
Add-on [AD] E-Mail Piping

Jake B.

Well-known member
#1
Hi all,

Audentio Design is currently in the process of developing an e-mail piping add-on similar to the one @Chris D had planned here, and we are looking for suggestions.

Current planned features:
  • Replying to conversations
  • Some sort of API for other developers to hook into so they can extend it to work with their Add-ons
Please feel free to reply with any ideas you may have.

Regards,

Jake B.
 

Jake B.

Well-known member
#2
Just an update, this is almost done now. I plan on opening a beta sometime in the near future after a couple minor issues are fixed.
 

Daniel Hood

Well-known member
#3
Out of curiosity, how are you authenticating the source? I considered doing this in the past but decided against it due to security reasons. Basically, pretending that XenForo had this set up, what would prevent me from knowing your email and sending an email to contact@xenforo.com with headers saying it's from you?

I love the concept of this add-on, so I don't mean to come across as negative or like I'm trying to kill it. Just concerned about members catching on that they can reply on each other's behalf.
 

Jake B.

Well-known member
#5
Out of curiosity, how are you authenticating the source? I considered doing this in the past but decided against it due to security reasons. Basically, pretending that XenForo had this set up, what would prevent me from knowing your email and sending an email to contact@xenforo.com with headers saying it's from you?

I love the concept of this add-on, so I don't mean to come across as negative or like I'm trying to kill it. Just concerned about members catching on that they can reply on each other's behalf.
Since this will only, by default, be supporting conversations, you would also need to know the Conversation ID. Though, I'm not quite sure what else I could do to remedy this :\. Perhaps some sort of Unique E-Mail identifier for each user that is sent with the e-mail that notifies you of the reply/new conversation. Right now all I'm doing is adding [CONV#X] to the beginning of the subject and then matching it to the conversation ID with a regular expression. Could probably do something along the lines of [CONV#X-Y] Where Y is some unique identifier for that user that is not displayed anywhere to members, but even that isn't secure. If anyone has any great ideas for this, I'm definitely open to them.

Also, spam and flood checking would be a key thing to get right also.
Yep, I have this planned. Just working out the best way to notify someone that their reply was rejected.

Regards,

Jake
 

Daniel Hood

Well-known member
#6
Right now all I'm doing is adding [CONV#X] to the beginning of the subject and then matching it to the conversation ID with a regular expression.
You could just use the link for the "view conversation" link at the bottom of the message?

If you could figure out a way to capture the message id being sent from your server (something like
Message-Id: <41e9c4152f6cb00136543xxxxxx213b5f8fb6e75@xenforo.com>), you'd be perfectly fine.

Yep, I have this planned. Just working out the best way to notify someone that their reply was rejected.
Response via email in my opinion.
 

Chris D

XenForo developer
Staff member
#7
Yeah just sending the conversation ID is nowhere near secure enough.

Presumably the abuse scope is reduced somewhat because a reply will only be added to a conversation if they are a valid recipient of that conversation which means a reply would need to be sent from a user's email address that matches a user in the conversation but that can be very easily spoofed. It wouldn't take much to build a script that would mass mail to all conversations just incrementing the conversation ID each time. The member you're spoofing is going to be a recipient of at least one, in all probability.
 

Jake B.

Well-known member
#8
You could just use the link for the "view conversation" link at the bottom of the message?
Only if they leave the quoted portion intact, though I suppose most people would leave it. I'd also have to make sure that it is actually a conversation and they didn't reply to a watched thread e-mail or something, which could end up being a bit difficult if the board is running multiple languages, or there are route filters in place.

Yeah just sending the conversation ID is nowhere near secure enough.

Presumably the abuse scope is reduced somewhat because a reply will only be added to a conversation if they are a valid recipient of that conversation which means a reply would need to be sent from a user's email address that matches a user in the conversation but that can be very easily spoofed. It wouldn't take much to build a script that would mass mail to all conversations just incrementing the conversation ID each time. The member you're spoofing is going to be a recipient of at least one, in all probability.
Ah yeah, you are right. I'll have to figure something else out. Will have to use something similar to the CSRF token.
 

Digital Doctor

Well-known member
#9
The title should be:
Email replying for Conversations.

EDIT

Potentially interested people in this addon don't use the word piping.
That's a NIX / programming concept.

Nor does anyone use e-mail anymore. It's email.

If people want their threads or resource items to be findable ... they need to consider what search terms people use to get there.

I'll bet no one has ever used the word piping in a search term on Xenforo.com

Previous thread title: Reply to Conversation by E-Mail

Interesting note: searching Xenforo.com with e-mail vs. email yields entirely different stuff. ElasticSearch should have a list of analogous terms ... especially because email vs e-mail is mostly preference.
 

Daniel Hood

Well-known member
#12
Only if they leave the quoted portion intact, though I suppose most people would leave it. I'd also have to make sure that it is actually a conversation and they didn't reply to a watched thread e-mail or something, which could end up being a bit difficult if the board is running multiple languages, or there are route filters in place.
Either way you're assuming the title is left intact, right? And yeah, you definitely have to do checks. That's easier for conversations than threads though.
 

Jake B.

Well-known member
#13
Either way you're assuming the title is left intact, right? And yeah, you definitely have to do checks. That's easier for conversations than threads though.
Maybe a custom SMTP header? I'm not even sure if that is a thing, though. Even if it is, I'm not sure if it would stay intact when you reply to the e-mail.
 

Chris D

XenForo developer
Staff member
#15
You could look into using the user confirmation stuff, e.g. that is the confirmation key that is used to confirm password resets and user registration, etc.

For each recipient of a conversation you could create a confirmation key, and insert it into xf_user_confirmation.

You would just need some way of inserting that key in the email body which would then be scraped by you. Having some way of generating a new confirmation key might be wise too. The tricky thing is they're really only supposed to be used one time so having one that never expires is a bit of a risk, but also having a way to deal with expiry and creating a new one and that being part of the email body is probably not going to work.
 

Daniel Hood

Well-known member
#16
If you could figure out a way to capture the message id being sent from your server (something like
Message-Id: <41e9c4152f6cb00136543xxxxxx213b5f8fb6e75@xenforo.com>), you'd be perfectly fine.
This is likely your best bet if you can get it to work due to the fact that replies have a message references field in the header. You can validate the references and user email together and not rely on the body of the message and quoting at all. Granted headers can still be spoofed but that string's pretty secure.
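
Added example (not code from the add-on or from anyone in this thread): a Python sketch of the check discussed in posts #8 and #16, where each notification carries a Message-ID containing an HMAC over the conversation ID and recipient, and an inbound reply is accepted only if its In-Reply-To/References header holds such an ID issued to the address in From. The secret, domain, user table and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-secret"  # assumption: random per-site key, kept server-side
DOMAIN = "forum.example"             # assumption: placeholder sending domain
USERS = {7: "alice@example.org", 9: "bob@example.org"}  # constructed user_id -> email

def _tag(conv_id, user_id):
    # Binds the token to one conversation AND one recipient.
    msg = f"{conv_id}:{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

def make_message_id(conv_id, user_id):
    """Message-ID to stamp on the notification sent to one recipient."""
    return f"<conv.{conv_id}.{user_id}.{_tag(conv_id, user_id)}@{DOMAIN}>"

_ID_RE = re.compile(r"<conv\.(\d+)\.(\d+)\.([0-9a-f]{32})@" + re.escape(DOMAIN) + ">")

def authenticate_reply(raw):
    """Return (conv_id, user_id) if the reply references a notification that
    was issued to the address in From; otherwise None."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    refs = f"{msg.get('In-Reply-To', '')} {msg.get('References', '')}"
    for conv, user, tag in _ID_RE.findall(refs):
        conv_id, user_id = int(conv), int(user)
        # Constant-time comparison; a guessed or incremented ID fails here.
        if not hmac.compare_digest(tag, _tag(conv_id, user_id)):
            continue
        expected = USERS.get(user_id)
        if expected and expected.lower() == sender:
            return conv_id, user_id
    return None

def build_reply(from_addr, in_reply_to):
    """Constructed sample of an inbound reply, for demonstration only."""
    return (f"From: {from_addr}\nIn-Reply-To: {in_reply_to}\n"
            f"Subject: Re: [CONV#42]\n\nSounds good.\n")
```

The tag here never expires, which is the trade-off raised in post #15; including an issue timestamp in the HMAC input and the Message-ID would let old notifications be rejected.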