E-Mail headers with @ trigger some spam filters #29107

Closed
techknowlogick opened this issue Feb 9, 2024 · 2 comments · Fixed by #29109

@techknowlogick
Member

Originally posted in #28981 (comment)

cc: @wxiaoguang @gwymor

@techknowlogick
Member Author

Pinging @pat-s too.

The quote below is from @gwymor in the linked issue:

What displays that message? Are you aware of email providers/stacks that will take that as a sign of spam/phishing and flag the message? I would hope nothing would make that mistake as there's no user-part before the @.
If email providers do, we should probably drop the @, and display the sender as Display Name (username).
When a user has no display name the sender currently falls back to @username. If we change that to just username, I'm afraid that doesn't make it clear enough that this is a username that cannot be spoofed (aside from inspecting the X-Gitea/GitHub-Sender headers, which I think is too much to require a user to do in a spoofing attempt) -- you can't easily tell the difference between a post-1.22 Gitea sending a username, and a pre-1.22 Gitea sending a displayname that looks like a username. We could remove the fallback code, and always show Display Name (username), which will fall back to username (username). That would be more consistent and easy to verify at a glance, but perhaps noisy.

gwymor added a commit to gwymor/gitea that referenced this issue Feb 9, 2024
Commit 360b3fd (Include username in email headers (go-gitea#28981),
2024-02-03) adds usernames to the From field of notification emails in
the form of `Display Name (@username)`, to prevent spoofing. However,
some email filtering software flags "@" in the display name part of the
From field as potential spoofing, as you could set the display name part
to another email address than the one you are sending from (e.g.
`From: "apparent@email-address" <actual@email-address>`). To avoid
being flagged, instead send emails from `Display Name (username)`.

Closes: go-gitea#29107
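
The two display-name forms from the commit message, run through a check for "@" in the display-name part of the From field. This is an added example, not Gitea's code or any real filter's rule set: the function names, the sample addresses and the single-rule heuristic are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// displayOld is the form from commit 360b3fd: "Display Name (@username)".
func displayOld(displayName, username string) string {
	return fmt.Sprintf("%s (@%s)", displayName, username)
}

// displayNew is the form the fix switches to: "Display Name (username)".
func displayNew(displayName, username string) string {
	return fmt.Sprintf("%s (%s)", displayName, username)
}

// formatFrom renders a From header value; net/mail quotes the display name.
func formatFrom(displayName, address string) string {
	return (&mail.Address{Name: displayName, Address: address}).String()
}

// displayNameHasAt is an assumed version of the filter heuristic: parse the
// header and report whether the display-name part contains "@".
func displayNameHasAt(fromValue string) (bool, error) {
	addr, err := mail.ParseAddress(fromValue)
	if err != nil {
		return false, err
	}
	return strings.Contains(addr.Name, "@"), nil
}

func main() {
	// Constructed sample values, not taken from a real instance.
	const sender = "notifications@gitea.example"
	samples := []string{
		formatFrom(displayOld("Jane Doe", "jdoe"), sender),
		formatFrom(displayNew("Jane Doe", "jdoe"), sender),
		`"apparent@mail.example" <actual@other.example>`,
	}
	for _, s := range samples {
		flagged, err := displayNameHasAt(s)
		fmt.Printf("%-50s flagged=%v err=%v\n", s, flagged, err)
	}
}
```

The check looks only at the parsed display name, so the "@" in the real address inside the angle brackets never counts.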
silverwind pushed a commit that referenced this issue Feb 10, 2024
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024
6543 pushed a commit to 6543-forks/gitea that referenced this issue Feb 26, 2024
(cherry picked from commit 5b2fd0f)
Automatically locked because of our CONTRIBUTING guidelines

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 28, 2024