Date   

moderated Re: "Fake subject tags" are allowed in the subject line #bug

Duane
 

On Sun, Feb 7, 2021 at 10:51 AM, Christos G. Psarras wrote:
As to why do all this?  Spamming maybe?  Or could some enterprising mal-admin use this spoofing trick in some mal-capacity? I don't know but common-sense has proven time and time again that you never know what people will come up with.
As I see it, it wouldn't be just a problem on the group, it could also be done without actually sending anything to a group by using personal email.  It might not be as slick, but a person would still receive the same spoof.  If/when anything 'weird' like that comes in, I check it well before taking any action.  Unfortunately, there are a LOT of people that don't, they take things at face value.

Duane


moderated Re: "Fake subject tags" are allowed in the subject line #bug

Andy Wedge
 

On Sun, Feb 7, 2021 at 07:32 AM, Malcolm Austen wrote:
I see no bug here.
Agreed. Even if changes were made that prevented the use of these brackets in Groups.io, there's nothing to stop emails sent from outside Groups.io using them. Everyone needs to vet every incoming email, regardless of the apparent source. This seems to be a solution looking for a problem.

Andy


moderated Re: "Fake subject tags" are allowed in the subject line #bug

 

>>> I see no bug here. In my experience, it's normal list practice to simply prefix the subject if the list prefix text is not already present. Banning other square brackets would, for example, prevent someone asking in a techie groups about the use of [a-z] in a regular expression
>>> This seems much more like a group rule that some groups may choose to enforce rather than a technological problem in need of solution.
>>> [ and ] are perfectly valid characters in a subject line and can be used for all sorts of reasons.


It's my fault for not making it more clear in the OP; two of the "all sorts of reasons" this allows are not just silly mischief but more importantly, email tricking/spoofing.

If you noticed in the second silly example I provided above, where I can include other group's tags verbatim in my subject line, we are facilitating an admin, for fun/mischief or more sinister reasons, to make emails from their group "pretend" to be from another group: use no group tag, carefully set the message subject where it looks exactly the same as posted on another group, except one letter difference, easily missed if not paying attention. 

For example, just for the fun of it, I did that to my test group: renamed it to betta, main, and no group tag, and copied this topic's subject.  I end up with this emailed message in the inbox, which is buried/camouflaged along with the rest of the real topic, and to the careless, it looks like the real thing, only one letter difference in the address:



Invitations and DirectAdds from this betta group look like the same as the real beta ones to the careless/glance-overs, only one letter difference. 

I think I can more or less safely bet that:

- If I was to directadd you to betta, you'd probably do a "whaaat? I'm already a member, did Mark do something??" double-take initially, until you either spot the tt, or you click on the email links and go to betta's home page to see what the heck, which, if I wanted it to look like beta's, I could have, to a very close point at least.  Either way, you'd eventually figure it out and maybe come here to GMF or beta and report it.

- If I had taken the above betta spoofed message and instead of the "footers point to..." text, I had added a direct quote from one of the participants in this topic, and asked them to explain further or whatever which would necessitate their reply, and I also added the betta address in ReplyTo, then sent it to betta but also BCC'ed one or all of you participants, you'd receive it as the above seemingly-looking legit message, and because it's easy to miss, and you're also have the implicit bias of being dead-set against doing anything about this (fine, not a bug but still an) issue, there is a good chance you'd have replied back missing the trick, thinking your reply went to beta, only it didn't, it went to betta.

As to why do all this?  Spamming maybe?  Or could some enterprising mal-admin use this spoofing trick in some mal-capacity? I don't know but common-sense has proven time and time again that you never know what people will come up with. 

So if we think there's no other use than just having fun with this, and we're fine with how it currently works, then end of story I guess.

Although I'm not really though happy I had to explicitly show how to set it up (although it's not hard to figure out) ... maybe Mark should delete this topic and I can resubmit it worded less explicitly and as a #misc this time for further discussion, unless if everyone thinks it is end of story.

Cheers,
[Christos]


moderated Re: Proposing a change to Hashtag page display on mobile devices #suggestion

Andy Wedge
 

On Sun, Feb 7, 2021 at 01:20 PM, Sandi D wrote:
When I tap on the link to the Hashtag page and I am looking to #VO, for example, right now I have to scroll down through all the entries before I can get to the "next page" button.
I have 193 hashtags on my main group and my preferences are set to 100 items per page. Rather than scroll down and do Next Page I sometimes tap/click on the Name column header to change the sort order. Most items that were on page 2 then show on page 1. I just find it a bit quicker that way.

