[Python-apps-team] Bug#968875: rss2email forges envelope sender

gustavo panizzo gfa at zumbi.com.ar
Sun Aug 30 10:49:01 BST 2020


Hello Ben

On Sat, Aug 22, 2020 at 09:10:59PM +0100, Ben Hutchings wrote:
>Package: rss2email
>Version: 1:3.12.1-1
>Severity: serious
>Tags: upstream
>
>Today I learned that rss2email copies the email addresses from feed
>entries into both the From field and the envelope sender of messages.
>
>This is not acceptable behaviour in an email generator.  The envelope
>sender *must* be set to an address that the user configures, where
>*they* can receive bounce messages.
>

I remember seeing emails going to post authors long ago if the default
configuration was in use. Current r2e sets the From in the config if it
is not set, which should stop the issue from happening.

With the version in sid I cannot reproduce the error. Would you please
check the rss2email version in one of the bounces you get?
It should be in the email headers.


thanks

>The current behaviour results in bounces being sent to the authors of
>feed entries, which is what just happened to me.  It can also result
>in messages being dropped if the forgery is detected by MTAs that
>check SPF.
>
>Ben.
>
>-- System Information:
>Debian Release: bullseye/sid
>  APT prefers unstable-debug
>  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
>Architecture: amd64 (x86_64)
>Foreign Architectures: i386
>
>Kernel: Linux 5.7.0-1-amd64 (SMP w/2 CPU threads)
>Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
>Shell: /bin/sh linked to /bin/dash
>Init: systemd (via /run/systemd/system)
>LSM: AppArmor: enabled
>
>Versions of packages rss2email depends on:
>ii  python3             3.8.2-3
>ii  python3-feedparser  5.2.1-2
>pn  python3-html2text   <none>
>
>Versions of packages rss2email recommends:
>ii  python3-bs4  4.9.1-1
>
>Versions of packages rss2email suggests:
>pn  esmtp  <none>
>-- 
>Ben Hutchings
>When in doubt, use brute force. - Ken Thompson
>
>



-- 
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333
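
Added example, not part of the original thread and not rss2email's own code: how a Python mail generator ends up with the feed author as envelope sender when the envelope is left to smtplib's default (Sender header, then From header), and the fix of passing the user's configured address as from_addr. The addresses, RecordingSMTP and the helper names are constructed for illustration.

```python
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample values (not taken from the bug report).
AUTHOR = "Jane Author <jane@blog.example>"   # address found in the feed entry
SUBSCRIBER = "reader@home.example"           # where the generated mail is delivered
BOUNCE = "reader@home.example"               # address the user configured for bounces

class RecordingSMTP(smtplib.SMTP):
    """Test double: records the SMTP envelope instead of talking to a server."""
    def __init__(self):
        # No host is given, so the constructor does not open a connection.
        super().__init__(local_hostname="localhost")
        self.envelopes = []
    def ehlo_or_helo_if_needed(self):
        pass  # never connected, nothing to greet
    def sendmail(self, from_addr, to_addrs, msg, mail_options=(), rcpt_options=()):
        self.envelopes.append((from_addr, list(to_addrs)))
        return {}

def build_entry_mail(entry_author, subscriber):
    """Build a message whose From header shows the feed entry's author."""
    msg = EmailMessage()
    msg["From"] = entry_author
    msg["To"] = subscriber
    msg["Subject"] = "New post"
    msg.set_content("Feed entry body")
    return msg

def send_default(smtp, msg):
    """Envelope left to smtplib: MAIL FROM is derived from Sender, else From."""
    smtp.send_message(msg)
    return smtp.envelopes[-1][0]

def send_with_bounce_address(smtp, msg, bounce_address):
    """Envelope set explicitly; the From header still shows the entry author."""
    smtp.send_message(msg, from_addr=bounce_address)
    return smtp.envelopes[-1][0]

def envelope_is_forged(envelope_sender, bounce_address):
    """True when bounces would go somewhere other than the configured address."""
    return parseaddr(envelope_sender)[1].lower() != parseaddr(bounce_address)[1].lower()

if __name__ == "__main__":
    mail = build_entry_mail(AUTHOR, SUBSCRIBER)
    print("default envelope sender: ", send_default(RecordingSMTP(), mail))
    print("explicit envelope sender:", send_with_bounce_address(RecordingSMTP(), mail, BOUNCE))
```

With the explicit envelope sender, bounces return to the configured address and an SPF check is made against that address's domain rather than the feed author's.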


