Hello Ben
On Sat, Aug 22, 2020 at 09:10:59PM +0100, Ben Hutchings wrote:
Package: rss2email
Version: 1:3.12.1-1
Severity: serious
Tags: upstream
Today I learned that rss2email copies the email addresses from feed
entries into both the From field and the envelope sender of messages.
This is not acceptable behaviour in an email generator. The envelope
sender *must* be sent to an address that the user configures, where
*they* can receive bounce messages.
I remember seeing emails going to post authors long ago if the default
configuration was in use. Current r2e sets the From in the config if is
not set. Which should stop the issue from happening.
With the version in sid I cannot reproduce the error, would you please
check in one of the bounces you get the rss2email version?
it should be in the email headers
thanks
The current behaviour results in bounces being sent to the authors of
feed entries, which is what just happened to me. It can also result
in messages being dropped if the forgery is detected by MTAs that
check SPF.
Ben.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.7.0-1-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rss2email depends on:
ii python3 3.8.2-3
ii python3-feedparser 5.2.1-2
pn python3-html2text <none>
Versions of packages rss2email recommends:
ii python3-bs4 4.9.1-1
Versions of packages rss2email suggests:
pn esmtp <none>
--
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333
