{"id":1069,"date":"2021-04-20T14:33:53","date_gmt":"2021-04-20T18:33:53","guid":{"rendered":"https:\/\/dc540.org\/xxx\/?p=1069"},"modified":"2021-04-20T14:33:54","modified_gmt":"2021-04-20T18:33:54","slug":"cpanels-plus-addressing-feature-is-specifically-weird-and-problematic","status":"publish","type":"post","link":"https:\/\/dc540.org\/xxx\/2021\/04\/cpanels-plus-addressing-feature-is-specifically-weird-and-problematic\/","title":{"rendered":"CPanel’s “Plus Addressing” feature is specifically weird and problematic."},"content":{"rendered":"\n

I got off on a tangent recently, wanting Gitlab’s “Service Desk” functionality to work. This feature allows remote users to open issues via a crafted “Plus addressing” email address, i.e. gitlabaddress+gitlab-project-identifier<\/strong>@yourdomain.com<\/em>. I did everything I was told to, and was struggling with why it wasn’t working. It just wasn’t detecting new emails at all. <\/p>\n\n\n\n

So I logged into the webmail of the domain on which I had set up the email account, it’s a cPanel website by one of the big commodity shared hosting providers. Sure enough, nothing is in the inbox. Hmm. Maybe Plus Addressing isn’t as ubiquitous as I thought. I mean it’s been a thing with Gmail for a while now, but maybe…<\/p>\n\n\n\n

Nope, research showed that cPanel has indeed adopted it.<\/p>\n\n\n\n

But wait. Ooooooh, cPanel, you think you’re crafty, don’t you? Rather than just allow the email in and rely on the user to filter it, cPanel actually immediately routes the email to a folder named for whatever you throw in after the plus sign. If the folder doesn’t exist, it just creates one. That’s sure convenient! Except for one thing — the user has no way of knowing that folder exists, at least via webmail, because the user is not “subscribed” to new folders by default. The only way I was able to find the emails is to go into “Manage Folders”, then they show up in the folder list, with “subscribed” unchecked. So I subscribed, then viewed the emails, then dragged them into the inbox, where they were promptly picked up by Gitlab.<\/p>\n\n\n\n

A unique problem that may require a unique solution… I’ll have to think on this one a bit. Ideally, I would want these emails to enter the inbox normally. I know they think they’re doing the right thing for users wanting to use this as a spam filtering mechanism, but by having different behavior than other vendors supporting the extension of email address with a plus sign, they have created a dilemma for vendors who choose to make use of this functionality in their features.

Tested also on my Thunderbird client. Sending to a nonexistent folder hides the message in a newly-created unsubscribed folder. No hint to the user that it exists. Sending to an existing folder adds a new unread message to that folder.<\/p>\n\n\n\n

So you can put things into a recipients mailbox without anyone knowing they are there…
You can take up SPACE in a recipient’s mailbox, causing a denial of service, without them knowing why unless they go out of their way to look for unsubscribed folders. What if I sent 10,000 emails to that newly-created unsubscribed folders. Or even more annoying, 10,000 randomly-created folder names.<\/p>\n\n\n\n

Fascinating.<\/p>\n","protected":false},"excerpt":{"rendered":"

I got off on a tangent recently, wanting Gitlab’s “Service Desk” functionality to work. This feature allows remote users to open issues via a crafted “Plus addressing” email address, i.e. … <\/p>\n

Continue reading “CPanel’s “Plus Addressing” feature is specifically weird and problematic.”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1070,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[77],"tags":[],"class_list":["post-1069","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cots"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/dc540.org\/xxx\/wp-content\/uploads\/2021\/04\/Screen-Shot-2021-04-20-at-2.22.22-PM.png","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts\/1069","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/comments?post=1069"}],"version-history":[{"count":1,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts\/1069\/revisions"}],"predecessor-version":[{"id":1071,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts\/1069\/revisions\/1071"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/media\/1070"}],"wp:attachment":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/media?parent=1069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/categories?post=1069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/tags?post=1069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}