1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Add-on [AD] E-Mail Piping

Discussion in 'Resource and Add-on Discussions' started by Jake B., Mar 20, 2015.

  1. Jake B.

    Jake B. Well-Known Member

    Hi all,

    Audentio Design is currently in the process of developing an e-mail piping add-on similar to the one @Chris D had planned here, and we are looking for suggestions.

    Current planned features:
    • Replying to conversations
    • Some sort of API for other developers to hook into so they can extend it to work with their Add-ons
    Please feel free to reply with any ideas you may have.


    Jake B.
    Last edited: Mar 20, 2015
  2. Jake B.

    Jake B. Well-Known Member

    Just an udpate, this is almost done now. I plan on opening a beta sometime in the near future after a couple minor issues are fixed
  3. Daniel Hood

    Daniel Hood Well-Known Member

    Out of curiousity, how are you authenticating the source? I considered doing this is the past but decided against it due to security reasons. Basically, pretending that XenForo had this set up, what would prevent me from knowing your email and sending an email to contact@xenforo.com with headers saying it's from you?

    I love the concept of this add-on, so I don't mean to come across as negative or like I'm trying to kill it. Just concerned about members catching on that they can reply on eachother's behalf.
    Jake B. likes this.
  4. Chris D

    Chris D XenForo Developer Staff Member

    Also, spam and flood checking would be a key thing to get right also.
    Jake B. and Daniel Hood like this.
  5. Jake B.

    Jake B. Well-Known Member

    Since this will only, by default, be supporting conversations, you would also need to know the Conversation ID. Though, I'm not quite sure what else I could do to remedy this :\. Perhaps some sort of Unique E-Mail identifier for each user that is sent with the e-mail that notifies you of the reply/new conversation. Right now all I'm doing is adding [CONV#X] to the beginning of the subject and then matching it to the conversation ID with a regular expression. Could probably do something along the lines of [CONV#X-Y] Where Y is some unique identifier for that user that is not displayed anywhere to members, but even that isn't secure. If anyone has any great ideas for this, I'm definitely open to them.

    Yep, I have this planned. Just working out the best way to notify someone that their reply was rejected.


  6. Daniel Hood

    Daniel Hood Well-Known Member

    You could just use the link for the "view conversation" link at the bottom of the message?

    If you could figure out a way to capture the message id being sent from your server (something like
    Message-Id: <41e9c4152f6cb00136543 xxxxxx213b5f8fb6e75 @x enforo.com>), you'd be perfectly fine.

    Response via email in my opinion.
  7. Chris D

    Chris D XenForo Developer Staff Member

    Yeah just sending the conversation ID is nowhere near secure enough.

    Presumably the abuse scope is reduced somewhat because a reply will only be added to a conversation if they are a valid recipient of that conversation which means a reply would need to be sent from a user's email address that matches a user in the conversation but that can be very easily spoofed. It wouldn't take much to build a script that would mass mail to all conversations just incrementing the conversation ID each time. The member you're spoofing is going to be a recipient of at least one, in all probability.
    Jake B. and Daniel Hood like this.
  8. Jake B.

    Jake B. Well-Known Member

    Only if they leave the quoted portion in tact, though I suppose most people would leave it. I'd also have to make sure that it is actually a conversation and they didn't reply to a watched thread e-mail or something, which could end up being a bit difficult if the board is running multiple languages, or there are route filters in place.

    Ah yeah, you are right. I'll have to figure something else out. Will have to use something similar to the CSRF token.
  9. Digital Doctor

    Digital Doctor Well-Known Member

    The title should be:
    Email replying for Conversations.


    Potentially interested people in this addon dont use the word piping.
    That's a NIX / programming concept.

    Nor does anyone use e-mail anymore. it's email.

    If people want their threads or resource items to be findable ... they need to consider what search terms people use get there.

    I'll bet no one has ever used the word piping in a search term on Xenforo.com

    Previous thread title: Reply to Conversation by E-Mail

    Interesting note: searching Xenforo.com with e-mail vs. email yields entirely different stuff. ElasticSearch should have a list of analogous terms ... especially because email vs e-mail is mostly preference.
    Last edited: Mar 20, 2015
    tajhay likes this.
  10. Daniel Hood

    Daniel Hood Well-Known Member

    The title is absolutely fine, they're piping emails.
    Jake B. likes this.
  11. Jake B.

    Jake B. Well-Known Member

    How do you figure? It can be used for much more than that. Anyone can extend it to work with whatever they want.
  12. Daniel Hood

    Daniel Hood Well-Known Member

    Either way you're assuming the title is left intact right? And yeah you definetely have to do checks. That's easier for conversations than threads though.
  13. Jake B.

    Jake B. Well-Known Member

    Maybe a custom SMTP header? I'm not even sure if that is a thing, though. Even if it is, I'm not sure if it would stay intact when you reply to the e-mail.
  14. Daniel Hood

    Daniel Hood Well-Known Member

    It wouldn't. There's some logistics to figure out for sure but good idea for an add on. I'll brainstorm some ways to maybe help with the problem.
    Steve F likes this.
  15. Chris D

    Chris D XenForo Developer Staff Member

    You could look into using the user confirmation stuff, e.g. that is the confirmation key that is used to confirm password resets and user registration, etc.

    For each recipient of a conversation you could create a confirmation key, and insert it into xf_user_confirmation.

    You would just need some way of inserting that key in the email body which would then be scraped by you. Having some way of generating a new confirmation key might be wise too. The tricky thing is they're really only supposed to be used one time so having one that never expires is a bit of a risk, but also having a way to deal with expiry and creating a new one and that being part of the email body is probably not going to work.
  16. Daniel Hood

    Daniel Hood Well-Known Member

    This is likely your best bet if you can get it to work due to the fact that replies have a message references field in the header. You can validate the references and user email together and not rely on the body of the message and quoting at all. Granted headers can still be spoofed but that strings pretty secure.

Share This Page