 
still want it.

RS> Probably.  I'm not sure if the encoding in a encoded-word needs to be in a
RS> registry somewhere, and whether X-UNKNOWN is.

It does, and it isn't. Though "needs to be" is flexible; you can tell 
Encode what to do with it, just Encode::Unicode doesn't apparently respect 
your choices.

RS> Headers *must* be encoded into a seven bit format.  I have no idea what
RS> unicode means as the first arg to encode, but I doubt that it's 7-bit safe.
RS> You'll want to use Encode::MIME::Header, which means you'll need to have a
RS> utf-8 string first.

Oh hey, I hadn't thought of that. I'm not really sure what it means 
either. Hmm. (I'm still cargo-culting this whole unicode thing.  I'm going 
to have to dig into how that actually works sooner or later, I've just 
been hoping for, y'know, later.) 

The critter needs to be unicode'd when it's stored in the database, but I 
could do that on the string *after* it's Email::MIME'd.
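The two points in this exchange, that an encoded-word's charset has to be one your decoder actually knows (X-UNKNOWN is not) and that header values must be folded back into 7-bit form, as an added example that is not part of the thread. It uses Python's email.header instead of Perl's Encode and Encode::MIME::Header, and fails at decode time rather than later, which is the behaviour wished for above. The sample header values are constructed, including one that mimics a forwarded message whose bytes no longer match the charset they claim.

```python
import codecs
from email.header import Header, decode_header


class HeaderDecodeFailure(ValueError):
    """Raised as soon as a header cannot be decoded, rather than later."""


def decode_header_strict(raw):
    """Decode RFC 2047 encoded-words in a header value.

    Unlike a lazy decode, this fails up front when an encoded-word names a
    charset with no codec (X-UNKNOWN is in no registry) or when the bytes
    are not valid in the charset they claim (a corrupted forward).
    """
    pieces = []
    for chunk, charset in decode_header(raw):
        if charset is None:
            # decode_header hands back str for a plain header, bytes otherwise.
            pieces.append(chunk.decode('ascii', 'replace')
                          if isinstance(chunk, bytes) else chunk)
            continue
        try:
            codecs.lookup(charset)
        except LookupError:
            raise HeaderDecodeFailure(
                f'encoded-word uses unregistered charset {charset!r}') from None
        try:
            pieces.append(chunk.decode(charset))
        except UnicodeDecodeError as exc:
            raise HeaderDecodeFailure(
                f'encoded-word bytes are not valid {charset}: {exc}') from None
    return ''.join(pieces)


def rejects(raw):
    """True if decode_header_strict refuses the value (used by the checks)."""
    try:
        decode_header_strict(raw)
    except HeaderDecodeFailure:
        return True
    return False


def encode_header_7bit(text, charset='utf-8'):
    """Fold a Unicode header value into 7-bit-safe encoded-words."""
    encoded = Header(text, charset).encode()
    if not encoded.isascii():       # headers must stay 7-bit on the wire
        raise HeaderDecodeFailure('encoder produced non-ASCII output')
    return encoded


# Constructed sample header values (the X-UNKNOWN one mimics the forwarded
# spam described in the thread; the last one is valid base64 of byte 0xff).
SAMPLES = [
    '=?utf-8?B?5pel5pys6Kqe?=',          # valid utf-8 encoded-word
    'Fwd: =?X-UNKNOWN?B?aGVsbG8=?=',     # charset nobody has a codec for
    '=?utf-8?B?/w==?=',                  # declared utf-8, bytes are not
]

if __name__ == '__main__':
    for raw in SAMPLES:
        try:
            print(repr(decode_header_strict(raw)))
        except HeaderDecodeFailure as err:
            print('rejected:', err)
    print(encode_header_7bit('日本語'))
```

Storing the decoded text means deciding what to do with the rejected cases at the same time; the example refuses them, but a store could equally keep the raw header bytes alongside a flag so nothing is silently lost.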


Re: Email::Store is dead! Long live Email::Store!

2007-09-19 Thread Karen Cravens
On Wed, 19 Sep 2007, Hans Dieter Pearcey wrote:

HDP> Close enough, I think.  It's a really interesting conversation to have; web

Oh, good, because clearly Sudafed (plus Diet Dew to combat the drowsiness) 
clearly makes me chatty.

It would be nice to be able to say "Let's take this conversation over to 
the Wirebird mailing list" except, like I just said (buried in the 
lengthy, lengthy post to Simon), it's not fully moved yet. So I'm left 
with saying "I just set up a webforum!  Let's go!" which sounds vaguely 
familiar somehow.

But if this conversation *does* bother anyone, soon as I get past this 
sinus yuck and can focus on finishing the install, we can move over there. 
(Guess I could just turn on the daemon and hope for the best...) Of 
course, once I get off the Sudafed+Dew I probably won't be so inclined 
toward lengthy rants.

Then again, get me started on what webforums do wrong and I'll rant 
without any chemical incentives. As evidenced in the PEPBOF at YAPCNA, 
though here it's harder to throw magnetic business cards at people.  And 
beer.

http://flickr.com/photos/gamehawk/655094745/
http://flickr.com/photos/gamehawk/708043939/

(I see that Boulevard isn't available in Chicago, so I reckon I'll be 
bringing another trunkful to YAPC2008. Not sure about Flying Monkey, but 
probably that too.)


Re: Email::Store is dead! Long live Email::Store!

2007-09-19 Thread Karen Cravens
On Wed, 19 Sep 2007, Ricardo SIGNES wrote:

RS> No, I think enough of us have a vested interest in seeing this kind of thing
RS> done properly.

Don't encourage me.  I'll start posting SQL schemas and stuff. And 
assigning tasks. And setting up a repository (thereby terrifying my 
husband/sysadmin; periodically I ask him things like "Can't I just chmod 
0777 everything now?" or "I'm going to set up Apache to run as root, is 
that okay?" (Hey, *my* code is secure, it shouldn't be a problem, right? 
Heh.))

RS> Seriously, I still think about that Boulevard beer from time to time.  I wonder
RS> if my local beverage distributor could acquire a case for me.

Hey, I'll happily ship whatever you want. (In better packaging than USPS 
Priority Flat-Rate, even. Though you can fit 9 bottles, I think it was, in 
one of those, if you don't bother with niceties like padding.)  Cheaper, 
but probably less legal, than having your distributor do it.

Speak now if you want any ZON, since they stop making it in August and I'm 
not even sure there's any in circulation now (might be able to reacquire a 
couple from the in-laws). Bob's 47(?) (Munich lager) is supposedly in 
production now, though I haven't gone looking for it or anything, and the 
Nutcracker (winter ale) is scheduled to show up in November.


Re: Email::Store is dead! Long live Email::Store!

2007-09-18 Thread Karen Cravens

On Tue, 18 Sep 2007, Simon Wistow wrote:

SW> 1) To shut people up who said that there was no Perl based MLM

Did majordomo switch from Perl?  I mean, that's the granddaddy of all 
MLMs, isn't it?


SW> 2) It allowed per user Reply-To munging settings thus shutting up 
SW>    even more whiners


Heh.

I'm writing one because:

1) Web forums suck because they ignore the last, oh, 25 years of 
electronic-community development (they lack features that freakin' FIDONET 
had, never mind Usenet and mailing lists), but these days only hardcore 
geeks use mailing lists (I blame spammers), so clearly there's a need for 
community software that does both well. At the same time.


2) Um, that's about it.


Re: Email::Store is dead! Long live Email::Store!

2007-09-18 Thread Karen Cravens
On Tue, 18 Sep 2007, Dave Cross wrote:

DC> Have you looked at the source code for majordomo? Are you _sure_ that's 
DC> Perl :)

Heh.  Yeah, here's where I admit I wrote a mailing list program myself 
(some ten-ish years ago) because I couldn't figure out how to modify 
majordomo.

Here's where I also admit that NONE of its code is inherited by the one 
I'm writing now, because what I wrote was no saner than majordomo (it 
looked, not coincidentally, like Visual Basic ported into Perl. Badly).


Re: Email::Store is dead! Long live Email::Store!

2007-09-17 Thread Karen Cravens
On Mon, 17 Sep 2007, William Yardley wrote:

WY> Seems kind of overkill to write a new tool just because the one
WY> being used isn't written in Perl.

Isn't there a project to rewrite all the Debian utilities in Python 
instead of Perl because some Python people are offended by the presence of 
Perl in the distro?

Somebody's gotta maintain the cosmic Perl/Python balance.