Topics

Messages to +owner being wrongly routed to the whole group


Peter Martinez <Peter.Martinez@...>
 

I am moderator of a group. I have seen messages sent by members to the "groupname+owner" address which end up going to the "groupname" address and are thus sent to all members. This looks like a bug in parts of the internet itself. Most of the time its OK but for some members (including me) it happens every time. It looks like the bug is that an internet on-route server is interpreting the + sign as the end of the "user" part of the email address.

Have any other groups seen this effect? I think it may be very difficult to track down where this bug is occurring, and I would like groups.io to consider the possibility of a work-around at groups.io which will not be vulnerable to this bug. Perhaps changing "groupname+owner" to "owner.groupname" or something similar which doesn't use a character (like +) which could be treated as the end of the token.

regards
Peter Martinez


Duane
 

On Fri, Sep 13, 2019 at 06:29 AM, Peter Martinez wrote:
It looks like the bug is that an internet on-route server is interpreting the + sign as the end of the "user" part of the email address.
If that's the case, then that service isn't following RFC 2821, which says:
"Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address."

No one from Groups.io management is on this group.  If you'd like to make a suggestion, you can do that on the Beta group.  I'm not sure how much traction it would get since it's not really a groups.io problem.
 
Duane
--
Help: https://groups.io/static/help
GMF's Wiki: https://groups.io/g/GroupManagersForum/wiki
Search button at the top of Messages list
A few site FAQs: https://groups.io/static/pricing#frequently-asked-questions


Chris Jones
 

On Fri, Sep 13, 2019 at 12:29 PM, Peter Martinez wrote:
Most of the time its OK but for some members (including me) it happens every time.
What Peter didn't say is that this problem seems only to afflict (groups.io) account holders with btinternet.com email addresses, and is thus unlikely to manifest itself to those outside the UK who tries to send an email to a Groups.io address with a "+something" in it. That could, of course, includes attempts to join by email but as far as I can see there aren't any in that category in the Activity Log for the group I moderate.

Peter & I have been swapping emails about this for a couple of weeks; both of us have btinternet.com addesses.

Chris


Sue
 

I’m registering a ‘me too’ for this issue.

I replied to an email today to approve a message and was very surprised to receive it a few minutes later as a message to the group.

 

Sue

 

>What Peter didn't say is that this problem seems only to afflict (groups.io) account holders with btinternet.com email addresses, and is thus unlikely to manifest itself to those outside the UK who tries to send an email to a Groups.io address with a "+something" in it. That could, of course, includes attempts to join by email but as far as I can see there aren't any in that category in the Activity Log for the group I moderate.

_._,_


 

Chris,


What Peter didn't say is that this problem seems only to afflict (groups.io) account holders with btinternet.com email addresses, ...
 
So until some better solution is in place, it seems that an immediate triage would be for owners of an unmoderated group to put all btinternet.com subscribers on moderation. This way their errant messages to +owner and etc. will be caught in the Pending list rather than sent out to all the users.

That's not too hard to do. In the Members list use the Search box to find all btinternet subscriptions, checkmark them all (with the box next to Display Name), then select Change Moderation in the Actions menu. In the pop-up Set Moderation Status dialog select Override: moderated then click the Change button. Repeat if there is more than one page of search result.


That could, of course, includes attempts to join by email but as far as I can see there aren't any in that category in the Activity Log for the group I moderate.

No, there wouldn't be.

Those would have been logged as "Non-member ... attempted to send message ... via email" instead. And ironically the would-be member would have received back the bounce message that their message was rejected because they are not a member.

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Peter Martinez <Peter.Martinez@...>
 

Chris said:
What Peter didn't say is that this problem seems only to afflict (groups.io)
account holders with *btinternet.com* email addresses, ...
It's not quite like simple. The bug occurs "out there" in the internet, not at the btinternet.com domain. I can send a vulnerable message to another btinternet.com address and it isn't hit by this bug. It might be localised at synchronos.com, which is a btinternet.com subcontractor, but my fear is that almost anywhere in the internet there might be intermediate hosts with this bug - all from the same internet software source.

