Evils of client-side SMTP (Re: Modern email library)
benr_mc at cogapp.com
Wed Nov 30 14:00:00 EST 2016
I'm a bit confused, Richard.
FWIW, my long-time use-case is an app that runs unattended on a regular
schedule on a faceless VM, doing a whole bunch of data processing and updating
databases, and sends alerts by email if something goes wrong. When the app is
installed, it has to be set up with server, account, credentials etc in order
to be able to send those emails; the details of the emails are configured by
scripts (not LiveCode scripts, XML configs) which are checksummed and won't be
run if modified. The tool I'm working on now will also be running unattended
on a schedule, but in this case the emails, rather than being confirmation
that it has done its work are the point of the work; it's going to generate
reports and distribute them to colleagues.
You seem to be making two points: that an app which can send emails without
human intervention will inevitably given enough time become a spambot; and
that users should be able to review an email in their mail client before it is
Obviously in the cases mentioned above the latter isn't an option.
In relation to the spambot concern, I don't understand how having a sendmail
script on a server adds security (it certainly adds another point of failure,
which is one reason I'd rather not do it). But as far as I can see it also
adds another vector for hijacking. I would think it's a great deal easier to
hack a script on a server on the internet, than it is an app running on a
local network. But if the app uses an external script, then the attacker can
get the same effect by hacking either, so they have the choice!
In relation to an email being sent without being reviewed by the user, is your
concern that the email will contain the user's private data? or that it will
be used to impersonate the user? To be honest I don't get it in either case.
An app exfiltrating data from the user's machine has many options, and can do
so at least as easily by posting to... err... a script on a server.
As for impersonating the user (of course setting the envelope sender can be
done anyhow anyway, so I assume this would be about more convincingly
impersonating the user by sending through their regular server): since sending
an email requires the cooperation of an SMTP server, of which I don't imagine
there are any open ones remaining, any such app will either require the
developer to bake in the details of an account they control, or to ask the
user to enter those details. Exactly the same applies to using a sendmail
script on a server. So either it's nothing to do with the user's email; or the
app has had to ask the user to enter their email account details, and they
presumably understand at that time why their doing it.
I can see why, as a user, you might be uncomfortable about giving your email
account details to an app so that it can send emails in your name, invisibly
and unreviewed by you. Quite right too! And if you're developing software for
consumers, you need to take that into account. But I don't understand why as a
developer who knows why you want the feature you'd be uncomfortable (except
from a marketing perspective, as per the start of this para).
Can you explain your concern further?
On 30/11/2016 17:49, Richard Gaskin wrote:
> There are many. But hopefully they're an explicit decision by the user, and
> require the user to supply their own SMTP credentials.
> Bob Sneidar wrote:
>> I can provide you with scenarios where client side SMTP is a must.
>> On 30/11/2016 16:42, Richard Gaskin wrote:
>>> Personally, I've never been comfortable relying on client-side SMTP. I figure
>>> that any device configured to allow any app to send arbitrary emails without
>>> explicit user intervention will eventually become a spambot, so my hope is
>>> that it's only a matter of time before the OS provider puts an end to that.
>>> For most systems I prefer to use the "mailto:" protocol to open a message in
>>> the user's own email client, so they can review it and decide whether they
>>> actually want to send it.
More information about the Use-livecode