Andy


moderated Re: Proposing a change to Hashtag page display on mobile devices #suggestion

Sandi D <sandi.asgtechie@...>
 

On Thu, Feb 4, 2021 at 10:47 AM, Sandi D wrote:
When I tap on the link to the Hashtag page and I am looking to #VO, for example, right now I have to scroll down through all the entries before I can get to the "next page" button.
Is this not an issue for others? 
 
--
Sandi Dickenson


moderated Re: "Fake subject tags" are allowed in the subject line #bug

Dave Sergeant
 

I agree, strongly. [ and ] are perfectly valid characters in a subject
line and can be used for all sorts of reasons. The fact that they are
also used to enclose the group name is irrelevant. I would also say
that the use of # for things other than hashtags is also perfectly
valid - and in itself causes much confusion when an innocent # is
picked up and a 'new hashtag' is created. We do not use hashtags in our
lists.

Dave

On 7 Feb 2021 at 7:31, Malcolm Austen wrote:

I see no bug here. In my experience, it's normal list practice to simply
prefix the subject if the list prefix text is not already present.
Banning other square brackets would, for example, prevent someone asking
in a techie groups about the use of [a-z] in a regular expression.

Malcolm.

http://davesergeant.com


moderated Re: "Fake subject tags" are allowed in the subject line #bug

Glenn Glazer
 

Concur. This seems much more like a group rule that some groups may choose to enforce rather than a technological problem in need of solution.

Best,

Glenn

On 02/06/2021 23:31, Malcolm Austen wrote:
I see no bug here. In my experience, it's normal list practice to simply prefix the subject if the list prefix text is not already present. Banning other square brackets would, for example, prevent someone asking in a techie groups about the use of [a-z] in a regular expression.

Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>

On 07/02/2021 04:06:51, Christos G. Psarras <christos@...> wrote:

Hi All,

Apparently we are allowing square bracket sets in the subject line, I was under the impression we didn't.  Today i received this topic in our (unmoderated) ALPS group, group tag [ALPS]:
[ALPS] [ALPS MD 5000] Try to Print test page -> got an error #alps #grouphelp #help

YYMV, but I did in initial double-take, and went to check the group settings to make sure no another admin was monkeying around, then the message itself and it was sent like that, which also makes the message display odd as usually there is not a "group tag" showing:



(I did email the poster and explained to them why they shouldn't use brackets and instead use a new hashtag, they can create them)

If Monty Python was performing today, they may had a modern skit, Ministry of Silly Subjects ... straight out of it, one can send stuff like this:
[ALPS] [the mountains], or is it? [nah, it's the printers] ...  Got yah!
[grouptag] [GMF] [beta] and [whatever else I can think of]


I'm not sure we should be allowing non-grouptag bracket sets for the sake of allowing the user to be able to use square brackets themselves in the subject line, it does dilute the group subject tag and allows silly mischief at the very least.  Or maybe allow them but not in the beginning of the subject text.

Cheers,
Christos


--
PG&E Delenda Est


moderated Re: "Fake subject tags" are allowed in the subject line #bug

Malcolm Austen
 

I see no bug here. In my experience, it's normal list practice to simply prefix the subject if the list prefix text is not already present. Banning other square brackets would, for example, prevent someone asking in a techie groups about the use of [a-z] in a regular expression.

Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>

On 07/02/2021 04:06:51, Christos G. Psarras <christos@...> wrote:

Hi All,

Apparently we are allowing square bracket sets in the subject line, I was under the impression we didn't.  Today i received this topic in our (unmoderated) ALPS group, group tag [ALPS]:
[ALPS] [ALPS MD 5000] Try to Print test page -> got an error #alps #grouphelp #help

YYMV, but I did in initial double-take, and went to check the group settings to make sure no another admin was monkeying around, then the message itself and it was sent like that, which also makes the message display odd as usually there is not a "group tag" showing:



(I did email the poster and explained to them why they shouldn't use brackets and instead use a new hashtag, they can create them)

If Monty Python was performing today, they may had a modern skit, Ministry of Silly Subjects ... straight out of it, one can send stuff like this:
[ALPS] [the mountains], or is it? [nah, it's the printers] ...  Got yah!
[grouptag] [GMF] [beta] and [whatever else I can think of]


I'm not sure we should be allowing non-grouptag bracket sets for the sake of allowing the user to be able to use square brackets themselves in the subject line, it does dilute the group subject tag and allows silly mischief at the very least.  Or maybe allow them but not in the beginning of the subject text.

