Re: [Mimedefang] Email injection and the android 'email' app

On 03/04/2013 06:30 PM, Dale Moore wrote:
> [...]

I would suggest a combination of per SMTP AUTH user bounce settings (possibly with auto change) AND scripted scanning of logs for offenders.

I hope you are not going to use another option mentioned without very good reason/very hard pressure.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
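The "scripted scanning of logs for offenders" suggestion above, as an added example that is not part of the thread or of MIMEDefang: a small Python scanner that correlates an MTA's SMTP AUTH log lines with its 5xx RCPT rejections by queue id and reports which authenticated user keeps retrying the same rejected recipient. The log lines are constructed, shaped loosely after sendmail's `AUTH=server`/`authid=` and `ruleset=check_rcpt`/`reject=550` lines; the two regexes (and the `threshold`) are assumptions to adapt to the real MTA's log format.

```python
import re
from collections import Counter

# Constructed log lines (not a real capture). The layout is modelled on
# sendmail's AUTH and check_rcpt reject lines; adapt the regexes below to the
# log format your MTA actually produces.
SAMPLE_LOG = """\
Mar  5 08:01:10 mx sm-mta[1001]: r25G1A001001: AUTH=server, relay=phone1.example.org [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Mar  5 08:01:10 mx sm-mta[1001]: r25G1A001001: ruleset=check_rcpt, arg1=<bob.smitth@example.org>, relay=phone1.example.org [192.0.2.10], reject=550 5.1.1 <bob.smitth@example.org>... User unknown
Mar  5 08:16:12 mx sm-mta[1002]: r25G1B001002: AUTH=server, relay=phone1.example.org [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Mar  5 08:16:12 mx sm-mta[1002]: r25G1B001002: ruleset=check_rcpt, arg1=<bob.smitth@example.org>, relay=phone1.example.org [192.0.2.10], reject=550 5.1.1 <bob.smitth@example.org>... User unknown
Mar  5 08:31:14 mx sm-mta[1003]: r25G1C001003: AUTH=server, relay=phone1.example.org [192.0.2.10], authid=alice, mech=PLAIN, bits=0
Mar  5 08:31:14 mx sm-mta[1003]: r25G1C001003: ruleset=check_rcpt, arg1=<bob.smitth@example.org>, relay=phone1.example.org [192.0.2.10], reject=550 5.1.1 <bob.smitth@example.org>... User unknown
Mar  5 09:02:00 mx sm-mta[1004]: r25H2A001004: AUTH=server, relay=laptop2.example.org [192.0.2.20], authid=carol, mech=PLAIN, bits=0
Mar  5 09:02:00 mx sm-mta[1004]: r25H2A001004: ruleset=check_rcpt, arg1=<typo@example.org>, relay=laptop2.example.org [192.0.2.20], reject=550 5.1.1 <typo@example.org>... User unknown
Mar  5 09:02:01 mx sm-mta[1004]: r25H2A001004: from=<carol@example.org>, size=1200, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MSA, relay=laptop2.example.org [192.0.2.20]
"""

# Assumed patterns: queue id, then either the AUTH line or a 5xx RCPT reject.
AUTH_RE = re.compile(r": (?P<qid>\w+): AUTH=server, .*authid=(?P<authid>[^,]+)")
REJECT_RE = re.compile(
    r": (?P<qid>\w+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, .*reject=5\d\d")


def scan_rejections(log_text):
    """Return {(authid, recipient): count} for 5xx RCPT rejections issued to
    authenticated submitters. The AUTH line and the reject line are separate
    log entries, so they are joined through the shared queue id."""
    auth_by_qid = {}
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            auth_by_qid[m.group("qid")] = m.group("authid")
            continue
        m = REJECT_RE.search(line)
        if m:
            authid = auth_by_qid.get(m.group("qid"), "<unauthenticated>")
            counts[(authid, m.group("rcpt"))] += 1
    return counts


def find_offenders(counts, threshold=3):
    """(authid, recipient, count) triples at or above the threshold, most
    frequent first: the clients stuck retrying one rejected address."""
    return sorted(((a, r, n) for (a, r), n in counts.items() if n >= threshold),
                  key=lambda t: -t[2])


if __name__ == "__main__":
    for authid, rcpt, n in find_offenders(scan_rejections(SAMPLE_LOG)):
        print(f"{authid} retried rejected recipient <{rcpt}> {n} times")
```

Run over a day's log, the report names the account and the mistyped address, which is the information needed to contact the user and clear the stuck Outbox message; the `threshold` separates one honest typo from a client looping on the same failure.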
Re: [Mimedefang] Email injection and the android 'email' app

On Tue, Mar 5, 2013 at 2:00 AM, Andrzej A. Filip andrzej.fi...@gmail.com wrote:
> On 03/04/2013 06:30 PM, Dale Moore wrote:
>> [...]
>
> I would suggest a combination of per SMTP AUTH user bounce settings (possibly with auto change) AND scripted scanning of logs for offenders.
>
> I hope you are not going to use another option mentioned without very good reason/very hard pressure.

Yes, consider what would happen in the more typical scenario of the authenticated 'submission host' server that you give out for your users _not_ knowing the user list for the domain. It is the somewhat accidental fact that yours does that triggers the problem, even if the problem really is in the submitting application.

--
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] Email injection and the android 'email' app

--- On Tue, 3/5/13, Andrzej A. Filip andrzej.fi...@gmail.com wrote:
> On 03/04/2013 06:30 PM, Dale Moore wrote:
>> [...]
>
> I would suggest a combination of per SMTP AUTH user bounce settings (possibly with auto change) AND scripted scanning of logs for offenders.

Very BAD advice. This should be a rejection, not a bounce. There is a difference.
Re: [Mimedefang] Email injection and the android 'email' app

On Mon, Mar 4, 2013 at 11:30 AM, Dale Moore dale.mo...@cs.cmu.edu wrote:
> The android 'email' app will NOT take this 'permanent' failure as definitive, and instead tries again shortly to resend the email. The email remains in the app's 'Outbox'.
>
> I currently have dozens of remote android clients that connect to my smtp server that regularly attempt to send their same mis-addressed email dozens of times a day for weeks on end.

Those aren't big numbers and it shouldn't bother your server much even if they were orders of magnitude higher... Why not just ignore it? Or do you want to improve the user's experience by getting a DSN in their inbox where they might see it - which is what would happen if the server where they submit didn't know the user list?

--
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] Email injection and the android 'email' app

> Those aren't big numbers and it shouldn't bother your server much even if they were orders of magnitude higher... Why not just ignore it? Or do you want to improve the user's experience by getting a DSN in their inbox where they might see it - which is what would happen if the server where they submit didn't know the user list?

Exactly right. Looking back over my logs, this was only a couple of droids a few months ago. Now I must do this several times a month. Perhaps the result of a minor email education blitz.

The load on the server is very low, but getting higher. But from the user experience standpoint it is a total failure.

The users don't check their 'Outbox' on their android. They don't know why the email didn't get through. They didn't get any notification as to why their email didn't go through. They thought that they sent it. They are sure that they sent it. And the intended recipient sure didn't receive it. It does the right thing for other, especially off-site, email addresses.

From the users' perspective our system lost their email again. This application works for hundreds or thousands of other sites and it doesn't work for our system. From their perspective, our setup is just plain broken.

Dale Moore

> --
> Les Mikesell
> lesmikes...@gmail.com
Re: [Mimedefang] Email injection and the android 'email' app

On Tue, 5 Mar 2013 17:45:01 -0500 Dale Moore dale.mo...@cs.cmu.edu wrote:
> From the users' perspective our system lost their email again. This application works for hundreds or thousands of other sites and it doesn't work for our system. From their perspective, our setup is just plain broken.

I would file a bug with the authors of the application in question, and I'd notify all your users of the bug and advise them to switch to a different email application if they send mail via your servers.

There's no way you should break your setup to comply with a brain-dead Android app.

Regards,

David.
Re: [Mimedefang] Email injection and the android 'email' app

On Tue, Mar 5, 2013 at 4:59 PM, David F. Skoll d...@roaringpenguin.com wrote:
> There's no way you should break your setup to comply with a brain-dead Android app.

Is having a submission server that doesn't know all of the domain addresses necessarily broken?

--
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] Email injection and the android 'email' app

On Tue, 2013-03-05 at 17:59 -0500, David F. Skoll wrote:
> There's no way you should break your setup to comply with a brain-dead Android app.

As a result of this thread, we discussed and tested this in-house (on just one phone). I believe we did get a notification that the message didn't send, so that's good. However, the fact that we had to switch it into airplane mode to be able to delete from the outbox was very annoying.

That aside, is Android behaving any differently than Thunderbird, or many other mail clients? Getting a 5xx status code from the outgoing mail server seems to pop up a dialog and then leave the message in the outbox on the ones we tested.

This leads to inconsistent behavior between local and remote destinations. It's arguably good for local destinations, as you can fix the address typo before sending (thus avoiding breakage when people hit Reply to All, for example). But I don't think it'd be reasonable for the outgoing mail server to check the remote addresses at the RCPT TO stage so that it could (attempt to) provide the consistent behavior of (nearly) always rejecting at RCPT TO. So if you want consistency, accepting all recipients for authenticated senders (and then later generating bounces) seems to be the only option.

--
Richard
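The two policies Richard contrasts, and the "rejection, not a bounce" distinction raised earlier in the thread, as an added example that is not part of the thread or of MIMEDefang: a Python model of an authenticated submission session that records both sides of the SMTP dialogue and then runs queue-time delivery. Under `reject_at_rcpt` an unknown local user gets a synchronous 550 at RCPT TO while a mistyped remote address is accepted and later bounced (the inconsistency described above); under `accept_then_bounce` every recipient gets 250 and all failures surface as DSNs to the envelope sender. The domain, user list, remote mailbox list and reply strings are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed data (assumptions for the example): the submission server's own
# domain and mailbox list, plus the far MX's mailbox list, which the submission
# server never sees and which is consulted only at delivery time.
LOCAL_DOMAIN = "example.org"
LOCAL_USERS = {"alice", "bob"}
REMOTE_MAILBOXES = {"dave@example.net"}


@dataclass
class Outcome:
    transcript: list = field(default_factory=list)  # (side, line): "C" client, "S" server
    queued: list = field(default_factory=list)      # recipients accepted into the queue
    dsns: list = field(default_factory=list)        # bounces generated after acceptance


def submit(sender, recipients, policy):
    """Simulate one authenticated submission under a recipient policy:
    'reject_at_rcpt'     - unknown local users are refused with 550 at RCPT TO,
                           so nothing is queued for them and the client learns now;
    'accept_then_bounce' - every recipient gets 250; failures become DSNs later."""
    out = Outcome()
    c = lambda line: out.transcript.append(("C", line))
    s = lambda line: out.transcript.append(("S", line))

    s("220 submission.example.org ESMTP")
    c("AUTH PLAIN ****")                     # credential exchange elided
    s("235 2.7.0 Authentication successful")
    c(f"MAIL FROM:<{sender}>")
    s("250 2.1.0 Ok")
    for rcpt in recipients:
        c(f"RCPT TO:<{rcpt}>")
        local, _, domain = rcpt.partition("@")
        if (policy == "reject_at_rcpt" and domain == LOCAL_DOMAIN
                and local not in LOCAL_USERS):
            s(f"550 5.1.1 <{rcpt}>... User unknown")   # rejection, not a bounce
            continue
        s("250 2.1.5 Ok")
        out.queued.append(rcpt)
    if out.queued:
        c("DATA")
        s("354 End data with <CR><LF>.<CR><LF>")
        c("(message body)")
        s("250 2.0.0 Ok: queued")
    c("QUIT")
    s("221 2.0.0 Bye")
    deliver(out, sender)
    return out


def deliver(out, sender):
    """Queue-time delivery: anything accepted but undeliverable turns into a
    DSN addressed to the envelope sender, the classic bounce."""
    for rcpt in out.queued:
        local, _, domain = rcpt.partition("@")
        deliverable = (local in LOCAL_USERS if domain == LOCAL_DOMAIN
                       else rcpt in REMOTE_MAILBOXES)
        if not deliverable:
            out.dsns.append(f"DSN to <{sender}>: <{rcpt}> 5.1.1 User unknown")


def rcpt_replies(out):
    """The server's RCPT TO replies in order: what the client actually sees."""
    return [line for side, line in out.transcript
            if side == "S" and (line.startswith("250 2.1.5") or line.startswith("550"))]


if __name__ == "__main__":
    for policy in ("reject_at_rcpt", "accept_then_bounce"):
        o = submit("alice@example.org", ["bobb@example.org", "davee@example.net"], policy)
        print(policy, rcpt_replies(o), o.dsns)
```

The transcript makes the trade-off concrete: a 550 at RCPT TO is the only signal a client receives while the user is still looking at the message, whereas a DSN arrives later and only if the envelope sender's mailbox is read; a client that treats the 5xx as transient gets neither benefit.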