Topics

moderated Messages contain CC:group even with ReplyTo=sender and "Remove other options" #bug


Duane
 

On Wed, May 27, 2020 at 12:50 AM, Jim Avera wrote:
the MUAs still present ReplyAll buttons
I don't believe there's anything that causes that button to be available, it's just there.  On my Thunderbird, it's always there, even if there's only one address to reply to.

Duane


Jim Avera
 

Thanks Mark.   It appears that something else is still defeating Remove other Options, as the MUAs still present ReplyAll buttons which include the list-post address.

The To: header points to the list-post address, not to the recipient (i.e. subscriber).  I suspect this is making MUAs think a ReplyAll options is needed which includes that address (since To: is not the same as the current user). 


 

On Mon, May 18, 2020 at 7:34 PM Shal Farley <shals2nd@...> wrote:

What Duane said. I think for Jim's use case it would suffice to remove List-Post when Remove other options is checked. Logically it makes no sense to provide the List-Post field when that is checked (and the Reply To is set to Sender).

I've made this change.

Cheers,
Mark 


Malcolm Austen
 

On Tue, 19 May 2020 11:14:45 +0100, Jeremy H via groups.io <jeremygharrison=yahoo.co.uk@groups.io> wrote:

What I suggested, with which Jim agrees, is - as a response a question from Mark (above) - that it always be added to messages (e-mails) going through Groups.io, an eye catcher that indicates something specific has happened, that the message has passed through, and hence finally arrived from, Groups.io - something relatively meaningful for most users, and a useful indicator that it might need to responded to 'differently'.
No, very strongly no. That change would mean that a mail client that auto-added address book entries would end up with an entry saying:

"Malcolm Austen via groups.io" <my personal@address>

in their contact list and then be misguided into thinking that anything to that address would send via groups.io, which it obviously would not.

It's the users or their mail clients that are 'broken', groups.io is fine.

Or are you suggesting munging the actual email address as well, in which case I'd like to record a double 'No' vote.

Keep safe, Malcolm.

--
Malcolm Austen <@malcolma>


Jeremy H
 

On Mon, May 18, 2020 at 03:40 PM, Andy Wedge wrote:
Hi Jim,

On Sun, May 17, 2020 at 10:21 PM, Jim Avera wrote:
(That being said, always putting "via Groups.io" in the From username sounds like a good idea.)

"via Groups.io" is added when the headers have to be rewritten due to DMARC requirements so it signifies that something specific has happened not just as an eye-catcher.

<snip>

For the vast majority of users 'headers' and 'DMARC requirements' are meaningless terms, just part of the 'magic' that gets their messages through the system, without them having to care what's going on, So whether "via Groups.io"  is added is - for them - essentially random - it's something that 'sometimes' happens

What I suggested, with which Jim agrees, is - as a response a question from Mark (above) - that it always be added to messages (e-mails) going through Groups.io, an eye catcher that indicates something specific has happened, that the message has passed through, and hence finally arrived from, Groups.io - something relatively meaningful for most users, and a useful indicator that it might need to responded to 'differently'.

Jeremy


Duane
 

On Mon, May 18, 2020 at 07:12 PM, Duane wrote:
As far as I know, only Thunderbird (TB) is a problem,
After doing a bit more thorough testing, I've discovered that TB does work properly if using the Reply button.  It's the Reply All that will also populate the group name in addition to the sender.  TB also has a Reply List button that will only reply to the list.

After exchanging emails with Jim, the problem he's having is that, though it's an announcement group, he has over 20 people set as moderators so they can post.  Some of them use the Reply All instead of Reply, creating his dilemma.

Hopefully, removing the List-Post header for his conditions (Announce-Only, Reply-to-Sender,Remove-other-options), as Shal mentioned, would resolve this while still working for the group that previously requested it.

Duane


 

Mark,


I would like to get a better idea of how serious this issue is. Which email clients do this? 
 
What Duane said. I think for Jim's use case it would suffice to remove List-Post when Remove other options is checked. Logically it makes no sense to provide the List-Post field when that is checked (and the Reply To is set to Sender).