Cheers,
Christos


moderated "Fake subject tags" are allowed in the subject line #bug

 

Hi All,

Apparently we are allowing square bracket sets in the subject line, I was under the impression we didn't.  Today i received this topic in our (unmoderated) ALPS group, group tag [ALPS]:
[ALPS] [ALPS MD 5000] Try to Print test page -> got an error #alps #grouphelp #help

YYMV, but I did in initial double-take, and went to check the group settings to make sure no another admin was monkeying around, then the message itself and it was sent like that, which also makes the message display odd as usually there is not a "group tag" showing:



(I did email the poster and explained to them why they shouldn't use brackets and instead use a new hashtag, they can create them)

If Monty Python was performing today, they may had a modern skit, Ministry of Silly Subjects ... straight out of it, one can send stuff like this:
[ALPS] [the mountains], or is it? [nah, it's the printers] ...  Got yah!
[grouptag] [GMF] [beta] and [whatever else I can think of]


I'm not sure we should be allowing non-grouptag bracket sets for the sake of allowing the user to be able to use square brackets themselves in the subject line, it does dilute the group subject tag and allows silly mischief at the very least.  Or maybe allow them but not in the beginning of the subject text.

Cheers,
Christos


moderated Re: Member activity incomplete for Direct Added members #bug

Duane
 

On Sat, Feb 6, 2021 at 04:55 PM, Mike Hanauer wrote:
I would still suggest listing both date and time.
It did at one time, but takes too much real estate on mobile, so the current option was implemented.

Duane


moderated Re: Member activity incomplete for Direct Added members #bug

Mike Hanauer
 

Thanks. Didn't realize that. I would still suggest listing both date and time.

Consider Better, not Bigger. So many advantages. Just ask. USA adds a Chicago to our overpop each year.
"Still more population growth is not our way to a healthy community, a healthy planet, OR enjoyable cycling."

    ~Mike


On Saturday, February 6, 2021, 01:57:22 PM EST, Duane <txpigeon@...> wrote:


On Sat, Feb 6, 2021 at 11:05 AM, Mike Hanauer wrote:
I would love to see the date and the time for all instances.
When you hover on anything that only shows a date, it will show complete information.

Duane


moderated Sent invitations don't sort in 'Invited' #bug

Malcolm Austen
 

This is in a free group in case it matters ...

The 'Sent invitations' list sorts fine when clicking on the Email or Status headers but it doesn't sort in any obvious way when I click on the Invited header. ...?

While I'm here although this is only a #suggestion or #request ... could we have a search option on the 'Sent invitations' display please?

Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>


moderated Re: Member activity incomplete for Direct Added members #bug

Duane
 

On Sat, Feb 6, 2021 at 11:05 AM, Mike Hanauer wrote:
I would love to see the date and the time for all instances.
When you hover on anything that only shows a date, it will show complete information.

Duane


moderated Re: Member activity incomplete for Direct Added members #bug

Mike Hanauer
 

Added to that, I would love to see the date and the time for all instances.

Consider Better, not Bigger. So many advantages. Just ask. USA adds a Chicago to our overpop each year.
"Still more population growth is not our way to a healthy community, a healthy planet, OR enjoyable cycling."

    ~Mike


On Saturday, February 6, 2021, 12:02:39 PM EST, Andy Wedge <andy_wedge@...> wrote:


Hi Mark,

I noticed that the Member Activity list does not include the point at which a member joined a group if they were Direct Added. It does show if they accepted an invite though.  Can we include the Direct Added entry as well for a full list please?

Thanks
Andy


moderated Re: Changing email address security issue #misc

billsf9c
 

SECURITY: You can no longer change the email address of a member who is a moderator of a group. Discussion.

Yahoo lost a great list of 2000 due to this issue. 2 owners suddenly died a month apart. The 3rd and original owner was sad and would not consider a new appointment until after her planned 30 day vaction despite by adamant warnings. In a hotel her email was hacked. Somehiw she lost her ownership ability despite getting owner-mail.

A sole remaining mod did what he could but also did harm... perhaps why he was only a mod.

Now, Oremium Groups can get support help. I needed and got that once to help another list, (not mine, but was okay'd by the past owner to assume its helm.) But no lower group has recourse. Maybe "send this documentation & $20?"

Dunno - but ponder some last gasp assist, please, for the "outer limits" "twilight zone" that may and will occur.

