Hello,
It seems that K-9 is affected by the Mailsploit bug (https://mailsploit.com)
Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.
You have been mentioned in the list of affected vendors.
Regards,
Sabri
pwnsdx
All 8 comments
Thanks for the report.
cketti
on 5 Dec 2017
I could not reproduce this issue (on K9mail material with the same code base) - all 14 E-mails did not show [email protected] when tapping on the colored and labeled sender button (which gets created by parsing the FROM-field). See the following video:
https://s1.gifyu.com/images/mailsploit_k9mail_bug.gif
When tapping "answer" to these E-mails, the E-mail-address inside REPLY-TO ([email protected]), and not the address in FROM was used; but that's a known bug/feature and should not be fixed.
conrad-heimbold
on 5 Dec 2017
Different addresses in the FROM and REPLY-TO is indeed an email feature, that is used by mailing lists for instance.
ArchangeGabriel
on 5 Dec 2017
The text you see next to the sender's colored button is (almost) never the e-mail-address of the sender - it is the name of the sender. Only if the sender did not specify any name, the e-mail address gets used.
Example:
e-mail address: john.[email protected]
name: John Doe
If somebody writes "[email protected]" as the senders name, it might appear as if the E-mail is coming from the whitehouse - but this is perfectly normal and should not be considered a bug, IMHO.
conrad-heimbold
on 6 Dec 2017
Therefore I would vote for CLOSING this bug.
conrad-heimbold
on 6 Dec 2017
This is the wrong place to discuss K-9 Mail forks. Please take that to the appropriate issue trackers.
This is also not Twitter. If you believe you can contribute something to the issue think about what you want to say and put it all into one comment.
The issue is that newlines hide the rest of the address. It is true that the display name could be an unrelated email address and we'll simply display that. But that's also something that needs fixing instead of telling users they should ignore what we're displaying in the main view. Having to click somewhere to get reliable information about the sender is not nice UX.
cketti
on 6 Dec 2017
A reasonable solution might be:
- Remove newline characters
- If the display name "looks like" an email address and we are showing that instead of the name from the contacts, just show the email address instead.
For 'looks like' we can probably just say 'Does it have an @ sign" - we don't have to be too nice about it because the failure case is 'see the email that it's being sent from' which is not that bad a UX.
philipwhiuk
on 24 Dec 2017
Yeah, I agree. Also the @ sign was once made as a symbol, which is not in a name. So it is unlikely that a "real" sender adds it to it's the name.
rugk
on 24 Dec 2017
Related issues
jimimaseye
路
3Comments
SpatMan05
路
3Comments
D0ve
路
3Comments
BerndErnst
路
3Comments
Agno94
路
3Comments
Most helpful comment
This is the wrong place to discuss K-9 Mail forks. Please take that to the appropriate issue trackers.
This is also not Twitter. If you believe you can contribute something to the issue think about what you want to say and put it all into one comment.
The issue is that newlines hide the rest of the address. It is true that the display name could be an unrelated email address and we'll simply display that. But that's also something that needs fixing instead of telling users they should ignore what we're displaying in the main view. Having to click somewhere to get reliable information about the sender is not nice UX.