Topics

Misrouted message test

Peter G3PLX <Peter.Martinez@...>
 

Andy:

I have a hypothesis that something along the route, perhaps at BT or Synchronoss, is mis-parsing the "To" line and picking-up the email address which is embedded within the quoted "name" part of the address instead of the intended <email> part. This impacts emails sent to groups.io.

If my hypothesis is wrong (and the message is NOT misrouted), you will see this message (as the owner of RSGB-Workshop). Please just copy it back to me but otherwise ignore it.

If I am right (and the message is misrouted) , it will go to RSGBTechnical@groups.io and I will see it myself and deal with it.

There IS a possibility that the bug is that the "+owner" token is somehow being stripped from the email address, in which case this message will go to RSGB-Workshop:groups.io and appear on your group output stream. If it does this, please accept my apologies for the inconvenience but it's the only easy way I can think of to test this.

The "To" line in this message is ...

"RSGBTechnical(a)groups.io TEST" <RSGB-Workshop+owner(a)groups.io> but I have, for this message only, replaced @ with (a) to prevent the @ being treated in some special way by email clients.

73
Peter

Peter G3PLX <Peter.Martinez@...>
 

Andy:

The fact that my last post DID end up in the group output means there is a bug somewhere out there in the internet which can result in messages, intended for the owner of a group, to be broadcast to the whole group in error. For the path from me to groups.io it looks like the bug is with BT or Synchronoss, but there's no knowing where else it might occur.

I suggest you (as owner of this group) report this to groups.io. They may say it's not their fault, but there's a very good case for them changing the way they form the "owner" variant of the group email address so that it is not vulnerable to this bug (wherever it occurs). I am guessing that "RSGB-Workshop.owner" or "owner.RSGB-Workshop" would be OK.

This bug has hit several other groups.io groups including RSGBTechnical, where an offensive message went public.

73
Peter G3PLX

Dennis Smith
 

The test email was sent to a group address AND was also sent to owner. The use of + in email addresses is not standard (although the use for filtering in this case has been pushed for some time, at least 10 years). As a result some email servers do filter characters after a + before forwarding to the next server in the chain. Nothing can be done about this but change provider.

Dennis Smith
M1DLG

On Fri, 13 Sep 2019, 09:46 Peter G3PLX via Groups.Io, <Peter.Martinez=btinternet.com@groups.io> wrote:
Andy:

The fact that my last post DID end up in the group output means there is a
bug somewhere out there in the internet which can result in messages,
intended for the owner of a group, to be broadcast to the whole group in
error.  For the path from me to groups.io it looks like the bug is with BT
or Synchronoss, but there's no knowing where else it might occur.

I suggest you (as owner of this group) report this to groups.io.  They may
say it's not their fault, but there's a very good case for them changing the
way they form the "owner" variant of the group email address so that it is
not vulnerable to this bug (wherever it occurs).  I am guessing that
"RSGB-Workshop.owner" or "owner.RSGB-Workshop" would be OK.

This bug has hit several other groups.io groups including RSGBTechnical,
where an offensive message went public.

73
Peter G3PLX




Peter G3PLX <Peter.Martinez@...>
 

Dennis:

Interesting. I am discussing this on a BT users forum and a groups.io forum. Someone pointed out that there is an RFC which says "intermediate hosts shouldn't mess with the local part of an email address", and it looks like some do. BTinternet and/or Synchronoss are the prime suspects, stripping the "+owner" bit and thus transforming one valid email address into another. There is another RFC which includes + in the set of characters which are legal in this context. However, I doubt whether I am going to get much further with this one.

73
Peter G3PLX

Colin Tuckley
 

On 14/09/2019 10:09, Dennis Smith wrote:

The use of + in email addresses is not standard
Yes it is!

It's been in both of the RFCs (An RFC is the Internet standards document
system) for email pretty much since the ARPANet days.

73, Colin

--
Colin Tuckley | +44(0)1223 830814 | PGP/GnuPG Key Id
G8TMV | +44(0)7799 143369 | 0xFA0C410738C9D903

Colin Tuckley
 

On 14/09/2019 10:44, Peter G3PLX via Groups.Io wrote:

However, I doubt whether I am going to get much further with this
one.
Unfortunately I suspect you are correct. Not even Gmail seem to bother
with the standards these days and as for Windows (Microsoft) they seem
to think that the standards don't apply to them.

73, Colin

--
Colin Tuckley | +44(0)1223 830814 | PGP/GnuPG Key Id
G8TMV | +44(0)7799 143369 | 0xFA0C410738C9D903

Peter G3PLX <Peter.Martinez@...>
 

The important point of this thread is that if members of this group who have btinternet.com email addresses, who use any of the email commands described in the groups.io web page https://groups.io/static/help#emailcommands , will find their command just appears as a message in the group broadcast output instead of being carried out.

In particular, if they send an email to RSGB-Workshop+owner@groups.io intending it to be a private message to the owner, THAT TOO will just appear in the group output broadcast FOR EVERYONE TO SEE. I am sending THIS message in this way!

