FUDforum - خوراک RDF
http://fudforum.org/forum/index.php
Google Groups rewriting from addresses to handle DMARC policy
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=187615&th=123955#msg_187615
I just created a PoC project to create a forum interface for some google(groups) based mailing lists.
Now we have been hit by this isuse:
www.spamresource.com/2014/04/google-groups-rewriting-from-addresses.html
As I use the auto user account creation feature, in practice this means that the forged From address causing the forum engine to create a user accoutn using the mailing list email address
The side effects:
- all the affected users mails are appearing under this fake user.
- the password reset function sends out reset links to the public mailing lists.
With this bug - or missing feature to workaround google's bad workaround - makes the forum useless in case of google mailing lists.
I found out that in such cases:
- the mail address in the From filed is always ending with: '@googlegroups.com'
- the real sender address can be found in: 'X-Original-From'
I also started to investigate the responsible code.
It seems trivial to add such exeption, however I don't know if that mail header parsing module is third party code or not...
]]>Zrubi2018-11-05T10:11:59-00:00Re: Google Groups rewriting from addresses to handle DMARC policy
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=187616&th=123955#msg_187616
Please post a patch when you're done.
]]>naudefj2018-11-05T19:32:01-00:00Re: Google Groups rewriting from addresses to handle DMARC policy
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=187618&th=123955#msg_187618
It is woks for me - but I only tested it with googlegroups mailing lists.]]>Zrubi2018-11-07T13:07:07-00:00Re: Google Groups rewriting from addresses to handle DMARC policy
http://fudforum.org/forum/index.phpindex.php?t=rview&goto=187667&th=123955#msg_187667
When sending mails with fake From address to a mailing list, it will deny or at least delay the message.
The "Fixed from address:" is a workaround, but then we loosing the author of the post.
To workaround this I just created a small modification (attached)
Hence, it is a quick fix, the final solution would be to (optionally?) include additional headers like X-Original-From
And/or probably this sould be template specific?]]>Zrubi2019-02-02T12:46:24-00:00