[H-GEN] Open source firm releases patch for IE spoofing flaw
Greg Black
gjb at gbch.net
Tue Dec 30 06:32:10 EST 2003

Honest, I was going to drop this thread, but Russell has posed
some new questions and they seem to deserve answers. Apologies
to those who have had enough.

On 2003-12-30, Russell Stuart wrote:
> On Tue, 2003-12-30 at 16:07, Greg Black wrote:
> > On 2003-12-29, Russell Stuart top-posted:
>
> > > Is a compromise possible? If someone were to submit a patch to mailman
> > > that made reply-to munging an option the user could turn off and on,
> > > what are the odds of it being accepted?
> >
> > Anybody who wants such a feature can add it with a trivial
> > procmail recipe; this is, after all, the way that Unix users
> > traditionally solve these little problems. There's no need for
> > patches to mailman.
>
> That is not true for everyone. Firstly to an old unix programmer like
> yourself it could[1] be trivial.

Fair point. Actually, I didn't mean it was trivial to write
procmail recipes, just that the recipe in question is a trivial
one once it's written.

In fact, the procmail language is one of the most disgusting
things I've ever seen, possibly in the same class as Allman's
sendmail.cf monstrosity.

> Judging by the questions I have seen
> on this list from others there are a few - perhaps the majority, who
> would not find it trivial. I am sure to some it would be
> impossible.

Nevertheless, despite its arcane syntax and rules, huge numbers
of people do use procmail regularly to do lots of useful work.
There are lots of example recipes on the Net and it's trivial to
extrapolate from them; there are also places where one can ask
questions about specific recipes.

The biggest problem with procmail recipes is that people try to
accomplish too much in one hit. It's hopeless trying to write a
huge procmailrc file as a single exercise. The only way to make
it work is to write one line at a time and to test it as you go,
making sure to repeat all the tests on each incarnation of the
file -- as later additions can break stuff that appeared to work
before. On a Unix system, this exercise is easy because one can
set up special accounts and feed them with tests automatically.
And, since this is a Unix user group, that's not an unreasonable
suggestion.

> Secondly, it's only an option if you are allowed to install procmail scripts
> on the machine that has your mail box[2]. Again most find it easiest to
> just collect their email from their ISP using their client.

For people in that situation, that's a fair comment; I didn't
really consider that scenario because I've never done anything
like that -- I've run mail servers from home for 20 years and
tend to see things in that light.

Nonetheless, I can't imagine that Unix users, even if they do
use POP or IMAP to fetch email from accounts on their ISP's box,
can't pre-process that email on their home system in a fairly
straightforward manner. If it's really difficult, then it would
make an excellent topic for a Humbug talk and a web page built
on that.

> If this was a Unix sysadmin list your comments would be spot on. It's
> not. Among other things, it is a forum newbies use to ask the opinions of
> more experienced users. Telling a newbie to write a procmail script is
> not helpful. In fact, I think it is simply elitist.

It's a Unix user group. Yes, there are newbies and yes, that
means that the more skilled members can (and regularly do) offer
all sorts of help in getting on top of these kinds of questions.
And if someone in the newbie class actually asks such a
question, I'm quite sure that several regular procmail users
would leap in with a solution. Telling people that there is a
possible mechanism to accomplish something and giving it a name
is not elitist, it's helpful. There's no point in providing all
the gory details unless there's an expressed interest. And, if
somebody does want those details, I'm not likely to be the right
person to provide them -- I don't use procmail myself and would
have to spend some time to re-learn it.

In case anybody cares, I use a bunch of tools that most people
here will not have heard of and certainly don't use; they do
what I want but are not at all something I'd recommend to people
who find procmail daunting.

> > Of course, this means that such users won't respect the wishes
> > of the people whose messages they mutilate, unless they take
> > care to write a recipe that only adds their chosen Reply-To if
> > there's not one already in place.
>
> Again, "respecting wishes" implies they know how to make their wishes
> known. In this case, it means knowing how to set the "Reply To"
> header. I would wager that most people on this list don't know, and of
> those that do most are not willing to take the effort.

That's fine; if the poster either does not know how to express
such a wish or can't be bothered doing it, then s/he can simply
not even think about it. But, when a poster has taken the time
to learn how to accomplish certain goals, then why not respect
that?

Again, if people are using Unix tools, I would be astonished if
there is any Unix MUA that doesn't make it really simple to set
one's own Reply-To headers; and most make it trivial to do that
in such a way that it's customised according to the recipient of
the email. If people can't work out how to do it for their MUA,
even after reading the manual, a quick question here would be
sure to lead to a solution.

After all, learning more of the dark corners of the tools and
systems we use is part of what Humbug is about.

> By the way, I notice you do take the effort. Do you do this manually
> on a message by message basis, or is it a feature of your client, or have
> you written some scripts? If you do it manually, hats off to you - I
> don't have the patience. If you have written some scripts would you
> care to share?

I do nearly everything manually when it comes to email. I read
headers, I edit headers and message bodies, and I think about
what I've done. Of course, I make typos and other misteaks that
somehow get left in even after re-reading the message; but I do
take the time to think about each message.

For the Reply-To header, my MUA puts an empty Reply-To header in
each draft message. This is part of my mutt setup and I don't
recall if it's a default or not. Then, if I paste something in
there, it ends up in the final message; if I leave it blank,
mutt just deletes that line from the message. Since the likely
content of a Reply-To will be one or more of the addresses
already in the draft reply, it's a matter of a couple mouse
clicks to paste in the desired content. Equally, it's similarly
trivial to edit out unwanted addresses.

> [1] My first experience with procmail was a bun fight. [...]

In case people are put off by the procmail horror stories, there
are other tools that do the same job but using different syntax
and rules. If you don't already have an investment in procmail
but want to have that functionality, you could try one of the
others. I do know of maildrop[1] which is part of the courier
email package; I've written a couple myself in Python, so there
must be a few like that around; or you could roll your own.

Cheers, Greg

[1] The maildrop man page is here:
http://www.flounder.net/~mrsam/maildrop/maildrop.html
That page will lead to others that will also help.
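
The filter discussed in this message (add a Reply-To pointing at the list only when the poster has not set one), sketched in Python as an added example; it is not code from the post or from any participant. The list id and list address are hypothetical placeholders, and the sample messages are constructed so each rule can be tested one at a time.

```python
import sys
from email import message_from_bytes, policy
from email.utils import parseaddr

# Hypothetical values for illustration; substitute your list's real ones.
LIST_ID = "general.lists.example.org"
LIST_ADDR = "general@lists.example.org"


def add_reply_to(raw: bytes, list_id: str = LIST_ID,
                 list_addr: str = LIST_ADDR) -> bytes:
    """Set Reply-To to the list address, unless the message is not list
    traffic or the poster already supplied a usable Reply-To."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    if list_id not in str(msg.get("List-Id", "")):
        return raw  # not from this list: pass through byte for byte
    existing = str(msg.get("Reply-To", ""))
    if parseaddr(existing)[1]:
        return raw  # the poster expressed a wish: respect it
    del msg["Reply-To"]  # remove an empty Reply-To header, if present
    msg["Reply-To"] = list_addr
    return msg.as_bytes()


def sample(extra: bytes = b"") -> bytes:
    """Constructed test message; 'extra' is spliced in as additional headers."""
    return (b"From: poster@example.com\n"
            b"List-Id: <general.lists.example.org>\n"
            + extra +
            b"Subject: test\n\nbody\n")


if __name__ == "__main__":
    # Use as a pipe filter: reads one message on stdin, writes it to stdout.
    sys.stdout.buffer.write(add_reply_to(sys.stdin.buffer.read()))
```
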