Reply to notification emails can result in privacy leak

localguru · September 27, 2018, 7:15am

Hii,

Is your feature request related to a problem? Please describe.

If direct email feature isn’t enabled, all replies to notification e-mails are sent to the global set e-mail From_Email address:

packages/rocketchat-lib/server/functions/notifications/email.js

        // using user full-name/channel name in from address
        if (room.t === 'd') {
                email.from = `${ String(message.u.name).replace(/@/g, '%40').replace(/[<>,]/g, '') } <${ RocketChat.settings.get('From_Email') }>`;
        } else {
                email.from = `${ String(room.name).replace(/@/g, '%40').replace(/[<>,]/g, '') } <${ RocketChat.settings.get('From_Email') }>`;
        }
        // If direct reply enabled, email content with headers

Because the real name of the user is placed before the global e-mail address, many of my users reply to these e-mails and think the reply goes back to the sender.

As a result, this is confusing and, in my opinion, also a privacy issue because private e-mails are sent to the global e-mail address.

There is also the danger that e-mail clients such as Thunderbird, Outlook etc. will automatically collect this incorrect e-mail address consisting of the user’s right name and “incorrect” <From_Email> in their address book.

Describe the solution you’d like

There are several solutions to this problem:

a) The sender e-mail address for notifications can be configured separately, e.g. noreply@yourdomain.de and the real name of the user is not placed in front of the e-mail address, but e.g. No-Reply. As a result: No-Reply <noreply@yourdomain.de>. For most users it would be clear that the answer will not be sent to the sender. Should a user reply to noreply@ nevertheless, an autoresponder could send an answer with a corresponding hint.

b) A Reply-To header is set, which contains the e-mail address of the user. However, this does not solve the automatic collection of incorrect e-mail addresses in the recipient’s address book.

c) The sender’s real name and the e-mail address corresponds to the e-mail address of the user.

I think option c) would be the best solution to the problem.

see also: https://github.com/RocketChat/Rocket.Chat/issues/12176

Cheers
Marcus

Topic		Replies	Views
You have been direct messages by (…) email when offline Community Support	2	609	June 24, 2022
Push notifications and GDPR Community Support	9	3771	March 30, 2022
Offline messages - wrong sender email Community Support	0	632	June 4, 2020
Can we customize the email notification template for the direct messages? Community Support	3	953	July 23, 2021
Email Notifications but changing who it is sent from and templates Community Support	0	431	July 8, 2021

Join our Community Open Call tomorrow where we'll share more details regarding recent changes and answer questions about updating your workspace to the latest Rocket.Chat

Reply to notification emails can result in privacy leak

Related Topics