BillSF9c


moderated Rejection message #bug

Duane
 

One of our rejection notices has quote marks, "thank you", but when selected, it shows the hmtl, &quot;thank you&quot;  Checking the notice, it appears correct, it's only when used that it's converted.  (I hope these show correctly.)

Thanks,
Duane


moderated Member activity incomplete for Direct Added members #bug

Andy Wedge
 

Hi Mark,

I noticed that the Member Activity list does not include the point at which a member joined a group if they were Direct Added. It does show if they accepted an invite though.  Can we include the Direct Added entry as well for a full list please?

Thanks
Andy


moderated Re: Site updates #changelog

 

Mark, the inclusion of the discussion link is a great and helpful idea, thanks!

Cheers,
Christos


moderated Re: Site updates #changelog

 

Thanks, Mark. 

On Fri, Feb 5, 2021 at 17:24 Mark Fletcher <markf@corp.groups.io> wrote:

Changes to the site this week:

February 5th, 2021

  • DOCS: Updates from Nina to the Owners Manual, Members Manual, and Getting Started Guide.
  • CHANGE: Changed hover title for P badge to Posting Always Allowed and hover title for NP badge to Not Allowed To Post.

February 4th, 2021

  • BUGFIX: For Enterprise groups with Disable Signups checked, don't display the link to register on the /login page.
  • BUGFIX: Fixed missing Moderator changed moderator permissions activity log entry description in the dropdown. Discussion.
  • BUGFIX: Use the message's unprocessed subject for the sent message activity log entry. Previously the cooked subject line, with end hashtags removed, was used.

February 3nd, 2021

  • NEW: New activity log entries for when someone reports a message, file or photo. Discussion.
  • CHANGE: Display a photo album's owner when viewing the album, not on the /photos page. Discussion.
  • CHANGE: We're now including a member's Display Name in notifications if available. Discussion.
  • SECURITY: You can no longer change the email address of a member who is a moderator of a group. Discussion.

February 2nd, 2021

  • BUGFIX: We were not returning SMTP error codes for some errors. Discussion.
  • BUGFIX: Fix confirmation email subject line example to agree with the actual email subject line. Discussion.
  • BUGFIX: Include the sender in the activity log entry for non-member sending a message requiring approval. Discussion.
  • BUGFIX: There were inconsistent tooltips on the Members page. Discussion.
  • CHANGE: In the Pending Message page, the NM badge is now red, and when viewing an individual pending message, the Non Member badge is red. Discussion.
  • BUGFIX: Drafts now remember if you have toggled the Private button in message replies. Discussion.
  • NEW: Activity log entries for adding/removing group aliases. Discussion.

Take care everyone.

Mark


moderated Site updates #changelog

 

Changes to the site this week:

February 5th, 2021

  • DOCS: Updates from Nina to the Owners Manual, Members Manual, and Getting Started Guide.
  • CHANGE: Changed hover title for P badge to Posting Always Allowed and hover title for NP badge to Not Allowed To Post.

February 4th, 2021

  • BUGFIX: For Enterprise groups with Disable Signups checked, don't display the link to register on the /login page.
  • BUGFIX: Fixed missing Moderator changed moderator permissions activity log entry description in the dropdown. Discussion.
  • BUGFIX: Use the message's unprocessed subject for the sent message activity log entry. Previously the cooked subject line, with end hashtags removed, was used.

February 3nd, 2021

  • NEW: New activity log entries for when someone reports a message, file or photo. Discussion.
  • CHANGE: Display a photo album's owner when viewing the album, not on the /photos page. Discussion.
  • CHANGE: We're now including a member's Display Name in notifications if available. Discussion.
  • SECURITY: You can no longer change the email address of a member who is a moderator of a group. Discussion.

February 2nd, 2021

  • BUGFIX: We were not returning SMTP error codes for some errors. Discussion.
  • BUGFIX: Fix confirmation email subject line example to agree with the actual email subject line. Discussion.
  • BUGFIX: Include the sender in the activity log entry for non-member sending a message requiring approval. Discussion.
  • BUGFIX: There were inconsistent tooltips on the Members page. Discussion.
  • CHANGE: In the Pending Message page, the NM badge is now red, and when viewing an individual pending message, the Non Member badge is red. Discussion.
  • BUGFIX: Drafts now remember if you have toggled the Private button in message replies. Discussion.
  • NEW: Activity log entries for adding/removing group aliases. Discussion.

Take care everyone.

Mark

1061 - 1080 of 29214