Sue: It would be interesting to know if you are on btinternet.com too.

I have posted this problem on a btinternet user forum, but if the problem turns out to be widespread, there may be no easy fix unless we can persuade groups.io to work-around it, perhaps by coding the "owner" address variant as something like <owner.mygroup@groups.io>

regards
Peter


Sue
 

Hi Peter,

Sue: It would be interesting to know if you are on btinternet.com too.
I am indeed using btinternet.com and decided to comment in case my particular experience of the problem, or weight of numbers would assist in the analysis.

Sue


 

Peter,


It's not quite like simple. The bug occurs "out there" in the internet, not
at the btinternet.com domain. 

Would you (and/or Sue, if she's listening) kindly send a message to:

I'd like to take a look at the header of such a message to see if there's anything to learn from it. You don't need to be a member of shalstest, but perhaps for an extra point of view CC it to my personal email address (which should be available in the From of this message in your email interface).

... but my fear is that almost anywhere in the internet there might be intermediate hosts with
this bug - all from the same internet software source.

Not too likely, for a couple of reasons.

First, there's Duane's point regarding the email standard (RFC) specifically disallowing such behavior.

Second, in the modern internet most messages route directly from the source server to the destination server. And even in cases where that is not true, the intermediates are usually "hardwired" in the sense of being a part of the source email infrastructure. By which I mean that most likely, for a given sending user, messages will always go through the same intermediaries, or none.
... there may be no easy fix unless we can persuade
groups.io to work-around it, perhaps by coding the "owner" address variant
as something like <owner.mygroup@groups.io>

As an alias perhaps, but certainly not as a replacement for the existing form - it is too deeply entrenched.

It may be easier to persuade Groups.io to find some form of "fix" to apply to messages arriving from btinternet (or maybe just the affected subset, and any other affected services) if a way can be found within the message header of determining that part of the user name (the plus and what follows) in the destination address has been trimmed. Hopefully that could be applied to correct all of the email commands, and not just +owner.

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Peter Martinez <Peter.Martinez@...>
 

Shal:

I am going to send two messages to main+owner@shalstest.groups.io, one via POP3 and the other via Webmail. I am guessing the first will be misrouted and appear at main@shalstest.groups.io (or perhaps it will be rejected since I am not subscribed?). I am guessing the second will be routed correctly. I will copy both to your personal email address.

Thanks
Peter


Chris Jones
 

On Sat, Sep 14, 2019 at 08:32 AM, Peter Martinez wrote:
I am going to send two messages to main+owner@shalstest.groups.io, one via POP3 and the other via Webmail.
Your "guess" turned out to be correct. Both your and Sue's messages were released in moderation just to prove the point.

Chris


 

Peter,

I am going to send two messages to main+owner@shalstest.groups.io, one
via POP3 and the other via Webmail. I am guessing the first will be
misrouted and appear at main@shalstest.groups.io (or perhaps it will
be rejected since I am not subscribed?).
main@shalstest has the "Allow Non Subscribers to Post" box checked, so your message arrived in the Pending queue for moderation. I checked that before asking you to send in a message.

Alas, nothing in the header offered me a clue. None of the Received fields bothered to include a "for" clause that might have revealed the envelope To: content at that step.

I am guessing the second will be routed correctly. I will copy both to
your personal email address.
Damn Gmail. I forgot that it would irrevocably hide from my view the second message (the copy through the +owner address). I really do hate that misfeature with a passion.

And I also failed to check my alternate mod addresses, which weren't set to send me non-subscriber +owner messages. Oops, that one's on me.

-----

At any rate, one interesting distinction between the one that was sent by your email client and the one that was Webmail is the path they took.

