Re: "Fake subject tags" are allowed in the subject line #bug

>>> I see no bug here. In my experience, it's normal list practice to simply prefix the subject if the list prefix text is not already present. Banning other square brackets would, for example, prevent someone asking in a techie group about the use of [a-z] in a regular expression.
>>> This seems much more like a group rule that some groups may choose to enforce rather than a technological problem in need of a solution.
>>> [ and ] are perfectly valid characters in a subject line and can be used for all sorts of reasons.


It's my fault for not making it more clear in the OP; two of the "all sorts of reasons" this allows are not just silly mischief but, more importantly, email tricking/spoofing.

If you noticed in the second silly example I provided above, where I can include other groups' tags verbatim in my subject line, we are making it possible for an admin, for fun/mischief or more sinister reasons, to make emails from their group "pretend" to be from another group: use no group tag, and carefully set the message subject so it looks exactly the same as posted on another group, except for one letter difference, easily missed if not paying attention.

For example, just for the fun of it, I did that to my test group: renamed it to betta, main, and no group tag, and copied this topic's subject. I ended up with this emailed message in the inbox, which is buried/camouflaged along with the rest of the real topic, and to the careless, it looks like the real thing, only one letter difference in the address:

Invitations and DirectAdds from this betta group look the same as the real beta ones to the careless/glance-overs, only one letter difference.

I think I can more or less safely bet that:

- If I were to DirectAdd you to betta, you'd probably do a "whaaat? I'm already a member, did Mark do something??" double-take initially, until you either spot the tt, or you click on the email links and go to betta's home page to see what the heck, which, if I wanted it to look like beta's, I could have, to a very close point at least. Either way, you'd eventually figure it out and maybe come here to GMF or beta and report it.

- If I had taken the above betta spoofed message and, instead of the "footers point to..." text, I had added a direct quote from one of the participants in this topic, and asked them to explain further or whatever, which would necessitate their reply, and I also added the betta address in ReplyTo, then sent it to betta but also BCC'ed one or all of you participants, you'd receive it as the above seemingly legit message, and because it's easy to miss, and you also have the implicit bias of being dead-set against doing anything about this (fine, not a bug, but still an) issue, there is a good chance you'd have replied back missing the trick, thinking your reply went to beta, only it didn't, it went to betta.

As to why do all this? Spamming maybe? Or could some enterprising mal-admin use this spoofing trick in some mal-capacity? I don't know, but common sense has proven time and time again that you never know what people will come up with.

So if we think there's no other use than just having fun with this, and we're fine with how it currently works, then end of story I guess.

Although I'm not really happy I had to explicitly show how to set it up (although it's not hard to figure out) ... maybe Mark should delete this topic and I can resubmit it worded less explicitly and as a #misc this time for further discussion, unless everyone thinks it is end of story.

Cheers,
[Christos]
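
A recipient-side check for the mismatch described in this thread (a subject tag that does not match the list the mail actually came from, a group name one letter away from one you belong to, and a Reply-To that sends answers to the lookalike). This is an added example, not part of the post or of Groups.io itself; the sample message is constructed, and the List-Id form `<list.GROUP.groups.io>` is an assumption.

```python
import re
import email
from email import policy

# Constructed sample, not a real message: a post from a lookalike group
# "betta" that copies the real group's [beta] tag and a real topic's subject.
SPOOFED = """\
Reply-To: main@betta.groups.io
List-Id: <main.betta.groups.io>
Subject: [beta] Re: "Fake subject tags" are allowed in the subject line #bug

footers point to betta
"""

def within_one_edit(a, b):
    """True if a != b and one insert, delete or substitution turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra char on the longer side, or both on a substitution
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) == 1

def check_message(raw, trusted_groups):
    """Warnings for a list post that may impersonate one of trusted_groups.
    Hypothetical client-side check; List-Id assumed as <list.GROUP.groups.io>."""
    msg = email.message_from_string(raw, policy=policy.default)
    labels = str(msg.get("List-Id") or "").strip("<> ").split(".")
    group = labels[-3].lower() if len(labels) >= 3 else ""
    m = re.match(r"\s*\[([^\]]+)\]", str(msg.get("Subject") or ""))
    tag = m.group(1).lower() if m else ""
    reply_dom = str(msg.get("Reply-To") or "").rsplit("@", 1)[-1].strip("> ").lower()
    warnings = []
    if tag and group and tag != group:
        warnings.append(f"subject tag [{tag}] does not match List-Id group {group}")
    for real in trusted_groups:
        if within_one_edit(group, real):
            warnings.append(f"group {group} is one edit away from trusted group {real}")
    if tag in trusted_groups and reply_dom and not reply_dom.startswith(tag + "."):
        warnings.append(f"replies to a [{tag}] post would go to {reply_dom}")
    return warnings
```

Run against the constructed message with `check_message(SPOOFED, {"beta"})`; a genuine post from beta with matching tag, List-Id and Reply-To produces no warnings.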