Thread: Message-ID should surely not be shown as a mailto: URL

So looking at page source for, eg,
http://archives.postgresql.org/pgsql-hackers/2008-06/msg00338.php

I see

<li><strong>From</strong>: Tom Lane <<a
href="mailto:tgl@DOMAIN.HIDDEN">tgl(at)sss(dot)pgh(dot)pa(dot)us</a>></li>
<li><strong>To</strong>: <a href="mailto:pgsql-hackers@DOMAIN.HIDDEN">pgsql-hackers(at)postgresql(dot)org</a></li>
<li><strong>Subject</strong>: Re: We have a launch abort ... PG update releases will be delayed</li>
<li><strong>Date</strong>: Sat, 07 Jun 2008 11:45:56 -0400</li>
<li><strong>Message-id</strong>: <<a
href="mailto:20506.1212853556@DOMAIN.HIDDEN">20506(dot)1212853556(at)sss(dot)pgh(dot)pa(dot)us</a>></li>

This seems outright silly.  In the first place, I do not see the value
of displaying mailto: URLs containing intentionally-broken addresses.
In the second, even if the domain names were fixed, there is no way on
god's green earth that mailto: a Message-ID is going to work.

Hm, I wonder if sloppiness of this sort accounts for the remarkable
prevalence in my mail logs of spam-sign like this:

Jun  9 00:44:06 sss2 sm-mta[4062]: m594i5Ns004062: <19570.1142971720@sss.pgh.pa.us>... User unknown

I don't pretend to know what is the approved way to deal with these
issues, but *this* can't be best practice.
        regards, tom lane

On Mon, Jun 09, 2008 at 02:30:55AM -0400, Tom Lane wrote:
> 
> Hm, I wonder if sloppiness of this sort accounts for the remarkable
> prevalence in my mail logs of spam-sign like this:
> 
> Jun  9 00:44:06 sss2 sm-mta[4062]: m594i5Ns004062: <19570.1142971720@sss.pgh.pa.us>... User unknown

Good bet.

> I don't pretend to know what is the approved way to deal with these
> issues, but *this* can't be best practice.

Obviously, someone is looking for something that _looks_ like a mail
address, attempting to munge it, and on the way through, changing it
to a mailto: link.  I think some parsing of the RFC2821/2822 headers
is needed first, so that one doesn't do this for things like the
message id.   

A

-- 
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/

Andrew Sullivan wrote:
> On Mon, Jun 09, 2008 at 02:30:55AM -0400, Tom Lane wrote:

> > I don't pretend to know what is the approved way to deal with these
> > issues, but *this* can't be best practice.
> 
> Obviously, someone is looking for something that _looks_ like a mail
> address, attempting to munge it, and on the way through, changing it
> to a mailto: link.  I think some parsing of the RFC2821/2822 headers
> is needed first, so that one doesn't do this for things like the
> message id.   

Mhonarc does this mangling.  I tried to stop it but couldn't find the
way.  I didn't investigate it too closely though, so most likely there
is a way to make it work.  If anyone wants to spend some time on it,
feel free to send patches.  Our resource files are here:

https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-current
https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-common
https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-utf8

The actual mhonarc call is in this script:
https://pgweb.postgresql.org/browser/trunk/archives/bin/mk-mhonarc

The mhonarc documentation:
http://www.mhonarc.org/MHonArc/doc/mhonarc.html


Oh, FWIW, the Message-ID URLs (which are just hard links actually) are
created by this script:
https://pgweb.postgresql.org/browser/trunk/archives/bin/createmsgid.pl

It has a couple of holes (i.e. there are certain types of Message-Ids
for which it doesn't work), so patches are welcome too.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

Andrew Sullivan <ajs@commandprompt.com> writes:
> On Mon, Jun 09, 2008 at 02:30:55AM -0400, Tom Lane wrote:
>> I don't pretend to know what is the approved way to deal with these
>> issues, but *this* can't be best practice.

> Obviously, someone is looking for something that _looks_ like a mail
> address, attempting to munge it, and on the way through, changing it
> to a mailto: link.  I think some parsing of the RFC2821/2822 headers
> is needed first, so that one doesn't do this for things like the
> message id.   

