Email sent by wrong user

swithun · March 1, 2023, 3:27pm

Hello

I’m the admin for an instance of OMP (3.3.0.5). It has been running for a couple of years now without much problem. But today I was asked to look into why the February summary of editorial activity email was sent to the main editor with the From address being the address of a regular user (who has Author and External Reviewer roles), rather than the default envelope sender.

This hasn’t happened before. There haven’t been any changes to the system that I know of.

Do you have any idea how this could have happened? In this case there wasn’t really a data breach, but we might not be so lucky next time.

Thanks.

Swithun.

rcgillis · March 2, 2023, 12:24am

Hi @swithun,

Hmm… that seems odd. The only thing that immediately springs to mind is that that user might be designated as the primary contact in Journal Settings (but that seems unlikely…). What did the editorial activity summary look like or contain?

-Roger
PKP Team

swithun · March 2, 2023, 11:04am

Thanks for replying. Yes, it is pretty odd. The email contained this:

XXXX,

Your press health report for February, 2023 is now available. Your key stats for this month are below.

New submissions this month: 4
Declined submissions this month: 1
Accepted submissions this month: 5
Total submissions in the system: 141

Login to the the press to view more detailed editorial trends and published article stats. A full copy of this month’s editorial trends is attached.

I’ve anonymized the name and links, but they were legit, as was the editorial-report.csv which was attached.

The principal and technical support contacts are what they should be. I’ll see if the recipient still has the email, and if they can get the header information, in case I can spot anything odd. I can see in the exim4 log on the server that the email was sent, but it doesn’t record the From address.

Swithun.

swithun · March 2, 2023, 1:06pm

Just to say, I’ve seen the message headers now, and while the From address was wrong, the Reply-To one was correct.

In the config for the site, we have:

allow_envelope_sender = On
default_envelope_sender = email@example.com
force_default_envelope_sender = On

That said, the value for the default_envelope_sender isn’t the same as the principal contact, and it is the principal contact address which gets used as the From/Reply-To address.

I can’t rule out user error, but if you can point me in roughly the right direction I can look through the source code. I know PHP well, but OMP is quite a haystack.

Thanks.

rcgillis · March 2, 2023, 6:58pm

Hi @swithun,

Thanks for elaborating. In case you haven’t seen it, our docs may provide some information on the email settings:https://docs.pkp.sfu.ca/admin-guide/en/email

I’m not an expert in these settings and/if you might need to modify the code (the general approach is to avoid this if you can help it), but I’m paging my colleague @jnugent here, who might be able to provide some advice.

Roger
PKP Team

jnugent · March 2, 2023, 7:29pm

Hi everyone,

So the force_default_envelope_sender setting will put the default_envelope_sender in the From: field. The other settings that are missing from this discussion are the DMARC ones:

force_dmarc_compliant_from can be set to On
and
dmarc_compliant_from_displayname which contains a string to use as the replacement.

It’s the force_dmarc_compliant_from setting that does the heavy lifting here. It’s the setting that puts the envelope sender in the From field and then the actual person’s address in the Reply-To header.

If you’re using the force.... headers then nothing you put in the primary contact field will end up in an email. That’d be a code modification and all of that code lives in the Mail.inc.php class, and starts here:

github.com

pkp/pkp-lib/blob/stable-3_3_0/classes/mail/Mail.inc.php#L533


      
          		}
          		$mailer->CharSet = Config::getVar('i18n', 'client_charset');
          		if (($t = $this->getContentType()) != null) $mailer->ContentType = $t;
          		$mailer->XMailer = 'Public Knowledge Project Suite v3';
          		$mailer->WordWrap = MAIL_WRAP;
          		foreach ((array) $this->getHeaders() as $header) {
          			$mailer->AddCustomHeader($header['key'], $mailer->SecureHeader($header['content']));
          		}
          		$request = Application::get()->getRequest();
          		if (($f = $this->getFrom()) != null) {
          			if (Config::getVar('email', 'force_default_envelope_sender') && Config::getVar('email', 'default_envelope_sender') && Config::getVar('email', 'force_dmarc_compliant_from')) {
          				/* If a DMARC compliant RFC5322.From was requested we need to promote the original RFC5322.From into a Reply-to header
          				 * and then munge the RFC5322.From */
          				$alreadyExists = false;
          				foreach ((array) $this->getReplyTo() as $r) {
          					if ($r['email'] === $f['email']) {
          						$alreadyExists = true;
          					}
          				}
          				if (!$alreadyExists) {
          					$mailer->AddReplyTo($f['email'], $f['name']);

Best
Jason

asmecher · March 2, 2023, 9:56pm

Hi all,

This issue is already fixed in more recent releases:

github.com/pkp/pkp-lib

Editorial Activity email is sometimes attributed to a regular user

opened 06:40AM - 01 Apr 21 UTC

closed 04:32PM - 15 Jul 21 UTC

aukondk

Bug:1:Low

**Describe the bug** Sometimes the Editorial Activity email is attributed to a …regular user (presumably the user who loaded the page that triggered the scheduled task). The signature is that of the primary contact but the name in the header is the user. **To Reproduce** Don't know how to reproduce but it has happened twice now. January and March this year. **What application are you using?** OJS version 3.2.1.0 **Additional information** Also had an issue where the report for February was sent twice. Once on the 1st March and the second on 29th March. The 29th date suggests something to do with leap years(?)

Regards,
Alec Smecher
Public Knowledge Project Team

swithun · March 3, 2023, 9:35am

Hello

Ah, I wish I’d found that bug report. That’s exactly it. Thank you all.

Marked as solved.

Swithun.

rcgillis · March 13, 2023, 11:00am

This topic was automatically closed after 10 days. New replies are no longer allowed.