This may have been covered already, I've found a couple of references to this in the KB. However, I haven't found any mention of this being a security problem. So, in the interest of protecting others with the same setup out there, here goes...
I just realized that when I save a draft message through web messaging, this particular procedure is not performed as I had expected. Apparently, the draft is sent back into the mailbox through email. This is confirmed in the KB. For example, if your email address is "[EMAIL PROTECTED]" and you were to save a draft, a message is sent from your account to "[EMAIL PROTECTED]". If there is another account on your server called "test-draft", the message "disappears" from your account and ends up in the "Main" mailbox of the "test-draft" account!

- This also works on other mailboxes ("test-Sent", "test-Deleted", etc.).
- There is a way to change the delimiter, but this will disable draft saving.

So what's the punch line? If you're running an online email service where your users are allowed to pick their own email address... you've got a big problem. Your email address is "[EMAIL PROTECTED]". If I want to grab your sent mail or saved drafts... I just create "test-sent" and "test-draft" accounts... and I have a copy of all the email that reaches those folders. Another side effect is that the function will seem to not be working properly for "[EMAIL PROTECTED]". In reality, all their sent mail and drafts are getting shipped to someone else.

You can run a test on your own servers:
1) Create "test" and "test-draft".
2) Log in to "test".
3) Compose an email and save the draft.
4) Check Drafts... no email.
5) Log in to "test-draft".
6) There's the email.

This assumes that you have Outgoing messages saved in your "Sent" folder and Saved drafts in your Drafts folder.

As a workaround, I am not allowing any users to be created with "draft" or "sent" in them. I am not sure if this affects moving or deleting email also.

- Does anyone know of an elegant way of dealing with this?
- Is there a way to disable the "[EMAIL PROTECTED]" ability?
- If I disable this feature, I can BCC the sender and create a rule (FROM: user -> sent) to send outgoing items into their "Sent" folder.
Any ideas on how to accomplish this for "Draft" saving?

Finally, just a reminder to the guys (and gals) at IPSwitch... the HTML email issue will also allow a malicious user to create their own accounts and bypass my lame new username filter kluge if they knew which accounts have Host Admin or List Admin access. IMHO, draft saving and sent folder functionality should have been done exclusively on the server instead of involving sending emails to [EMAIL PROTECTED]. That's just asking for trouble.

Apologies for the long message.

Norman Nolasco
Advarion Incorporated
www.advarion.com
www.saturnofamerica.com
[EMAIL PROTECTED]

An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked questions: http://www.ipswitch.com/support/IMail/
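The post's workaround rejects any username containing "draft" or "sent", which also blocks harmless names like "draftsman" or "consent". The attack only works when an account is named exactly "<victim><delimiter><folder>", so a tighter check is to reject names of that shape, and to audit the accounts that already exist. The following is an added example written for this page, not code from the original post or from Ipswitch; it assumes the delimiter is "-" (as in the post's examples) and that the routed folder names are the ones the post mentions (Main, Sent, Deleted, Draft) plus "Drafts". Both are configurable, and the sample account list is constructed for illustration.

```python
"""Username validation against "<user>-<folder>" mail-routing collisions.

Added example, not code from the original post or from Ipswitch/IMail.
Assumptions: the folder delimiter is "-" and the folder names listed in
FOLDER_NAMES are the ones routed by address suffix.
"""

DELIMITER = "-"  # assumption: the delimiter seen in the post's examples
# assumption: folder names the webmail client routes by address suffix
FOLDER_NAMES = frozenset({"main", "sent", "deleted", "draft", "drafts"})


def folder_target(name, delimiter=DELIMITER, folders=FOLDER_NAMES):
    """If `name` has the form <base><delimiter><folder>, return (base, folder).

    Matching is case-insensitive because mailbox names are. Only the last
    delimiter is considered, so "john-doe-draft" maps to ("john-doe", "draft")
    while "john-doe" maps to None.
    """
    lowered = name.lower()
    base, sep, suffix = lowered.rpartition(delimiter)
    if sep and base and suffix in folders:
        return base, suffix
    return None


def check_new_username(new, existing, delimiter=DELIMITER, folders=FOLDER_NAMES):
    """Return None if `new` may be created, else a string saying why not.

    Rejects any name that would act as a folder alias for another mailbox,
    whether or not that mailbox exists yet (an attacker can register
    "<victim>-draft" before the victim signs up), and also rejects a base
    name whose folder aliases are already taken by other accounts.
    """
    existing_l = {e.lower() for e in existing}
    new_l = new.lower()
    if new_l in existing_l:
        return "account already exists"
    target = folder_target(new_l, delimiter, folders)
    if target:
        base, folder = target
        owner = "existing" if base in existing_l else "any future"
        return f"'{new}' would receive the {folder} mail of {owner} account '{base}'"
    taken = sorted(f for f in folders if f"{new_l}{delimiter}{f}" in existing_l)
    if taken:
        return f"folder alias(es) {taken} for '{new}' already belong to other accounts"
    return None


def audit_accounts(existing, delimiter=DELIMITER, folders=FOLDER_NAMES):
    """List existing accounts that sit on another mailbox's folder address.

    Returns (alias_account, base_account, folder, base_exists) tuples, sorted
    by account name. base_exists=True means the capture is live right now.
    """
    existing_l = {e.lower() for e in existing}
    findings = []
    for name in sorted(existing_l):
        target = folder_target(name, delimiter, folders)
        if target:
            base, folder = target
            findings.append((name, base, folder, base in existing_l))
    return findings


if __name__ == "__main__":
    # constructed sample account list, not real data
    accounts = {"test", "test-draft", "alice", "bob-sent", "draftsman"}
    for candidate in ["test-Sent", "carol", "consent", "bob"]:
        print(candidate, "->", check_new_username(candidate, accounts) or "ok")
    for finding in audit_accounts(accounts):
        print("audit:", finding)
```

Run the audit once against the full account list before enabling the check, since an account like "test-draft" created before the rule was in place is already receiving "test"'s drafts and needs to be renamed or removed by hand.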