Registration e-mails - allow no-reply address with Reply-To conference organizer #2224

Open
pferreir opened this issue Jan 29, 2016 · 3 comments

Comments

@pferreir
Member

Since it's too insecure to allow customization of the From field, we could allow an option for a no-reply with a Reply-To one of the conference managers (configurable).

We should check whether #1877 would have any implications, though.

@pferreir pferreir added this to the v1.9.7 milestone Jan 29, 2016
@pferreir
Member Author

Internal reference: CHG34180

@ThiefMaster ThiefMaster removed this from the v1.9.7 milestone Sep 7, 2016
@DirkHoffmann
Member

Why do you state "it's too insecure"? Are there real (IT) safety issues, or is it just that people might enter an invalid address?

I use this opportunity to make another, related observation: Recently I had sent out emails to participants (of an event on indico.in2p3.fr) with a CNRS sender address (some_comitee@services.cnrs.fr) on the official CNRS mailing list server. All recipients received their email except the one who had an address my_name@cnrs.fr, because the cnrs.fr mailserver considered it spam, due to the "forged sender address", which did not correspond to a cnrs.fr IP. (Yes, IN2P3 is CNRS, but that is not the point here. ;-) )

So we may have this problem of false positive spam detection for Indico-sent emails coming more often. The "From:noreply - Reply-To:anyaddress" strategy (as described in #1877) seems promising to me.

@pferreir
Member Author

> Why do you state "it's too insecure"? Are there real (IT) safety issues, or is it just that people might enter an invalid address.

I'm not sure what Pedro from 2016 meant, but I believe it was just about someone creating an Indico event, forging the "From:" field and sending spam/phishing. Speaking of this, I've just opened a PR that applies this "no-reply" logic to service requests:

#3938
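
The "From: noreply, Reply-To: conference manager" approach discussed in this thread, sketched as an added example (not part of the thread and not Indico's code). The no-reply address, the function name and the manager mapping are assumptions for illustration; the From address is fixed server-side and the Reply-To is accepted only if it belongs to one of the event's managers.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed value for illustration; an address on the sending server's own domain.
NOREPLY_ADDRESS = "noreply@indico.example.org"


def build_registration_email(event_title, managers, reply_to, recipient, body):
    """Build a message with a fixed From and a manager-only Reply-To.

    managers: dict mapping manager e-mail address -> display name.
    reply_to: address chosen by the organizer; must be one of the managers.
    """
    # Only event managers are accepted, so an organizer cannot direct replies
    # to, or present the message as coming from, an arbitrary third party.
    _, addr = parseaddr(reply_to)
    allowed = {a.lower(): name for a, name in managers.items()}
    if not addr or addr.lower() not in allowed:
        raise ValueError("Reply-To must be one of the event managers")
    display_name = allowed[addr.lower()]

    # Reject line breaks in user-controlled header text (header injection).
    for value in (event_title, display_name, recipient):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value")

    msg = EmailMessage()
    # From is never taken from user input; only the display name varies.
    msg["From"] = formataddr((event_title, NOREPLY_ADDRESS))
    msg["Reply-To"] = formataddr((display_name, addr))
    msg["To"] = recipient
    msg["Subject"] = f"Registration: {event_title}"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample data.
    managers = {"alice@conf.example.org": "Alice Organizer"}
    print(build_registration_email(
        "Workshop", managers, "alice@conf.example.org",
        "bob@example.net", "Your registration is confirmed."))
```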
