MAJOR BUG IN THE FORUMS

Forum History General Discussion

Docchris December 26, 2009, 5:01pm 1

Ok

i replied to “David” who is having problems in another thread. i used the quick rpely, and hit reply and my post got added to the end of the thread. perfectly normal

however below that it said

“There has been a mail error sending to xxx@xxxx.com with Error: SMTP Error: Could not connect to SMTP host.”

I have changed David’s actual e-mail address to xxx’s to protect his privacy.

The point however - it that evidently the forum was trying to e-mail him to tell him there is a reply to his thread - and since it failed it showed ME his private e-mail address.

As far as i am concerned this is a major security bug in these forums!!!

At no point should it ever be displaying one member’s private e-mail address to another member.

I can only assume that if any other other members of the forum reply to any of my posts - they will be presented with a similar message - containing MY personal e-mail address.

I would expect an immediate explanation from DRI as to how such a fundamental bug exists in their software!!![hr]
Oh you have got to be kidding…

when i posted that above - after i hit post just below the “saving” screen - were a string of 5 more error messages containing another 5 e-mail addresses!

this is a joke DRI, what the hell are you guys doing???[hr]
haha, i pm’ed jennifer about it - it displayed her e-mail address too (so now i know her surname ;))

glad to see everyone is affected

bhiga December 27, 2009, 7:23am 2

I’m seeing the same.

Having worked on a bunch of forums, I’m pretty sure DRI’s running one of the common forum packages, so it might be something beyond their control, unless it’s already been addressed in an update that hasn’t been applied yet.

Regardless, glad you notified Jennifer so she can get the right people on it.

Docchris December 27, 2009, 10:01am 3

yeah i actually used to moderate a forum which used an almost identical looking package, so i wouldnt be surpised if this was actually exactly the same one.

however i cant see this being a bug which has gone both unnoticed and unfixed.

David December 27, 2009, 5:00pm 4

Ah, interesting. Could this explain why to date I have received no emailed postings from the threads that I have subscribed to?

bhiga December 27, 2009, 9:48pm 5

Yes - seems there is some kind of SMTP error causing outbound notification mails (for subscribed threads, PMs) to fail.

Docchris December 28, 2009, 11:45am 6

but it shouldnt be presenting the failed addresses to other users - thats ridiculous

strangely when i started a whole new thread - it gave me a list of 5 e-mails it had failed to deliver to

i wonder if thats the people who get notified whenever a new thread is started - maybe i should spam those 5 addresses and see i that gets it fixed!

Jennifer December 28, 2009, 6:10pm 7

We are now aware of the problem and working to resolve the issue as soon as possible.

As a reminder, DRI was closed over the 3 day holiday weekend.

bhiga December 28, 2009, 6:40pm 8

Yeah, this forum allows for subscribing to a forum as well as an individual thread.

hacker December 31, 2009, 6:19pm 9

I get about 300 valid, non-spam personal emails a day and I haven’t seen a single spam email hit any of my Inboxes in well over 5 years now, so you’re free to repost my public email address anywhere you wish.

My mail server easily defers or catches and quarantines about 100-200 more a day on top of that, but not a single one hits my mail.

dspam + graymilter++

http://www.nuclearelephant.com/

Here’s a graph from my actual mail server showing the results, and how incoming spam (which was previously being caught and quarantined) dropped significantly after putting graymilter in front of dspam:

http://code.gnu-designs.com/images/graymilter_results.png
http://code.gnu-designs.com/images/dspam+graymilter-gnu.png

Managing the spam using dspam’s web-based quarantine tools makes it easy to retrain or “score” emails based on their level of spamminess.

Gmail has something similar, but it is nowhere near as accurate as dspam, and I get a few spams a week slipping through there.

Docchris December 31, 2009, 8:37pm 10

well its not the spam that worries me, i use gmail and get less than 1 a month in my inbox.

its all the slightly more sinister things people could do with it.

basically i would much rather not have my personal e-mail being public knowledge

Jennifer December 31, 2009, 8:51pm 11

The issue is resolved.

Docchris January 1, 2010, 1:09am 12

hmm, but i dont seem to be getting e-mails when people reply to my threads still…

David January 1, 2010, 3:31pm 13

ditto

Spiney January 4, 2010, 2:43pm 14

double ditto

Jennifer January 4, 2010, 6:21pm 15

Ok, we are looking into it, thanks!

rrrevin January 5, 2010, 12:40am 16

maybe that’s the fix… no more email is sent

Jennifer January 5, 2010, 1:09am 17

Issue now resolved.

Docchris January 5, 2010, 9:09am 18

Yep, i get e-mails again

yay.

Still doesnt explain why the forums were handing out personal e-mail addresses to complete strangers, a complete unacceptable breach of privacy,

And in the UK at least, this would count as illegal and would have to be reported to the information commissioner.

hacker January 6, 2010, 4:35pm 19

Another issue I’ve found, is that the forums no longer send emails out, so clicking on the “Email me” checkbox when making a post, will not let you know when that thread is updated.

Docchris January 6, 2010, 5:33pm 20

we were just discussing that particular bug…

then jennifer said it was fixed

and i confirmed that i was now recieving e-mail

in fact i recived the e-mail telling me that you were posting saying that there are no e-mails!