Slash

Roger,

Thanks for the link to the RFC, I will read it over.

My original thinking on the from address was this:
It makes it easier for someone to request that we don't allow people 
to email them from our system. Someone who is angry (and not 
tech-savvy) will most likely just hit reply, and if someone is 
abusing the system they most likely are putting someone else's 
address in the sender's address field as well. The only thing known 
for sure is that the email is from my system. To allow an unverified 
address in the from field seemed like asking for trouble.

--Eric


At 3:23 PM -0500 3/27/02, Roger H. Goun wrote:
>Eric Goldhagen writes:
> > My mailit plugin is running and although it is not as polished as I
> > would like, it is online for a public beta test.
> >
> > http://info.interactivist.net
> >
> > any criticism / comments are welcome.
>
>Looks very nice. I recommend bringing the email headers that this plugin
>generates into compliance with RFC 2822:
>
>    ftp://ftp.rfc-editor.org/in-notes/rfc2822.txt
>
>Specifically, the From: header should contain the email address provided
>by the user who asked to have the message sent, and the Sender: header
>should contain info@..., the mailbox of the actual
>transmitter of the message.
>
>See Section 3.6.2. of RFC 2822 for details.
>
>Regards,
>
>Roger

------------
http://www.abcnorio.org
http://www.interactivist.net
http://www.autonomedia.org
http://www.nomadlab.com

It seems to me that the more likely case is that a naive recipient will
hit the reply button to thank the (human) sender for forwarding the
story. If the From: header doesn't contain the human sender's address,
the reply will go awry and the recipient of the story won't understand
why. Indeed, he or she might never know that the reply had gone into the
bit bucket.

Your heart is in the right place, but understand that there are
thousands of ways for abusive senders to mailbomb unwilling recipients.
Messing with the headers isn't a good way to prevent that. Better ways
to minimize such mischief might be to limit the number of times per hour
that any IP block can access the form, or permit only logged-in users to
use it and take the From address from users.realemail, so at least
you'll know that the From address is valid.

Regards,

Roger

On Wed, 2002-03-27 at 15:57, Eric Goldhagen wrote:
> Roger,
> 
> Thanks for the link to the RFC, I will read it over.
> 
> My original thinking on the from address was this:
> It makes it easier for someone to request that we don't allow people 
> to email them from our system. Someone who is angry (and not 
> tech-savvy) will most likely just hit reply, and if someone is 
> abusing the system they most likely are putting someone else's 
> address in the sender's address field as well. The only thing known 
> for sure is that the email is from my system. To allow an unverified 
> address in the from field seemed like asking for trouble.
> 
> --Eric
> 
> 
> At 3:23 PM -0500 3/27/02, Roger H. Goun wrote:
> >Eric Goldhagen writes:
> > > My mailit plugin is running and although it is not as polished as I
> > > would like, it is online for a public beta test.
> > >
> > > http://info.interactivist.net
> > >
> > > any criticism / comments are welcome.
> >
> >Looks very nice. I recommend bringing the email headers that this plugin
> >generates into compliance with RFC 2822:
> >
> >    ftp://ftp.rfc-editor.org/in-notes/rfc2822.txt
> >
> >Specifically, the From: header should contain the email address provided
> >by the user who asked to have the message sent, and the Sender: header
> >should contain info@..., the mailbox of the actual
> >transmitter of the message.
> >
> >See Section 3.6.2. of RFC 2822 for details.
> >
> >Regards,
> >
> >Roger
> 
> ------------
> http://www.abcnorio.org
> http://www.interactivist.net
> http://www.autonomedia.org
> http://www.nomadlab.com

All good points.

We don't want to limit the feature to logged in users as most people 
that use our site don't log in. But using something to limit repeated 
access to the form is a fine idea.

Expect to see some changes in the next few days.

Thanks again for your feedback.

