Hi Norman,

I would suggest not letting your users use usernames with hyphens at ALL. According to the IMail Help file, it IS allowed...

"The user ID must be unique for this mail host. It must be between 3 and 30 characters and cannot contain spaces. You can use hyphen, but you should be aware that IMail Server will use the last hyphen in the user ID to delimit a mailbox name. For example, if mail is sent to the address [EMAIL PROTECTED], IMail Server reads accounts as a mailbox that belongs to mr-fred."

... but just because you can play in the street, doesn't mean you should. :-)

If you allow users to choose their own email username online, I would assume you've got some application that performs this for you. My suggestion (which is what we do - we use Platypus, which out of the box lets you set very good rules on the formatting of usernames and passwords - these settings persist with both the client app that our office uses, and the web interface that our customers sign up with) would be to modify that online app to only allow usernames 3-30 characters, no spaces, no hyphens, only letters and numbers, and maybe a period. If what they enter doesn't fit, the app should let them know and make them edit it until it does fit. That should stop the security bug that you've identified from ever happening to you.

If you've got existing users that have hyphens (I can't imagine there are too many; I don't think I've ever seen a legit message get sent to me with a hyphen in the username, usually a period is the only punctuation character used), you have to make a decision to either live with the bug (not a good plan), or more likely inform them that to keep their account secure, you have to make their hyphen a period.

I also took a look at RFC822. I'm not very good at RFC-speak, but if I'm reading it right, the only punctuation that should appear in the user portion of the address is a period. Scott or Len might want to bump in here...

Hope this helps,

Tony

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Norman J. Nolasco
>Sent: Saturday, April 06, 2002 2:52 PM
>To: [EMAIL PROTECTED]
>Subject: [IMail Forum] Is this a bug or a "feature"?
>
>This may have been covered already, I've found a couple of references to this in the KB. However, I haven't found any mention of this being a security problem. So, in the interest of protecting others with the same setup out there, here goes...
>
>I just realized that when I save a draft message through web messaging, this particular procedure is not performed as I had expected. Apparently, the draft is sent back into the mailbox through email. This is confirmed in the KB.
>
>For example, if your email address is "[EMAIL PROTECTED]" and you were to save a draft, a message is sent from your account to "[EMAIL PROTECTED]". If there is another account on your server called "test-draft", the message "disappears" from your account and ends up in the "Main" mailbox of the "test-draft" account!
>
>- This also works on other mailboxes ("test-Sent", "test-Deleted", etc...).
>
>- There is a way to change the delimiter, but this will disable draft saving.
>
>So what's the punch line?
>
>If you're running an online email service where your users are allowed to pick their own email address... you've got a big problem. Your email address is "[EMAIL PROTECTED]". If I want to grab your sent mail or saved drafts... I just create a "test-sent" and "test-draft" account... and I have a copy of all the email that reaches those folders. Another side effect is that the function will seem to not be working properly for "[EMAIL PROTECTED]". In reality, all their sent mail and drafts are getting shipped to someone else. You can run a test on your own servers:
>
>1) Create "test" and "test-draft"
>2) Login to "test"
>3) Compose an email and save the draft.
>4) Check Draft... no email.
>5) Login to "test-draft".
>6) There's the email.
>
>This assumes that you have Outgoing messages saved in your "Sent" folder and Saved drafts in your Drafts folder. As a workaround, I am not allowing any users to be created with "draft" or "sent" in them. I am not sure if this affects moving or deleting email also.
>
>- Does anyone know of an elegant way of dealing with this?
>- Is there a way to disable the "[EMAIL PROTECTED]" ability?
>- If I disable this feature, I can BCC the sender and create a rule (FROM: user -> sent) to send outgoing items into their "Sent" folder. Any ideas how to accomplish this for "Draft" saving?
>
>Finally, just a reminder to the guys (and gals) at IPSwitch... the HTML email issue will also allow a malicious user to create their own accounts and bypass my lame new username filter kluge if they knew which accounts have Host Admin or List Admin access. IMHO, draft saving and sent folder functionality should have been done exclusively on the server instead of involving sending emails to [EMAIL PROTECTED]. That's just asking for trouble.
>
>Apologies for the long message.
>
>Norman Nolasco
>Advarion Incorporated
>www.advarion.com
>www.saturnofamerica.com
>[EMAIL PROTECTED]

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.

An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Please visit the Knowledge Base for answers to frequently asked questions: http://www.ipswitch.com/support/IMail/
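As an added illustration (not code from the thread or from Ipswitch), the script below models the last-hyphen mailbox rule quoted from the Help file, the account collision Norman reproduced with "test" and "test-draft", and the two countermeasures discussed: Norman's "no draft/sent in the name" filter and Tony's "no hyphens at all" signup rule. The routing model (exact account name wins over the hyphen split) and all function names are assumptions built from the behaviour described in the thread.

```python
from __future__ import annotations
import re

# Tony's proposed signup rule: 3-30 chars, letters, digits and maybe a period;
# no spaces and no hyphens, so a user-chosen name can never parse as
# "<someone else's user>-<mailbox>" under the last-hyphen rule.
USERNAME_RE = re.compile(r"[A-Za-z0-9.]{3,30}")

def validate_username(name: str) -> bool:
    """True if the name satisfies the no-hyphen policy."""
    return USERNAME_RE.fullmatch(name) is not None

def norman_workaround(name: str) -> bool:
    """Norman's interim filter: reject names containing 'draft' or 'sent'.
    Note it still accepts 'test-deleted', which he says also collides."""
    lowered = name.lower()
    return "draft" not in lowered and "sent" not in lowered

def split_mailbox(local_part: str) -> tuple[str, str]:
    """Last-hyphen rule from the IMail Help file:
    'mr-fred-accounts' -> ('mr-fred', 'accounts'); no hyphen -> 'Main'."""
    user, sep, mailbox = local_part.rpartition("-")
    if not sep:
        return local_part, "Main"
    return user, mailbox

def route(local_part: str, accounts: set[str]) -> tuple[str, str]:
    """Assumed delivery model (from Norman's six test steps): an account whose
    name exactly matches the local part receives the mail in its Main mailbox;
    otherwise the last hyphen splits off the mailbox name."""
    if local_part in accounts:
        return local_part, "Main"
    user, mailbox = split_mailbox(local_part)
    if user not in accounts:
        raise LookupError(f"no account for {local_part!r}")
    return user, mailbox

def draft_save_leaks(user: str, accounts: set[str]) -> bool:
    """Webmail draft saving mails user-draft@host back to the server; report
    whether that message lands in somebody else's account."""
    account, _ = route(f"{user}-draft", accounts)
    return account != user

if __name__ == "__main__":
    # Constructed sample server: "test" plus the attacker-style "test-draft".
    accounts = {"test", "test-draft"}
    print(route("test-draft", accounts))        # ('test-draft', 'Main')
    print(draft_save_leaks("test", accounts))   # True
    print(validate_username("test-draft"))      # False: blocked at signup
```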
