Page MenuHomePhabricator
Create Task
Maniphest T13317

Unverified/nonsense account emails can trigger inbound CCs (was: Inbound support pact email sometimes CCs disabled user `@maxhodges` in Phacility)
Closed, ResolvedPublic
Actions

Description

This is something of a weird one.

On Phacility, user @maxhodges is disabled, but three different pacts have CC'd him (PHI35, PHI1309, PHI1202). In all cases, the action which added this account to CC was an email reply.

This is harmless because of how policies work, but likely suggests that inbound mail has some kind of parsing issue -- like a header is getting picked up by accident and treated as a mention?

Revisions and Commits

rP Phabricator
D20593rPcaaa1394ef15 Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y.

Related Objects

Event Timeline

epriestley triaged this task as Low priority.Jun 18 2019, 5:15 PM
epriestley created this task.
Herald added a subscriber: amckinley. · View Herald TranscriptJun 18 2019, 5:15 PM
epriestley added a comment.Jun 18 2019, 5:22 PM

Aha! This user very cleverly added noreply@admin.phacility.com to their user account before they were disabled.

They are then CC'd because their email address is on the recipient list.

We should probably:

  • Only trigger CCs for recipients if the recipient email is verified.
  • Never trigger CCs for recipients if the recipient email is on any of the "magic" lists of noreply/reserved addresses.
epriestley renamed this task from Inbound support pact email sometimes CCs disabled user `@maxhodges` in Phacility to Unverified/nonsense account emails can trigger inbound CCs (was: Inbound support pact email sometimes CCs disabled user `@maxhodges` in Phacility).Jun 18 2019, 5:22 PM
epriestley added a revision: D20593: Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y.com" attached to their account has not verified the address.Jun 19 2019, 6:15 PM
epriestley mentioned this in T4411: Adding a CC to a Maniphest Task should give View rights for that user.Jun 19 2019, 6:19 PM
epriestley closed this task as Resolved by committing rPcaaa1394ef15: Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y..Jun 19 2019, 7:51 PM
epriestley claimed this task.
epriestley added a commit: rPcaaa1394ef15: Don't count "Cc: x@y.com" as a legitimate recipient if the user who has "x@y..
Phabricator · Built by Phacility