There is a work-around. Members who are @btinternet.com can safely send emails to the +owner address via Webmail. I am trying to get this bug sorted, but I am getting nowhere at the moment.

This point is particularly important in this group, since there is no moderation. In the RSGBTechnical group, such mis-routed messages get spotted by the moderators - who should have received the message anyway.

73
Peter G3PLX

Dennis Smith
 

The statement hashed out earlier partly incorrect - Some special characters are allowed (including "+") BUT, this is NOT recommended as it is used many mail server software in most cases as a filter for local mailbox filtering. The same is true for some other special characters that are permitted but have special functions. Some software used in between the sender and the recipient is known to strip the special characters out or strip out preceding components of the email address prior to the "@" symbol. It's a a sorry state of many standards being held together with duct tape and chewing gum.It would be nice if we had a date fixed in the future set as world standards day that implimented a huge overhaul to a rigid standard that forced all email to use encryption and standard sending/ recieving protocols and we all switched over all together. Somehow I doubt we will ever fix the mess of standards (or the broken implimentation) we do have today.

Dennis Smith
M1DLG

On Sat, 14 Sep 2019 at 11:21, Colin Tuckley <colin@...> wrote:
On 14/09/2019 10:09, Dennis Smith wrote:

> The use of + in email addresses is not standard

Yes it is!

It's been in both of the RFCs (An RFC is the Internet standards document
system) for email pretty much since the ARPANet days.

73, Colin

--
Colin Tuckley | +44(0)1223 830814 |  PGP/GnuPG Key Id
    G8TMV     | +44(0)7799 143369 | 0xFA0C410738C9D903




Andy G0FTD <punkbiscuit@...>
 
Edited

On Sat, Sep 14, 2019 at 07:55 PM, Peter G3PLX wrote:
In particular, if they send an email to RSGB-Workshop+owner@groups.io intending it to be a private message to the owner, THAT TOO will just appear in the group output broadcast FOR EVERYONE TO SEE. I am sending THIS message in this way!

I think Pete has pointed out a legitimate bug, fair enough.

There is a work-around. Members who are @btinternet.com can safely send emails to the +owner address via Webmail. I am trying to get this bug sorted, but I am getting nowhere at the moment.

Good.


This point is particularly important in this group, since there is no moderation. In the RSGBTechnical group, such mis-routed messages get spotted by the moderators - who should have received the message anyway

OK, but are you trying to legitimise moderated groups ?
Moderated groups are nothing more than an extension of the moderator(s) own prejudices and bias.
Only in rare cases do they produce good groups.
I believe that all groups should be free, and only gross violations should be get killed.
That does not include one liners, dissent, critique or thread drift (everything wanders, get used to it and grow up).

73 de Andy

Andy G0FTD <punkbiscuit@...>
 

On Sat, Sep 14, 2019 at 09:18 PM, Andy G0FTD wrote:
There is a work-around. Members who are @btinternet.com can safely send emails to the +owner address via Webmail. I am trying to get this bug sorted, but I am getting nowhere at the moment.

Good.
Ooops, pedants will notice an incorrect meaning here.

I meant to say that I applaud G3PLX in trying to sort out the issue.
The previous reads a bit opposite, my apologies.

73 de Andy

Peter G3PLX <Peter.Martinez@...>
 

Andy said:

OK, but are you trying to legitimise moderated groups ?
I am not discussing the merits or otherwise of moderated groups.

I am just pointing out that an unmoderated group (like this one) is vulnerable to this bug because anyone (with an internet route to groups.io which has this bug), who sent a private message to the owner, would get it broadcast to the world instead, which might be a bad idea. If in doubt, don't ever send an email to RSGB-Workshop+owner@groups.io in case it goes to the whole group by mistake.

A moderated group isn't vulnerable because such a wrongly-routed private message would be intercepted before it could cause any trouble.

73
Peter

Andy G0FTD <punkbiscuit@...>
 

On Sat, Sep 14, 2019 at 10:16 PM, Peter G3PLX wrote:
I am just pointing out that an unmoderated group (like this one) is vulnerable to this bug because anyone (with an internet route to groups.io which has this bug), who sent a private message to the owner, would get it broadcast to the world instead, which might be a bad idea. If in doubt, don't ever send an email to RSGB-Workshop+owner@groups.io in case it goes to the whole group by mistake.

I'll be totally fair, I do actually agree and understand. (Not that anyone has EVER given me credit for being unbiased!)

A moderated group isn't vulnerable because such a wrongly-routed private message would be intercepted before it could cause any trouble.

True, but many fall in to the trap of killing all creativity by thinking moderation is better, at the expense of the other 95% of creativity.
It's a very dangerous step to take.
And many others have fallen in to the trap, but are too daft to realise why they are unpopular.
I will always expect better of any self proclaimed learned "friends".

73 de Andy
(My work desk has a gavel !)