moderated "Fake subject tags" are allowed in the subject line #bug


 

Hi All,

Apparently we are allowing square bracket sets in the subject line, I was under the impression we didn't.  Today I received this topic in our (unmoderated) ALPS group, group tag [ALPS]:
[ALPS] [ALPS MD 5000] Try to Print test page -> got an error #alps #grouphelp #help

YMMV, but I did an initial double-take, and went to check the group settings to make sure no other admin was monkeying around, then the message itself and it was sent like that, which also makes the message display odd as usually there is not a "group tag" showing:



(I did email the poster and explained to them why they shouldn't use brackets and instead use a new hashtag, they can create them)

If Monty Python was performing today, they may have had a modern skit, Ministry of Silly Subjects ... straight out of it, one can send stuff like this:
[ALPS] [the mountains], or is it? [nah, it's the printers] ...  Got yah!
[grouptag] [GMF] [beta] and [whatever else I can think of]


I'm not sure we should be allowing non-grouptag bracket sets for the sake of allowing the user to be able to use square brackets themselves in the subject line, it does dilute the group subject tag and allows silly mischief at the very least.  Or maybe allow them but not in the beginning of the subject text.

Cheers,
Christos


Malcolm Austen
 

I see no bug here. In my experience, it's normal list practice to simply prefix the subject if the list prefix text is not already present. Banning other square brackets would, for example, prevent someone asking in a techie group about the use of [a-z] in a regular expression.

Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>



Glenn Glazer
 

Concur. This seems much more like a group rule that some groups may choose to enforce rather than a technological problem in need of solution.

Best,

Glenn



--
PG&E Delenda Est


Dave Sergeant
 

I agree, strongly. [ and ] are perfectly valid characters in a subject
line and can be used for all sorts of reasons. The fact that they are
also used to enclose the group name is irrelevant. I would also say
that the use of # for things other than hashtags is also perfectly
valid - and in itself causes much confusion when an innocent # is
picked up and a 'new hashtag' is created. We do not use hashtags in our
lists.

Dave

On 7 Feb 2021 at 7:31, Malcolm Austen wrote:

I see no bug here. In my experience, it's normal list practice to simply
prefix the subject if the list prefix text is not already present.
Banning other square brackets would, for example, prevent someone asking
in a techie group about the use of [a-z] in a regular expression.

Malcolm.

http://davesergeant.com


 

>>> I see no bug here. In my experience, it's normal list practice to simply prefix the subject if the list prefix text is not already present. Banning other square brackets would, for example, prevent someone asking in a techie group about the use of [a-z] in a regular expression
>>> This seems much more like a group rule that some groups may choose to enforce rather than a technological problem in need of solution.
>>> [ and ] are perfectly valid characters in a subject line and can be used for all sorts of reasons.


It's my fault for not making it more clear in the OP; two of the "all sorts of reasons" this allows are not just silly mischief but more importantly, email tricking/spoofing.

If you noticed in the second silly example I provided above, where I can include other groups' tags verbatim in my subject line, we are facilitating an admin, for fun/mischief or more sinister reasons, to make emails from their group "pretend" to be from another group: use no group tag, carefully set the message subject where it looks exactly the same as posted on another group, except one letter difference, easily missed if not paying attention.

For example, just for the fun of it, I did that to my test group: renamed it to betta, main, and no group tag, and copied this topic's subject.  I end up with this emailed message in the inbox, which is buried/camouflaged along with the rest of the real topic, and to the careless, it looks like the real thing, only one letter difference in the address:



Invitations and DirectAdds from this betta group look the same as the real beta ones to the careless/glance-overs, only one letter difference.

I think I can more or less safely bet that:

- If I was to directadd you to betta, you'd probably do a "whaaat? I'm already a member, did Mark do something??" double-take initially, until you either spot the tt, or you click on the email links and go to betta's home page to see what the heck, which, if I wanted it to look like beta's, I could have, to a very close point at least.  Either way, you'd eventually figure it out and maybe come here to GMF or beta and report it.

- If I had taken the above betta spoofed message and instead of the "footers point to..." text, I had added a direct quote from one of the participants in this topic, and asked them to explain further or whatever which would necessitate their reply, and I also added the betta address in ReplyTo, then sent it to betta but also BCC'ed one or all of you participants, you'd receive it as the above seemingly-looking legit message, and because it's easy to miss, and you also have the implicit bias of being dead-set against doing anything about this (fine, not a bug but still an) issue, there is a good chance you'd have replied back missing the trick, thinking your reply went to beta, only it didn't, it went to betta.

As to why do all this?  Spamming maybe?  Or could some enterprising mal-admin use this spoofing trick in some mal-capacity? I don't know but common-sense has proven time and time again that you never know what people will come up with. 

So if we think there's no other use than just having fun with this, and we're fine with how it currently works, then end of story I guess.

Although I'm not really happy I had to explicitly show how to set it up (although it's not hard to figure out) ... maybe Mark should delete this topic and I can resubmit it worded less explicitly and as a #misc this time for further discussion, unless everyone thinks it is end of story.

Cheers,
[Christos]


Andy Wedge
 

On Sun, Feb 7, 2021 at 07:32 AM, Malcolm Austen wrote:
I see no bug here.

Agreed. Even if changes were made that prevented the use of these brackets in Groups.io, there's nothing to stop emails sent from outside Groups.io using them. Everyone needs to vet every incoming email, regardless of the apparent source. This seems to be a solution looking for a problem.

Andy


Duane
 

On Sun, Feb 7, 2021 at 10:51 AM, Christos G. Psarras wrote:
As to why do all this?  Spamming maybe?  Or could some enterprising mal-admin use this spoofing trick in some mal-capacity? I don't know but common-sense has proven time and time again that you never know what people will come up with.

As I see it, it wouldn't be just a problem on the group, it could also be done without actually sending anything to a group by using personal email.  It might not be as slick, but a person would still receive the same spoof.  If/when anything 'weird' like that comes in, I check it well before taking any action.  Unfortunately, there are a LOT of people that don't, they take things at face value.

Duane


Bruce Bowman
 

The group's Subject Tag is in no way restricted to square brackets. You can use curly braces or angle brackets or no delimiter at all. Change it to whatever works for you.

Regards,
Bruce


Samuel Murrayy
 

On Sun, Feb 7, 2021 at 05:51 PM, Christos G. Psarras wrote:
As to why do all this?  Spamming maybe?  Or could some enterprising mal-admin use this spoofing trick in some mal-capacity? I don't know but common-sense has proven time and time again that you never know what people will come up with.

Okay, so you're trying to find a way to prevent abuse.  Then perhaps you should post a #suggestion that a user can enable an option in his settings called e.g. "Convert clashing subject line tags" which would cause Groups.io to compare any bracketed text of incoming messages' subject lines against the subject line tags of the groups that that member is currently a member of, and if there is a match, it changes the tag from e.g. [beta] to {beta}.  It must be possible for users to disable this check (in case they get too many false positives).  I suspect adding such a feature would be considered overkill, though.

Samuel
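
The "Convert clashing subject line tags" check proposed in the post above, sketched as an added example (not part of any post in this thread and not Groups.io code). The function name, its parameters and the sample subjects are hypothetical; it assumes square-bracketed tags and that the caller already knows which group actually delivered the message.

```python
import re

# Assumption: subject tags are square-bracketed, e.g. "[beta]".
BRACKETED = re.compile(r"\[([^\[\]]+)\]")

def _name(tag):
    """Normalise "[Beta]" or "Beta" to "beta" for comparison."""
    return tag.strip().strip("[]").strip().casefold()

def convert_clashing_tags(subject, origin_tag, member_tags, enabled=True):
    """Rewrite [tag] as {tag} when it names a group the member belongs to
    but the message was not delivered by that group.

    subject     -- subject line as received
    origin_tag  -- tag of the delivering group, or None if it has no tag
    member_tags -- tags of all groups the recipient is a member of
    enabled     -- the per-user switch the proposal asks for
    Returns (new_subject, list_of_converted_tags).
    """
    if not enabled:
        return subject, []
    origin = _name(origin_tag) if origin_tag else None
    known = {_name(t) for t in member_tags}
    converted = []

    def swap(match):
        name = _name(match.group(1))
        # The delivering group's own tag is genuine; any other bracketed
        # text that equals a subscribed group's tag is a clash.
        if name != origin and name in known:
            converted.append(match.group(0))
            return "{" + match.group(1) + "}"
        return match.group(0)

    return BRACKETED.sub(swap, subject), converted

if __name__ == "__main__":
    # Constructed samples modelled on the subjects quoted in this thread.
    mine = {"[grouptag]", "[GMF]", "[beta]", "[ALPS]"}
    samples = [
        ("[grouptag] [GMF] [beta] and [whatever else I can think of]", "[grouptag]"),
        ("[beta] Use of [a-z] in a regular expression", None),  # untagged sender
        ("[ALPS] [ALPS MD 5000] Try to Print test page", "[ALPS]"),
    ]
    for subject, origin in samples:
        print(convert_clashing_tags(subject, origin, mine))
```

Only exact tag matches are converted, so `[a-z]` and `[ALPS MD 5000]` pass through unchanged, which is the false-positive concern raised earlier in the thread.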