The client SMTP message:
Your laptop (Outlook Express 6) --> synchonoss.net --> btinternet.com
--> Gmail & Groups.io

The Webmail message:
yahoo.com --> yahoo.com --> Gmail (& presumably Groups.io)

Which is consistent with my failure to be able to reproduce the problem using my Yahoo mail account by way of its webmail interface.

Sue used Outlook 14 on her laptop, but otherwise the message followed the same path as your first example. So implicated are Microsoft, synchonoss.net and btinternet.com.

Alas, I can't think of a way to determine which one. Well, I guess we could rule out (or convict) Microsoft if one of you were to try a different client app (e.g. Thunderbird).

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Sue
 

So implicated are Microsoft, synchonoss.net and btinternet.com.
Alas, I can't think of a way to determine which one. Well, I guess we could rule out (or convict) Microsoft if one of you were to try a different client app (e.g. Thunderbird).
Sorry, I don't use any other email client so can't help there. I don't know if this has any bearing on the issue but BT has been the subject of some problems in delivery and syncing mail this past week or so. From the little I've read about it, it seems to point to Yahoo servers.
Although things are better now (previously had no access at all) I am still having glitches with my mail being delivered or alternatively double or triple drops of repeat mail.

Sue


P H LLOYD
 

Although I have not seen this issue on my group, I do have a btinternet.com address, so I tried sending a test message to the owner and I believe it was sent out to the group.  I have two memberships of the group, one has owner status and the other does not.  Unfortunately the one that does not also is set to "no emails" (so I don't get everything twice!) but if I log on under that name I see the message.

Since Chris in his latest message has not copied the letter he was responding to, I am not sure what the "Guess" is that he refers to.

Peter

On 13/09/2019 11:28, Peter Martinez via Groups.Io wrote:
I am moderator of a group. I have seen messages sent by members to the "groupname+owner" address which end up going to the "groupname" address and are thus sent to all members. This looks like a bug in parts of the internet itself. Most of the time its OK but for some members (including me) it happens every time. It looks like the bug is that an internet on-route server is interpreting the + sign as the end of the "user" part of the email address.

Have any other groups seen this effect? I think it may be very difficult to track down where this bug is occurring, and I would like groups.io to consider the possibility of a work-around at groups.io which will not be vulnerable to this bug. Perhaps changing "groupname+owner" to "owner.groupname" or something similar which doesn't use a character (like +) which could be treated as the end of the token.

regards
Peter Martinez



P H LLOYD
 

Yes, Sue, I too have issues with btinternet and am seriously thinking of moving everything to gmail.  But I remember the problems when I ditched NTLWorld and went to BT

I get the same issue with group+owner, and I use Thunderbird.

Peter

On 14/09/2019 09:37, Sue via Groups.Io wrote:
So implicated are Microsoft, synchonoss.net and btinternet.com.
Alas, I can't think of a way to determine which one. Well, I guess we could rule out (or convict) Microsoft if one of you were to try a different client app (e.g. Thunderbird).
Sorry, I don't use any other email client so can't help there. I don't know if this has any bearing on the issue but BT has been the subject of some problems in delivery and syncing mail this past week or so. From the little I've read about it, it seems to point to Yahoo servers.
Although things are better now (previously had no access at all) I am still having glitches with my mail being delivered or alternatively double or triple drops of repeat mail.

Sue




 

Peter,

I get the same issue with group+owner, and I use Thunderbird.
Thanks for that!

I really didn't think it was a Microsoft issue, as I think there are many group members using Outlook in one form or another, and we'd no doubt have heard of this already.

-----

With the clarity of morning comes the realization that the header To: field has the correct (+owner) address, even in the misdirected message.

So, the recommended fix to Groups.io may be, in cases where the message is delivered to Groups.io directly from btinternet.com, trust the header To field over the envelope To. Or at least compare them and make a decision.