For a group that selects Reply To Sender but allows the other option the List Post field is arguably correct, plus or minus bad boys like Thunderbird.

Shal


Duane
 

On Mon, May 18, 2020 at 05:07 PM, Mark Fletcher wrote:
I would like to get a better idea of how serious this issue is. Which email clients do this?
As far as I know, only Thunderbird (TB) is a problem, but they released a patch a few years ago to restore the previous (honor Reply-To) action.  The problem is, their original change defaulted to ignore the Reply-To header when there was a List-Post header, a major change from standard practice.  Rather than revert that and make a proper fix for the problem they were trying to solve, they released the patch that requires each user to implement it if they want it.

This is related to the previous topic https://beta.groups.io/g/main/topic/7558487 where List-Post was added, removed, and then added back for some circumstances.  Unfortunately, I think it's that last addition that is causing a problem for Jim because his users are using the TB standard setup and haven't implemented the setting available in the patch.

Duane


 

On Sat, May 16, 2020 at 2:04 PM Jim Avera <jim.avera@...> wrote:

I hate to bug you but is a fix for this coming soon?

We've had to stop allowing direct (un-moderated) by anyone because many mail readers present "reply to list" as the default action, and the resulting junk messages have caused a few members to un-subscribe in disgust. 


I would like to get a better idea of how serious this issue is. Which email clients do this? 

Thanks,
Mark


Jim Avera
 

On Mon, May 18, 2020 at 07:40 AM, Andy Wedge wrote:
If your members are doing something 'wrong' out of habit, isn't a bit of education required?
Sigh.  Trying to improve everyone else's habits is a fool's errand, and rarely worth the social cost.

GIO's "Remove other Reply Options" would obviate the issue, but doesn't work because hidden headers make MUAs put those undesired reply options back in.  

This is a software problem which can be fixed; fixing people is much harder.


Andy Wedge
 

Hi Jim,

On Sun, May 17, 2020 at 10:21 PM, Jim Avera wrote:
(That being said, always putting "via Groups.io" in the From username sounds like a good idea.)

"via Groups.io" is added when the headers have to be rewritten due to DMARC requirements so it signifies that something specific has happened not just as an eye-catcher.

Referring back to your first message:

we can avoid spam from people who wrongly "reply to all" (as many are wont to do by habit),

If your members are doing something 'wrong' out of habit, isn't a bit of education required?

Andy

 


Jim Avera
 

For us, the problem is so severe that we would rather loose iron-clad traceability in order to completely disable "reply to list".

The [grouptag] prefix on the Subject: line is enough for humans to know a message originated from the list, and in the unlikely event of malicious messages we could see what is happening by looking at the raw headers.

(That being said, always putting "via Groups.io" in the From username sounds like a good idea.)


Jeremy H
 

On Sat, May 16, 2020 at 11:47 PM, Andy Wedge wrote:
On Tue, Mar 31, 2020 at 05:10 PM, Mark Fletcher wrote:
Now, to what I think you're asking: is there a way to disable Reply All in email clients. I think the answer is yes, if I re-write the To line in messages so that, instead of being the group email address, the To line is the recipient of the email message. Then the group email address would not appear anywhere in the message headers and Reply All would not send the message to the group. But, I think this would make it very difficult for someone to determine if a message they received was sent to them via the group or just by someone replying to a message the person originally sent to the group. I think this would be confusing. Thoughts?
Being able to determine that a message came from the group rather than direct from another person can give a level of confidence in the authenticity of the message and I would not want to lose that.

Andy
and the 'via Groups.io' that (currently) sometimes appears in the 'From' field achieves that: I would suggest that it always should.

Jeremy


Andy Wedge
 

On Tue, Mar 31, 2020 at 05:10 PM, Mark Fletcher wrote:
Now, to what I think you're asking: is there a way to disable Reply All in email clients. I think the answer is yes, if I re-write the To line in messages so that, instead of being the group email address, the To line is the recipient of the email message. Then the group email address would not appear anywhere in the message headers and Reply All would not send the message to the group. But, I think this would make it very difficult for someone to determine if a message they received was sent to them via the group or just by someone replying to a message the person originally sent to the group. I think this would be confusing. Thoughts?
Being able to determine that a message came from the group rather than direct from another person can give a level of confidence in the authenticity of the message and I would not want to lose that.

