Bug in nabble's mail forms

Hi.  I discovered a bug with your email forms.

I work at NASA.  In the jzy3d forum (a nabble forum), I used a mail form to reach another user, Joe.  I'm guessing you provide these to hide users' addresses.

Then you sent Joe a message to his gmail account, listing me as the From address.

But NASA's DMARC policy only allows emails from NASA to come from NASA machines, so the gmail server bounced it back to me, including that it was to Joe, exposing his email address.  (So I worked around the problem by sending an email to Joe at his gmail address.)

Thus, all of your users with gmail addresses, or whose mail providers observe the DMARC standards, can be exposed by a bot that sends mail with all the forms on your site (assuming the bot first makes an account).

A solution is to send to Joe from your own machines, and include my email address in the content of the email.
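As an added illustration (not part of the forum post above), here is how a contact form can build its outgoing message so it passes the recipient's DMARC alignment check: the From header carries the site's own domain and the user's address goes into the body, as the poster suggests. Domain names and addresses are constructed; the site domain `forum.example` and the `noreply@` mailbox are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

SITE_DOMAIN = "forum.example"  # assumed: the forum's own sending domain


def from_domain(msg: EmailMessage) -> str:
    """Domain of the RFC 5322 From header, the identifier DMARC aligns against."""
    return parseaddr(msg["From"])[1].rpartition("@")[2].lower()


def dmarc_aligned(msg: EmailMessage, sending_domain: str) -> bool:
    """Relaxed DMARC identifier alignment: the From domain equals the domain the
    mail is actually sent from, or is a subdomain of it. In the bug report the From
    domain (the user's employer, with a reject policy) and the sending domain (the
    forum) differ, so the receiving server rejects and bounces the message."""
    d = from_domain(msg)
    sending_domain = sending_domain.lower()
    return d == sending_domain or d.endswith("." + sending_domain)


def build_contact_mail_unsafe(sender: str, recipient: str, body: str) -> EmailMessage:
    """The pattern the post describes: the user's own address is put in From."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Message via the forum contact form"
    msg.set_content(body)
    return msg


def build_contact_mail(sender: str, recipient: str, body: str) -> EmailMessage:
    """Hardened: From is a site address, the user's address appears only in the body.
    The SMTP envelope sender (MAIL FROM) used when relaying must also be a site
    address (assumption; not shown here), so any bounce returns to the site and
    never shows the user the recipient's real address."""
    msg = EmailMessage()
    msg["From"] = f"Forum contact form <noreply@{SITE_DOMAIN}>"
    msg["To"] = recipient
    msg["Subject"] = "Message via the forum contact form"
    msg.set_content(f"{sender} sent you this message through the forum:\n\n{body}")
    return msg


if __name__ == "__main__":
    # constructed sample: a sender whose domain publishes a strict DMARC policy
    bad = build_contact_mail_unsafe("alice@strict-dmarc.example", "joe@example.net", "hi")
    good = build_contact_mail("alice@strict-dmarc.example", "joe@example.net", "hi")
    print("unsafe aligned:", dmarc_aligned(bad, SITE_DOMAIN))   # False
    print("hardened aligned:", dmarc_aligned(good, SITE_DOMAIN)) # True
```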