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Chris Jones
 

On Sat, Sep 14, 2019 at 11:18 AM, P H LLOYD wrote:
Since Chris in his latest message has not copied the letter he was responding to, I am not sure what the "Guess" is that he refers to.
I was quoting Peter's message that was immediately before mine.

In other news this PC (which from past experience exhibits the "problem") uses XP + Outlook 2003. (No laughing at the back please!)

I will do the same test using my laptop (should have done it while I was away; would save getting it out again) because that uses Win7 + Outlook 2013; it will be worth seeing if there is any difference in behaviour.

It won't make any difference "internet - wise" because both ostensibly use BT, although not the Yahoo variant. IIRC my email service is provided by cpcloud.

Chris


Peter Martinez <Peter.Martinez@...>
 

I have now established that the misrouting does NOT occur if I sent a message to the +owner address from my btinternet.com account, but not by using the mail.btinternet.com server but by using the yahoo one. This is routed via yahoo rather that via btinternet and synchronoss, so it confirms the earlier experiments and points to the culprit being btinternet or synchronoss.

regards
Peter


Chris Jones
 

On Sat, Sep 14, 2019 at 07:02 PM, Peter Martinez wrote:
I have now established that the misrouting does NOT occur if I sent a message to the +owner address from my btinternet.com account...
I have carried out further tests and can report that if I use Outlook 2003 or 2013 the message misroutes by chopping off the "+owner" part of the address and displaying the email for all to see as a "posted message". (Note; on the test group in question I am not moderated)

However, if I use the BT Mail web UI (not, in my case, provided by Yahoo) then +owner messages route correctly.

Not sure if that helps all that much though...

Chris


 

Peter,

... so it confirms the earlier experiments and points to the culprit
being btinternet or synchronoss.
And, following up with a similar case reported by another member I have evidence to implicate synchronoss.net
https://groups.io/g/GroupManagersForum/topic/33141231

Off-list Trista sent me the header for a misdirected message that posted into her group. In the following two Received fields note particularly the "for" clauses:

Received: from re-prd-rgout-002.btmx-prd.synchronoss.net ([10.2.54.5])
by re-prd-fep-041.btinternet.com
with ESMTP id
<20190904180319.WRUD7208.re-prd-fep-041.btinternet.com@...>
for <ta-members@groups.io>; Wed, 4 Sep 2019 19:03:19 +0100
...
Received: from [redacted]-imac.home ([redacted)
by re-prd-rgout-002.btmx-prd.synchronoss.net (5.8.337)
(authenticated as [redacted]@btinternet.com)
id 5D6FA3290010097D
for ta-members+owner@groups.io; Wed, 4 Sep 2019 19:03:19 +0100
The second is synchronoss saying that they received the message from the member's iMac, intended for the +owner address.

The first is btinternet saying that they received the message from synchronoss, intended for the group posting address.

I don't know for a fact about these two services, but I believe that servers generally record in the Received header very literally what they received. Which in this case would imply that synchronoss trimed the "+owner" off of the address after receiving it from the member's iMac and before delivering it to btinternet.

That's what I call a smoking gun.

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


P H LLOYD
 

Peter's message evidently didn't reach me....  Sorry, but the point remains.

Peter (another one!)

On 14/09/2019 15:54, Chris Jones via Groups.Io wrote:
On Sat, Sep 14, 2019 at 11:18 AM, P H LLOYD wrote:
Since Chris in his latest message has not copied the letter he was responding to, I am not sure what the "Guess" is that he refers to.
I was quoting Peter's message that was immediately before mine.

In other news this PC (which from past experience exhibits the "problem") uses XP + Outlook 2003. (No laughing at the back please!)

I will do the same test using my laptop (should have done it while I was away; would save getting it out again) because that uses Win7 + Outlook 2013; it will be worth seeing if there is any difference in behaviour.

It won't make any difference "internet - wise" because both ostensibly use BT, although not the Yahoo variant. IIRC my email service is provided by cpcloud.

Chris
[ad removed by moderator]