What I'm complaining about is the logical disconnect involved in
sticking a mailto: onto an address that you have carefully made
unusable for sending mail to.  I don't have a problem with munging
all of them, just leave off the mailto decoration.
        regards, tom lane

Alvaro Herrera wrote:
> Andrew Sullivan wrote:
> > On Mon, Jun 09, 2008 at 02:30:55AM -0400, Tom Lane wrote:
> 
> > > I don't pretend to know what is the approved way to deal with these
> > > issues, but *this* can't be best practice.
> > 
> > Obviously, someone is looking for something that _looks_ like a mail
> > address, attempting to munge it, and on the way through, changing it
> > to a mailto: link.  I think some parsing of the RFC2821/2822 headers
> > is needed first, so that one doesn't do this for things like the
> > message id.   
> 
> Mhonarc does this mangling.  I tried to stop it but couldn't find the
> way.  I didn't investigate it too closely though, so most likely there
> is a way to make it work.  If anyone wants to spend some time on it,
> feel free to send patches.  Our resource files are here:
> 
> https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-current
> https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-common
> https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-utf8
> 
> The actual mhonarc call is in this script:
> https://pgweb.postgresql.org/browser/trunk/archives/bin/mk-mhonarc
> 
> The mhonarc documentation:
> http://www.mhonarc.org/MHonArc/doc/mhonarc.html

I looked at this for a while and am uncertain how to affect the header
display.  When I was dealing with this, I considered the message-id to
be an identifier, rather than something I wanted displayed in the email
header block, so I put it above the header:
http://momjian.us/mhonarc/patches_hold/msg00021.html

Using these mhonarc.rc lines:
<MSGHEAD>Message-ID: $MSGID$</MSGHEAD>

You could even modify this to add a link to show the message by
message-id URL.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +

Alvaro Herrera wrote:
> Andrew Sullivan wrote:
> > On Mon, Jun 09, 2008 at 02:30:55AM -0400, Tom Lane wrote:
> 
> > > I don't pretend to know what is the approved way to deal with these
> > > issues, but *this* can't be best practice.
> > 
> > Obviously, someone is looking for something that _looks_ like a mail
> > address, attempting to munge it, and on the way through, changing it
> > to a mailto: link.  I think some parsing of the RFC2821/2822 headers
> > is needed first, so that one doesn't do this for things like the
> > message id.   
> 
> Mhonarc does this mangling.  I tried to stop it but couldn't find the
> way.  I didn't investigate it too closely though, so most likely there
> is a way to make it work.  If anyone wants to spend some time on it,
> feel free to send patches.  Our resource files are here:
> 
> https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-current
> https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-common
> https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-utf8
> 
> The actual mhonarc call is in this script:
> https://pgweb.postgresql.org/browser/trunk/archives/bin/mk-mhonarc
> 
> The mhonarc documentation:
> http://www.mhonarc.org/MHonArc/doc/mhonarc.html

Have you tried adding this to your mhonarc.rc file?
<NOMAILTO>

In fact looking at:
https://pgweb.postgresql.org/browser/trunk/archives/bin/resource-common

I see the use of MAILTO even though the comment doesn't match:
<!-- Don't convert e-mail addresses to mailto: URLs -->25     <MAILTO>

It seems logical seeing as we are already using:
<SPAMMODE>

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +

Bruce Momjian wrote:

> Have you tried adding this to your mhonarc.rc file?
> 
>     <NOMAILTO>

Hmm, no, I just added it and the archive is being reprocessed.  The
mailto: links have now been removed; for example see
http://archives.postgresql.org/pgsql-committers/2008-11/msg00111.php
(Mhonarc is still running)

> I see the use of MAILTO even though the comment doesn't match:
> 
>     <!-- Don't convert e-mail addresses to mailto: URLs -->
>     25     <MAILTO>

Ugh.  I assume Marc took the original config file and switched the
setting without even looking at the comment.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

Okay, so Bruce got in Perl hacking mode today and wrote a script to
munge the message-ids.  If you look at our archives you'll notice that
on each message the Message-Id header is now a proper link to the
message itself using the message-id-style URL, and it is no longer
munged by the "no spam" Mhonarc mode.  (Well, actually it is, and it's
de-munged by Bruce's script later on.  We'll be fixing that too
hopefully!)

Thanks Bruce!

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support