Email rule type hits when email addresses partially match

[Digi92]

Hi,
we noticed a submission today that was flagged via our email spam list.
The email type sees a hit apparently when the email addresses partially match.

In the EmailRuleTester "

mosparo/src/Rule/Tester/EmailRuleTester.php

Line 16 in 051def2

if (strpos($value, $itemValue) !== false) {

" is set as a condition.
I think it would be better for mails to check if the mail is really present in the checked text, so either before/after the string is a space or the beginning/end of the string.

Our rule (mail modified):
{"uuid":"d9aee038-3098-4db4-8162-dfeb16794db8","type":"email","value“:“test@gmail.com“,“rating":1}

The email in the form (mail changed):
blatest@gmail.com

My solution suggestion would be to solve it via a regex:
if (preg_match('/\b' . preg_quote($itemValue, '/') . '\b/', $value)) {

Tested under version 0.4.6

[zepich]

Hi @Digi92

Thank you very much for your issue and for reporting this bug!

The solution I've added to the code could be better, you're right.

I've tested your RegEx pattern, but more is needed to solve the problem. The problem is that \b also matches the . and + signs, so if you have email addresses like bla.test@gmail.com or bla+test@gmail.com will still match but should not match. Additionally, I didn't know that until now, characters like : ; , / are valid characters for an email address as well, but they would match with \b (see here: https://en.wikipedia.org/wiki/Email_address#Local-part).

I think the solution is this RegEx pattern:

(^|\s+)test@gmail\.com(\s+|$)

This RegEx pattern would match at the start of the value or if a space is in front AND at the end of the value, or if a space is after the email address. If someone writes ... write an email:test@gmail.com, it would not match because this could be a valid email address. The worst case with this pattern is that you receive the spam in that case and would have to add another rule to catch that (email:test@gmail.com) as well.

What do you think about that RegEx pattern?

Matching result:

[Digi92]

Hi @zepich,
i think your suggested regex is a good solution.
In most cases the email field is checked and there should be no other text like "email:".
If the email should appear in a text, I think there would be too many ways to write it (like "to:", "mail:", "write to me:", etc.) for us to catch it with this one regex without risking false positives again.

[zepich]

Fixed with v1.0.1