Leaking address in reply by email
-
Continuing the discussion from How to quit a job after 6 days?:
paging @scboffspring @Buddy @apapadimoulis
Very odd. I know @apapadimoulis has replied by email. I never have, but I've also never seen @apapadimoulis' email leaked in his replies, while we've seen it a couple of times with other people here.
I just looked at emails that I get (old ones from here, and recent ones from meta.d), and when I reply I don't see my email address in there anywhere. From here, I get the use-the-contact-form address, and a generic info address from meta. Do you have your address in your signature?
I found an old meta thread about how it's hard to detect signatures:
-
I actually got this bug, or feature, using "Reply" with the default Windows Phone email.
-
Did your reply quote the original message (however WP does that)?
-
His email address was in the 'TO' header data from the original post he was replying to.
So it was
FROM MATCHES (TOPIC) TO HIS ACTUAL EMAIL
when he replied, it embedded his email as part of the post.
-
Here you go for the sample.
Sent from my Windows Phone
From: boomzilla
Sent: 10/6/2014 11:22 PM
To: **@.me
Subject: [What the Daily WTF?] [Meta/Bug] Leaking address in reply by email
boomzilla
October 6
Did your reply quote the original message (however WP does that)?
To respond, reply to this email or visit http://what.thedailywtf.com/t/leaking-address-in-reply-by-email/3787/3 in your browser.
To unsubscribe from these emails, visit your user preferences.
-
Awww, why ruin the fun, I would love it if some site using discourse had teenage users who had their email leaked and thus violating COPPA.
-
Technically this isn't a discourse bug (in the strictest sense) - so I don't believe it will be changed.
But why do you think someone submitting their information will violate anything? (This is provided by the end user, not discourse)
Discourse should take steps to strip the email to the best of their ability (at LEAST provide a site setting checked by default), but yeah.
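One way the stripping suggested above could work on an incoming reply-by-email body, as an added example that is not part of the original posts and is not Discourse's own code. The function name, the heuristics, the choice to mask addresses left in the kept text, and the sample messages (with a placeholder address) are all assumptions made for illustration.

```python
import re

# Labels that mail clients print above a quoted original message.
HEADER_RE = re.compile(r"^\s*(from|sent|date|to|cc|subject):\s*(.*)$", re.I)
SIGNATURE_RE = re.compile(r"^\s*(--\s*|sent from my .+)$", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def scrub_reply(body: str) -> str:
    """Keep only what the user typed above the signature or quoted headers."""
    lines = body.splitlines()
    cut = len(lines)
    for i, line in enumerate(lines):
        if SIGNATURE_RE.match(line):
            cut = i
            break
        m = HEADER_RE.match(line)
        if m and m.group(1).lower() == "from":
            # Require other header labels nearby so a sentence that merely
            # starts with "From:" is not treated as a quoted block.
            nearby = (HEADER_RE.match(l) for l in lines[i:i + 8])
            if len({h.group(1).lower() for h in nearby if h}) >= 3:
                cut = i
                break
    kept = "\n".join(lines[:cut]).strip()
    # Policy assumption: mask any address left in the kept text as well.
    return EMAIL_RE.sub("[email removed]", kept)


# Constructed samples; the address is a placeholder, not one from the thread.
WP_REPLY = """Here you go for the sample.

Sent from my Windows Phone
From: boomzilla
Sent: 10/6/2014 11:22 PM
To: member@example.invalid
Subject: [Meta/Bug] Leaking address in reply by email

Did your reply quote the original message?
"""
SPLIT_HEADERS = ("Replying by mail, reach me at member@example.invalid\n"
                 "From:\nboomzilla\nSent:\n10/6/2014 11:22 PM\n"
                 "To:\nmember@example.invalid\n")

if __name__ == "__main__":
    print(scrub_reply(WP_REPLY))
    print(scrub_reply(SPLIT_HEADERS))
```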
-
I think the important thing to note is that WP does not allow the user to change anything below the horizontal rule. Having that entire section not clickable like that led me to believe that there might be some kind of simple or standardized way of stripping it – it's been a while since I read any email standards, but I seem to recall something about multiple or separate messages in the same email, and I guess I just wanted to give microsoft/discourse a chance to surprise me.
Filed under: Discoverability!
-
actually, discourse could change it if they wanted to.
the trick is that you use the BCC field to include the actual recipient and the TO field would be something like
forumuser+accalia@thedailywtf.com
or noreply+accalia@thedailywtf.com
This would prevent emails from getting leaked, but make it slightly harder for the emails to pass through a spam filter firewall. but the format of the to address does lend itself to be whitelisted easily and it seems like a requirement for staying with discourse is a fairly high degree of tech savvy and also patience, at least given our dropout rate...
Bonus points if you make emails to the first address automatically turn into PMs to the person when sent from a registered email address (with proper sanitization of course)
(how many times will i edit this before i call it good enough: i think this is 7 and counting...)
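The alias scheme proposed in the post above, sketched as an added example that is not part of the original post and is not Discourse's own code. The domain, function names and addresses are assumptions; the real address travels only as the SMTP envelope recipient (which is what a BCC amounts to on the wire), so a client that quotes the headers can only quote the alias.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

FORUM_DOMAIN = "forum.example.invalid"  # assumed domain for the example
ALIAS_RE = re.compile(
    r"^(forumuser|noreply)\+([a-z0-9_.-]{1,60})@" + re.escape(FORUM_DOMAIN) + r"$")


def alias_for(username: str, prefix: str = "noreply") -> str:
    """Build the per-user alias that goes in the visible To header."""
    safe = re.sub(r"[^a-z0-9_.-]", "", username.lower())
    if not safe:
        raise ValueError("username has no usable characters")
    return f"{prefix}+{safe}@{FORUM_DOMAIN}"


def build_notification(username, real_address, subject, text):
    """Return (envelope_recipients, message); headers never hold real_address."""
    msg = EmailMessage()
    msg["From"] = f"notifications@{FORUM_DOMAIN}"
    msg["To"] = alias_for(username)
    msg["Subject"] = subject
    msg.set_content(text)
    # Deliver with smtplib.SMTP.send_message(msg, to_addrs=envelope_recipients).
    return [real_address], msg


def route_inbound(to_header, from_header, registered):
    """Map mail sent to forumuser+name@ onto a PM target for known senders."""
    _, to_addr = parseaddr(to_header)
    _, sender = parseaddr(from_header)
    m = ALIAS_RE.match(to_addr.lower())
    if not m or m.group(1) != "forumuser":
        return None  # noreply aliases and anything malformed are dropped
    # The From header is spoofable; a deployment would also check SPF/DKIM.
    if sender.lower() not in registered:
        return None
    return m.group(2)


if __name__ == "__main__":
    rcpts, msg = build_notification(
        "accalia", "real.person@example.invalid", "New reply", "Someone replied.")
    print(rcpts, msg["To"])
```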
-
Bolus points
I think I'll go with this, which might turn into this, although the idea of Bolus points would seem to indicate you might have had either this or this in mind.
-
it is 2211 local time here and i'm operating on about 4 hours of sleep since Sunday morning.
things are starting to get a little weird.... sorry if that's affecting my spelling.
now i think it's time to put the computer away for a while. the screen won't stay still anymore.
-
Bed, now.
-
@royal_poet might have something to say about that @Arantor.
-
Her bed probably isn't much safer for you.
-
Her bed probably isn't much safer for you.
Probably not, no. Especially as tonight I'm definitely in trouble.
-
@accalia, @royal_poet, my bed is way too small to be sharing with anyone else... :( Now if it were a bigger bed, who knows what might happen?
-
if that's the only problem i'm sure we can upgrade your size.... ;-)
-
the format of the to address does lend itself to be whitelisted easily and it seems like a requirement for staying with discourse is a fairly high degree of tech savvy and also patience, at least given our dropout rate...
This leads to several questions:
- What is the dropout rate?
- Anyone heard from @Arantor recently? (Or was he leaving for the holidays and I simply missed the memo?)
Shut up Dissedcourse.
-
What is the dropout rate?
Not sure, but we have lost a lot of old wtfers
And we don't tend to see many front page users but once or twice
As for a rant or he quit. He did not send a worldwide memo but he did post something of an explanation a few weeks ago as he drove by.