[Python-apps-team] Bug#968875: rss2email forges envelope sender

Ben Hutchings ben at decadent.org.uk
Sat Aug 22 21:10:59 BST 2020


Package: rss2email
Version: 1:3.12.1-1
Severity: serious
Tags: upstream

Today I learned that rss2email copies the email addresses from feed
entries into both the From field and the envelope sender of messages.

This is not acceptable behaviour in an email generator.  The envelope
sender *must* be set to an address that the user configures, where
*they* can receive bounce messages.

The current behaviour results in bounces being sent to the authors of
feed entries, which is what just happened to me.  It can also result
in messages being dropped if the forgery is detected by MTAs that
check SPF.

Ben.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-1-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rss2email depends on:
ii  python3             3.8.2-3
ii  python3-feedparser  5.2.1-2
pn  python3-html2text   <none>

Versions of packages rss2email recommends:
ii  python3-bs4  4.9.1-1

Versions of packages rss2email suggests:
pn  esmtp  <none>
-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
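The separation the report asks for, shown as an added Python example (this is not rss2email's own code): the RFC 5321 envelope sender handed to the MTA is always an address the local user configures, regardless of what the feed entry says, while the feed author's address is preserved in a Reply-To header. The feed entry, the recipient and the configured sender address are constructed sample values; `smtplib.SMTP.send_message` really does take the envelope sender as a separate `from_addr` argument, which is what the recording transport below imitates.

```python
"""
Added example, not rss2email's code: build a message from a feed entry so
that the envelope sender (MAIL FROM) is an address the local user
configures and can receive bounces at, independent of the From: header.
"""
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed sample feed entry; every address in this file is hypothetical.
SAMPLE_ENTRY = {
    "title": "Release 1.0",
    "author": "Feed Author",
    "author_email": "author@feed.example",
    "link": "https://feed.example/posts/1",
    "summary": "First release is out.",
}

# Constructed local configuration for a hypothetical user account.
RECIPIENT = "user@localhost.example"
ENVELOPE_SENDER = "user@localhost.example"  # where bounces must be delivered


def _render(entry):
    """Plain-text body for one feed entry."""
    return f"{entry['title']}\n{entry['link']}\n\n{entry['summary']}\n"


def header_addr(msg, field):
    """Bare address part of a header field, or None if the field is absent."""
    value = msg[field]
    return parseaddr(value)[1] if value else None


def build_forged(entry, recipient):
    """The behaviour the report describes: the feed author's address is used
    both as the From: address and as the envelope sender, so bounces go to
    the author and SPF checks on the author's domain can reject the mail."""
    msg = EmailMessage()
    msg["From"] = formataddr((entry["author"], entry["author_email"]))
    msg["To"] = recipient
    msg["Subject"] = entry["title"]
    msg.set_content(_render(entry))
    return entry["author_email"], msg


def build_fixed(entry, recipient, envelope_sender):
    """Hardened form: the envelope sender is always the configured address.
    The author's display name stays in From: with the configured address,
    and the author's own address moves to Reply-To:."""
    msg = EmailMessage()
    msg["From"] = formataddr((entry.get("author") or "rss2email", envelope_sender))
    if entry.get("author_email"):
        msg["Reply-To"] = formataddr((entry.get("author", ""), entry["author_email"]))
    msg["To"] = recipient
    msg["Subject"] = entry["title"]
    msg.set_content(_render(entry))
    return envelope_sender, msg


def envelope_is_forged(envelope_from, allowed_senders):
    """Pre-send check: True when the MAIL FROM address is not one the local
    user configured, i.e. not one at which they can receive bounces."""
    allowed = {a.lower() for a in allowed_senders}
    return parseaddr(envelope_from)[1].lower() not in allowed


class RecordingTransport:
    """Offline stand-in for smtplib.SMTP: records (envelope_from, recipients)
    instead of talking to an MTA. The real send_message() takes the envelope
    sender as from_addr, separately from the From: header."""

    def __init__(self):
        self.sent = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        envelope = from_addr or header_addr(msg, "From")
        self.sent.append((envelope, list(to_addrs or [msg["To"]])))


def deliver(transport, envelope_from, msg, allowed_senders):
    """Refuse to hand a forged envelope sender to the transport."""
    if envelope_is_forged(envelope_from, allowed_senders):
        raise ValueError(f"refusing to send with envelope sender {envelope_from!r}")
    transport.send_message(msg, from_addr=envelope_from, to_addrs=[msg["To"]])
    return envelope_from


if __name__ == "__main__":
    transport = RecordingTransport()
    bad_env, _ = build_forged(SAMPLE_ENTRY, RECIPIENT)
    good_env, good_msg = build_fixed(SAMPLE_ENTRY, RECIPIENT, ENVELOPE_SENDER)
    print("forged envelope:", bad_env, "->", envelope_is_forged(bad_env, [ENVELOPE_SENDER]))
    print("fixed envelope: ", good_env, "->", envelope_is_forged(good_env, [ENVELOPE_SENDER]))
    deliver(transport, good_env, good_msg, [ENVELOPE_SENDER])
    print(good_msg)
```

The `deliver` guard is the check a practitioner would want in front of any MTA hand-off: the envelope sender is validated against the configured list, so an entry with an unexpected author address cannot turn the local host into a sender for someone else's domain.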