--Eric



At 4:42 PM -0500 3/27/02, Roger H. Goun wrote:
>It seems to me that the more likely case is that a naive recipient will
>hit the reply button to thank the (human) sender for forwarding the
>story. If the From: header doesn't contain the human sender's address,
>the reply will go awry and the recipient of the story won't understand
>why. Indeed, he or she might never know that the reply had gone into the
>bit bucket.
>
>Your heart is in the right place, but understand that there are
>thousands of ways for abusive senders to mailbomb unwilling recipients.
>Messing with the headers isn't a good way to prevent that. Better ways
>to minimize such mischief might be to limit the number of times per hour
>that any IP block can access the form, or permit only logged-in users to
>use it and take the From address from users.realemail, so at least
>you'll know that the From address is valid.
>
>Regards,
>
>Roger
>
>On Wed, 2002-03-27 at 15:57, Eric Goldhagen wrote:
> > Roger,
> >
> > Thanks for the link to the RFC, I will read it over.
> >
> > My original thinking on the from address was this:
> > It makes it easier for someone to request that we don't allow people
> > to email them from our system. Someone who is angry (and not
> > tech-savvy) will most likely just hit reply, and if someone is
> > abusing the system they most likely are putting someone else's
> > address in the sender's address field as well. The only thing known
> > for sure is that the email is from my system. To allow an unverified
> > address in the from field seemed like asking for trouble.
> >
> > --Eric
> >
> >
> > At 3:23 PM -0500 3/27/02, Roger H. Goun wrote:
> > >Eric Goldhagen writes:
> > > > My mailit plugin is running and although it is not as polished as I
> > > > would like, it is online for a public beta test.
> > > >
> > > > http://info.interactivist.net
> > > >
> > > > any criticism / comments are welcome.
> > >
> > >Looks very nice. I recommend bringing the email headers that this plugin
> > >generates into compliance with RFC 2822:
> > >
> > >    ftp://ftp.rfc-editor.org/in-notes/rfc2822.txt
> > >
> > >Specifically, the From: header should contain the email address provided
> > >by the user who asked to have the message sent, and the Sender: header
> > >should contain info@..., the mailbox of the actual
> > >transmitter of the message.
> > >
> > >See Section 3.6.2. of RFC 2822 for details.
> > >
> > >Regards,
> > >
> > >Roger
> >
> > ------------
> > http://www.abcnorio.org
> > http://www.interactivist.net
> > http://www.autonomedia.org
> > http://www.nomadlab.com
>
>
>_______________________________________________
>Slashcode-general mailing list
>Slashcode-general@...
>https://lists.sourceforge.net/lists/listinfo/slashcode-general

------------
http://www.abcnorio.org
http://www.interactivist.net
http://www.autonomedia.org
http://www.nomadlab.com

On Wednesday 27 March 2002 05:10 pm, Eric Goldhagen wrote:
> All good points.
>
> We don't want to limit the feature to logged in users as most people
> that use our site don't log in. 

It would be nice if this behavior was on/off'able via a constant var.

>But using something to limit repeated
> access to the form is a fine idea.

Is it using formkeys? If so, you could put the limit inside the formkey 
itself.

At 6:04 PM -0500 3/27/02, shane wrote:
>On Wednesday 27 March 2002 05:10 pm, Eric Goldhagen wrote:
> > All good points.
> >
> > We don't want to limit the feature to logged in users as most people
> > that use our site don't log in.
>
>It would be nice if this behavior was on/off'able via a constant var.

Seems easy enough to add in; I will work on it. in the short-term I 
think it could be done in the template-- don't display the "email 
this article" link to non-logged in users.


> >But using something to limit repeated
> > access to the form is a fine idea.
>
>Is it using formkeys? If so, you could put the limit inside the formkey
>itself.


Not at the moment, but by the end of the week. yes, it will be using formkeys.

--Eric

------------
http://www.abcnorio.org
http://www.interactivist.net
http://www.autonomedia.org
http://www.nomadlab.com

Eric,

Thanks very much for your mailit2.pl plugin.

I've installed it even though it may not be the securest piece of code on 
the net....

http://news.diversebooks.com/

-----------------------------------------------------

Can anyone give me an example of their storyLink template? I am trying to 
understand whether my Bender installation should be using links like

http://news.diversebooks.com/article.pl?sid=02/03/27/1030207&mode=thread&threshold=

or

point to the static file which *isn't* getting generated on my Bender box.,

Alex





At 23:10 27/03/02, Eric Goldhagen wrote:
>All good points.
>
>We don't want to limit the feature to logged in users as most people that 
>use our site don't log in. But using something to limit repeated access to 
>the form is a fine idea.
>
>Expect to see some changes in the next few days.
>
>Thanks again for your feedback.
>
>--Eric

Any thoughts on how to make it more secure?

I am rather new to this writing code thing...

--Eric

>Eric,
>
>Thanks very much for your mailit2.pl plugin.
>
>I've installed it even though it may not be the securest piece of 
>code on the net....
>
>http://news.diversebooks.com/
>
>-----------------------------------------------------

------------
http://www.abcnorio.org
http://www.interactivist.net
http://www.autonomedia.org
http://www.nomadlab.com