Andy


Jim Avera
 

Hi Mark,

I hate to bug you but is a fix for this coming soon?

We've had to stop allowing direct (un-moderated) by anyone because many mail readers present "reply to list" as the default action, and the resulting junk messages have caused a few members to un-subscribe in disgust. 

At this point it's known that it is not a Cc: header but one of the others (probably List-Post: or List-Id:) which is causing the problem.

-Jim


Jim Avera
 

In https://groups.io/g/GroupManagersForum/message/31637 Shal Farley referred me to an old bug (https://beta.groups.io/g/main/topic/7558487#16479) where the solution was to add the List-Post: header.

So maybe List-Post: should not be included if the group is configured to omit all reply options other than the default (e.g. to Sender only).

-Jim


Jim Avera
 

Mark,
It's still a problem, at least for subscribers with certain MUAs.  I use Thunderbird, and the default reply action is always "Reply To List" even though the group is a [Announce-Only, Reply-to-Sender,Remove-other-options] group.  

Even though configured to omit all options other than reply-to-sender, GIO is embedding many headers which contain the group posting email address:

Sender: mygroupname@groups.io
List-Id: <mygroupname@groups.io>
Mailing-List: list mygroupname@groups.io; contact ...
Delivered-To: mailing list mygroupname@groups.io
List-Post: <mailto:mygroupname@groups.io>

Are all these necessary?   I'm suspicious of List-Post and Mailing-List in particular.  If these are not *required* by some protocol, it might be best to omit them for groups configured to not allow reply-to-list.  Ideally the post-to-list email address would not appear anywhere in the message in that case (perhaps it could be mangled so a human would know what it is, but no MUA could know the posting address).

I'll attach the actual headers from a message I received recently from our group.

Thanks.


 

On Mon, Apr 27, 2020 at 9:49 AM Jim Avera <jim.avera@...> wrote:
The CC line is still there.  I just got spammed by a moderator who did "reply all" to someone else's post. 

We don't add CC lines anymore. My guess is that whoever is sending the message is adding that CC line (or their email client is). We strip a bunch of email headers, but CC is not one. IIRC, we used to strip it, but people complained.


Mark 


Jim Avera
 

The CC line is still there.  I just got spammed by a moderator who did "reply all" to someone else's post. 

This has become a significant problem in my group, which is "Announce Only" and "Reply To Sender" only, but has about a dozen Moderators (who have no privs, except that they can post).  

There's been email storms where one of them does "reply all" to a post, adding additionan CCs of others who also happen to be moderators, and they in turn "reply all"  to each other thinking they are having a private conversation just among themselves, but blast the entire list.

Help please!


 

On Thu, Mar 19, 2020 at 07:34 AM, Jim Avera wrote:

If "Reply to" in Group settings is set to "sender", and "Remove Other Reply Options" is checked, messages still contain a CC: header pointing to the group post address.   This permits users to reply to the group through email, but not on the web.  This is almost certainly not what the owner intended.  I'm guessing this is a #bug.

Well, not a bug because it's doing what it was designed to do, but I think the design was wrong. For Reply To Sender groups, we were adding a CC line pointing back to the group email address. I think I added that because of reasons explained here: https://beta.groups.io/g/main/message/2181, but on reflection that is wrong because when someone clicks the Reply All button in their email client, the client already includes the To address, which is the group. On testing with Gmail, with the CC line, and doing Reply All, you end up sending the reply to the group twice (because it used the addresses in the To and CC lines).

I have removed this CC line for Reply To Sender groups. Please let me know if it causes a problem.

Now, to what I think you're asking: is there a way to disable Reply All in email clients. I think the answer is yes, if I re-write the To line in messages so that, instead of being the group email address, the To line is the recipient of the email message. Then the group email address would not appear anywhere in the message headers and Reply All would not send the message to the group. But, I think this would make it very difficult for someone to determine if a message they received was sent to them via the group or just by someone replying to a message the person originally sent to the group. I think this would be confusing. Thoughts?

Thanks, Mark