Rastislav ₡ORE
WhiteHat report: Cloudflare Email worker

Email Workers and email routing silently drop valid emails.

Email routing rules and Email Workers skip recipient addresses that carry a plus-addressing tag (sub-addressing, user+tag@domain). A message to such an address is never handed to the route or to the worker, so the service fails to process it, and no error or notification is produced.

Steps to reproduce

  1. Create an email route whose action is an Email Worker, and have the worker log the recipient, e.g. console.log(event.to).
  2. Enable the Email Worker on an address in the dashboard, e.g. user@sld.email, so that mail to it is processed by the worker.
  3. Send a message to the same mailbox with a plus-addressing tag, e.g. user+info@sld.email.
  4. The message is not captured at all, and the worker does not run.

Impact

The impact is high because correctly addressed emails are lost.
Every case observed so far that involves event.to is affected; there may be more.
Valid emails are dropped inside the Cloudflare system.
With the catch-all set to none or drop, those valid emails are lost without trace.

Environment

Please set the catch-all to drop and create a custom address recipient@cloudflare.com or test@cloudflare.com. Those addresses should then run the worker. On my end, I am facing issues with "plus" addresses such as recipient+123@cloudflare.com and test+123@cloudflare.com.
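As an added example, not code from the original report or from Cloudflare, the following Email Worker shows one way to stop plus-addressed mail from being silently lost under the behaviour described in the reproduction steps and the environment above: bind the worker as the zone's catch-all destination instead of "drop", so every address on the zone reaches a worker, and let the worker canonicalise user+tag@domain to user@domain before deciding whether to forward or reject. The handler uses the module-syntax Email Workers API (message.to, message.from, message.forward(), message.setReject()); the known-address set, the forwarding destination and the fake message used by the offline harness are constructed for the example.

```javascript
// Added example, not from the report or Cloudflare. An Email Worker intended to
// be bound as the zone's catch-all destination (instead of "drop"), so that a
// plus-addressed message such as recipient+123@cloudflare.com still reaches a
// worker. The worker canonicalises the recipient, then forwards or rejects.
// Assumed: module-syntax Email Workers API (message.to, message.from,
// message.forward(), message.setReject()). Addresses below are constructed.

// Constructed from the report's environment section: the base mailboxes that
// exist as custom addresses. In production this could come from env or KV.
const KNOWN_ADDRESSES = new Set(["recipient@cloudflare.com", "test@cloudflare.com"]);
// Constructed: must be a destination address verified in the dashboard.
const FORWARD_TO = "inbox@example.net";

// Parse "local+tag@domain". Only the first "+" in the local part starts the
// tag, so "a+b+c@d" has base "a" and tag "b+c". Returns null when malformed.
function parseRecipient(address) {
  const at = address.lastIndexOf("@");
  if (at <= 0 || at === address.length - 1) return null; // no "@", empty local or empty domain
  const local = address.slice(0, at);
  const domain = address.slice(at + 1).toLowerCase();
  const plus = local.indexOf("+");
  const base = (plus === -1 ? local : local.slice(0, plus)).toLowerCase();
  const tag = plus === -1 ? "" : local.slice(plus + 1);
  if (base === "") return null; // "+tag@domain" names no mailbox
  return { base, tag, domain, canonical: `${base}@${domain}` };
}

// Routing policy: forward when the canonical address is a known mailbox,
// reject otherwise. The returned object is what the handler acts on and logs.
function routeDecision(to, known = KNOWN_ADDRESSES) {
  const parsed = parseRecipient(to);
  if (parsed === null) return { action: "reject", reason: "malformed recipient" };
  if (!known.has(parsed.canonical)) return { action: "reject", reason: "unknown mailbox" };
  return { action: "forward", canonical: parsed.canonical, tag: parsed.tag };
}

// The worker object. In the deployed script this is `export default worker;`
// (left out here so the same file also runs under plain Node for the harness).
const worker = {
  async email(message, env, ctx) {
    const decision = routeDecision(message.to);
    // One structured log line per message; read it with `wrangler tail`.
    console.log(JSON.stringify({ from: message.from, to: message.to, ...decision }));
    if (decision.action === "forward") {
      await message.forward(FORWARD_TO);
    } else {
      // The sender gets a rejection with a reason instead of the silent loss
      // the report describes.
      message.setReject(decision.reason);
    }
  },
};

// Offline harness: a constructed message object that records what the handler
// would have done, so the policy can be exercised without deploying.
async function simulate(to) {
  const actions = [];
  const fakeMessage = {
    from: "sender@example.org", // constructed
    to,
    forward: async (rcpt) => { actions.push(`forward:${rcpt}`); },
    setReject: (reason) => { actions.push(`reject:${reason}`); },
  };
  await worker.email(fakeMessage, {}, {});
  return actions;
}

// Example run: the plus address from the report is forwarded, an unknown one is rejected.
simulate("recipient+123@cloudflare.com").then((a) => console.log(a));
simulate("nobody+1@cloudflare.com").then((a) => console.log(a));
```

The worker itself cannot make a route fire for an address the routing layer never matches; the point of the catch-all binding is that the routing decision moves into code you control, where the plus tag is just data. The unknown-mailbox branch rejects rather than forwards so that a catch-all bound worker does not turn every typo into delivered mail.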

Rationale

Certain important communications may be excluded by this filtering, which can harm the operational efficiency of Cloudflare's customers. A malicious party may blame the loss on a spam filter, thereby influencing the customer's business logic. With a catch-all address in use, the system may be exposed to DoS or the customer may lose funds.

Classification

CWE-840: Business Logic Errors

Reference

Originally posted as HackerOne report #1988088.

Result

Informative
