Norman,
I just posted a remark about "mailing a draft to save it in the draft
folder". The issue I ran into is similar, as follows:
Set a forward on an account. Edit a draft message and click save... The
draft message is not saved in the draft folder as "expected". Instead it is
sent to the forwarded account.
Mike
----- Original Message -----
From: "Norman J. Nolasco" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, April 06, 2002 2:51 PM
Subject: [IMail Forum] Is this a bug or a "feature"?
> This may have been covered already, I've found a couple of references to
> this in the KB. However, I haven't found any mention of this being a
> security problem. So, in the interest of protecting others with the same
> setup out there, here goes...
>
> I just realized that when I save a draft message through web messaging,
> this particular procedure is not performed as I had expected. Apparently,
> the draft is sent back into the mailbox through email. This is confirmed
> in the KB.
>
> For example, if your email address is "[EMAIL PROTECTED]" and you were to
> save a draft, a message is sent from your account to
> "[EMAIL PROTECTED]".
> If there is another account on your server called "test-draft", the message
> "disappears" from your account and ends up in the "Main" mailbox of
> the "test-draft" account!
>
> - This also works on other mailboxes ("test-Sent", "test-Deleted", etc...).
>
> - There is a way to change the delimiter, but this will disable draft
> saving.
>
> So what's the punch line?
>
> If you're running an online email service where your users are allowed
> to pick their own email address... you've got a big problem. Your email
> address is "[EMAIL PROTECTED]". If I want to grab your sent mail or saved
> drafts... I just create a "test-sent" and "test-draft" account... and I
> have a copy of all the email that reaches those folders. Another side
> effect is that the function will seem to not be working properly for
> "[EMAIL PROTECTED]". In reality, all their sent mail and drafts are
> getting shipped to someone else. You can run a test on your own servers:
>
> 1) Create "test" and "test-draft"
> 2) Login to "test"
> 3) Compose an email and save the draft.
> 4) Check Draft... no email.
> 5) Login to "test-draft".
> 6) There's the email.
>
> This assumes that you have Outgoing messages saved in your "Sent" folder and
> Saved drafts in your Drafts folder. As a workaround, I am not allowing any
> users to be created with "draft" or "sent" in them. I am not sure if this
> affects moving or deleting email also.
>
> - Does anyone know of an elegant way of dealing with this?
> - Is there a way to disable the "[EMAIL PROTECTED]" ability?
> - If I disable this feature, I can BCC the sender and create a rule (FROM:
> user -> sent) to send outgoing items into their "Sent" folder. Any ideas how to
> accomplish this for "Draft" saving?
>
> Finally, just a reminder to the guys (and gals) at IPSwitch... the HTML email
> issue will also allow a malicious user to create their own accounts and bypass
> my lame new username filter kluge if they knew which accounts have Host Admin or
> List Admin access. IMHO, draft saving and sent folder functionality should
> have been done exclusively on the server instead of involving sending emails to
> [EMAIL PROTECTED] That's just asking for trouble.
>
> Apologies for long message.
>
> Norman Nolasco
> Advarion Incorporated
> www.advarion.com
> www.saturnofamerica.com
> [EMAIL PROTECTED]
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
> Please visit the Knowledge Base for answers to frequently asked
> questions: http://www.ipswitch.com/support/IMail/
>
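Norman's workaround of refusing account names that contain "draft" or "sent", generalized into a check at account creation plus an audit of accounts that already exist. This is an added example, not part of the original thread and not IPSwitch code; the "-" delimiter, case-insensitive matching, the sample account list and all function names are assumptions.

```python
# Assumptions (not from the thread): the sub-address delimiter is "-",
# matching is case-insensitive, and any mailbox name may follow the delimiter.
DELIMITER = "-"


def shadowed_owners(name, accounts, delimiter=DELIMITER):
    """Return (owner, mailbox) pairs where `name` equals owner+delimiter+mailbox.

    "test-draft" shadows "test" (mailbox "draft"); "a-b-c" is checked
    against both "a" (mailbox "b-c") and "a-b" (mailbox "c").
    """
    known = {a.lower() for a in accounts}
    name = name.lower()
    hits = []
    for i, ch in enumerate(name):
        if ch == delimiter and 0 < i < len(name) - 1:
            owner, mailbox = name[:i], name[i + 1:]
            if owner in known:
                hits.append((owner, mailbox))
    return hits


def registration_conflicts(candidate, accounts, delimiter=DELIMITER):
    """Conflicts in both directions for a requested new account name."""
    conflicts = [(owner, candidate.lower(), box)
                 for owner, box in shadowed_owners(candidate, accounts, delimiter)]
    # Reverse case: the new name would become the owner that an
    # existing "<candidate>-<mailbox>" account already shadows.
    for acct in accounts:
        for owner, box in shadowed_owners(acct, [candidate], delimiter):
            conflicts.append((owner, acct.lower(), box))
    return conflicts


def audit(accounts, delimiter=DELIMITER):
    """List (owner, shadowing_account, mailbox) pairs already on the server."""
    found = []
    for acct in accounts:
        for owner, box in shadowed_owners(acct, accounts, delimiter):
            found.append((owner, acct.lower(), box))
    return sorted(found)


# Constructed sample account list for illustration.
SAMPLE_ACCOUNTS = ["test", "test-draft", "alice", "bob-smith", "Alice-Sent"]
```

Running `audit` over an exported account list shows which existing users may already be losing drafts or sent mail to another account, and `registration_conflicts` returning a non-empty list is the signal to refuse a new name.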