Bug 50532 - Mail protection
Summary: Mail protection
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_mbox (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-30 05:26 UTC by Brad Revolver
Modified: 2010-12-31 08:05 UTC (History)
1 user (show)


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brad Revolver 2010-12-30 05:26:05 UTC 
Mail archive HTML page is generated by mod_mbox. This module must try hide the full email address of people in messages. But as you can see below links, it doesn't always work. 

http://mail-archives.apache.org/mod_mbox/httpd-users/200608.mbox/%3C8d423b320608160950l4ab345b1p74d76c62fe4aa42f@mail.gmail.com%3E


http://mail-archives.apache.org/mod_mbox/tomcat-users/201012.mbox/%3CAANLkTikxhDGOQZv+CDQ2hsMwQKzBAyD4wFoyv=jGJ5T4@mail.gmail.com%3E
Comment 1 William A. Rowe Jr. 2010-12-30 12:37:12 UTC 
This is because of two entirely different concepts you would benefit from
understanding.  Mail headers are well understood and easily modified without 
damage to the content of the message, and mod_mbox modifies these values.

Mail body content is not defined, and may contain semantic information relevant 
to understanding the message.  E.g. if you had java source with annotations,
or character or line number offsets of a file, or other non-email information, 
would you prefer that the semantic value of these messages were obliterated?  
What about in attachments?

My inclination is to close this as being unrealistic, but if a more serious
proposal with specific definitions were offered, they could be discussed.
Note that this will not conceal email addresses, however, since unfiltered
mail archives are available.
Comment 2 Nick Kew 2010-12-30 14:07:25 UTC 
It's actually a good suggestion.  Sure, we can't reliably parse addresses in free text, any more than other agents from desktop tools to spambots.  But we can point a regexp at low-hanging fruit.

I'll have a think about how greedy a regexp to throw at it.
Comment 3 James Kaan Atabey 2010-12-31 08:05:00 UTC 
I agree with Nick that it is the point. 

That Apache Mail Archive can at least put under protection these names as abcxxxxxxx@noway.com.

Besides preventing so much problems (such as security, spam) from occurring, I also think that it is important for the Apache's own reputation. Because those messages are taken and parsed right away by so many 3rd. parties. Even some of those 3rd parties are reliable, we are not sure about all of them. 

I am pretty sure that there are so many spam/security victims which are waiting to hear that this problem has been fixed.