Fantastico sucks!
Fantastico is using support@system.com as default email.
For reasons beyond our understanding, Fantastico (one click autoinstaller) decided to cut corners and set the default email to support@system.com during the installation process. The people at system.com are obviously not happy about the "error" because emails to users spoof their email and any replies end up in their inbox.
This morning I woke up to find the following emails in my inbox (CCed).
Quote:
From: "Technical Support" <support@system.com>
To: "*****" <*****@gmail.com>
Cc: <****@enhancesoft.com>,
<****@enhancesoft.com>
Return-Path: support@system.com
X-OriginalArrivalTime: 22 Aug 2009 11:05:56.0201 (UTC) FILETIME=[85A76D90:01CA2318]
This is a multi-part message in MIME format.
------_=_NextPart_001_01CA2318.85184B3E
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Dear ******,
The idiots who wrote osTicket software apparently wrote their software
to send e-mail from a fake (spoofed) e-mail address of
support@system.com. Rather than making the default be blank or empty,
which would have forced you to define something real, they embedded
someone else's valid e-mail address. They are simply idiots.
Unfortunately, they also refuse to take responsibility for this. So it's
up to you to configure your osTicket software, if you are going to use
it, to send e-mail from a valid e-mail address that you own, one at
which you can receive replies and responses from your users.
They are dickheads, but you don't have to be.
|
It's important to point out that osTicket installer asks the user to enter the email manually and nothing is hard coded at all. It is not our fault but the frustration is quite understandable. While I was still trying to absorb the colorful compliments - I received a second dose - an email to another user hit the inbox (CCed).
Quote:
Dear ****,
The idiots who wrote osTicket software apparently wrote their software to send e-mail from a fake (spoofed) e-mail address of support@system.com. Rather than requiring that you specify a valid sender e-mail address, they embedded someone else’s valid e-mail address (support@system.com). They are simply idiots.
Unfortunately, they also refuse to take responsibility for this. So it’s up to you to configure your osTicket software, if you are going to use it, to send e-mail from a valid e-mail address that you own, one at which you can receive replies and responses from your users.
We're sorry about this, but we can't take responsibility for someone else's foolishness and ignorance. We have tried to educate them, but they refuse to listen. They are idiots.
|
We've all done idiotic things - it provides for good lessons and teachable moments - and we own up to security vulnerabilities and bugs all the time, even when embarrassing. I figured I would simply let them (domain admin contact & support address) know the truth and we would both pester Fantastico to fix the issue.
Quote:
Chris,
It looks like someone on your team (see headers below) is responding to users with completely false information. While I do understand the frustration on your end, it's not osTicket's fault that Fantastico (CPanel autoinstaller) uses support@system.com during one click installation. Our installer asks the user for the email - I promise we are not idiots.
|
Moments later I received a response from Chris Summerfield (listed as domain admin on whois info):
Quote:
Peter,
Thanks for your message. Yes, our technical support team has been getting lots of replies from osTickets that are obviously meant for others.
So I have just one question for you. If you did not embed support@system.com as a default sender address in the e-mail that your software generates, how is it that so many of your users “just happen” to be using this address?
It seems highly unlikely to us that your users would just “happen to” specify this address unless you made it a default or “example” in your software. Heh? Would that be idiotic (on your part)?
Chris
|
Huh? Did he actually read the previous email?
Quote:
Chris,
As I mentioned in my previous email - it is an issue with Fantastico, a one click installer for Cpanel. They provide installation services for a bunch of open source software including osTicket. If you don't believe me simply download osTicket code and search for support@system.com or better yet do the installation yourself.
....
For more info about Fantastico see http://en.wikipedia.org/wiki/Fantastico_(web_hosting)
They are the one using your email during one click install. We've pointed out the issue to them already and will attempt to do so again.
|
With the rest of the day ahead, I clearly needed some caffeine. Tea at hand, another email pops up in my inbox (CCed - sent to osTicket user).
Quote:
From: Technical Support <support@system.com>
Subject: Idiots at Enhancesoft
*****,
Thank you for your message. We know it wasn't your fault. The people at "enhancesoft" that wrote the osTicket software appear to have had their brain out of gear when they made "system.com" be a default domain when they construct a reverse-path or "MAIL FROM:" parameter in SMTP.
We have been trying to get them to "undo" this foolishness, cease and desist from the practice, and propagate changes to their users, but so far they won't even admit to having perpetrated this foolishness in the first place. The first step in correcting a problem has to be recognizing and publicly admitting the problem. So far, their egos won't allow them to do this. If they aren't idiots, they're putting on a good act and disguise.
Systemetrics, Inc.
(the "real" system.com people)
|
Head explodes! Wow!
**Update**
The "real" system.com people's response.
Quote:
Thank you for letting us know that you did not, in fact, embed support@system.com into your software, but rather chose to embed a script from Fantastico that does the dirty work for you. If you are going to use or embed in your software a script, a function, an API call or other software from a third party, it is, in our opinion, your responsibility to thoroughly test and understand how that script or other third-party software works if and before you allow it to go out to the world under your name.
It is still your software that is sending e-mail, and it is still your software that is responsible for spoofing the sender in e-mail that goes out under the fine, upstanding, quality (now tarnished) name of osTicket. It is still, after all, somewhat odd that out of all the ten thousand installations and users that Fantastico claims to have, the ONLY ONE IN THE WORLD that is generating spam to support@system.com is osTicket.
A little odd, don’t you think? And you didn’t do anything wrong, and it’s all Fantastico’s fault? I’m sorry, but your excuses have a hollow ring to them.
Instead of making excuses and blaming someone else, why don’t you get busy accepting some guilt and fixing the problem. It’s SOFTWARE, for God’s sake. You can fix it.
|
Seriously. What else to say? No more clue sticks left.
Quote:
|
We did not "choose" to embed a script from Fantastico - they are a 3rd party auto installer. We are not happy about the situation either but we don't control their product. They basically take open source software and bundle them as a package for Cpanel users to auto install (one click). There is nothing for us to fix - apart from pestering them to fix "their" installation process. Seriously.
|
:)
Continued...
Response from Chris.
Quote:
Guys,
If you wrote the code that sends e-mail, you should be able to instrument it to refuse to use any e-mail address that ends in “system.com” (we give you our permission to do this). If Fantastico are the idiots, you may not be able to change what they do, but you should be able to compensate for it. In software, there is always a solution.
Chris
|
So now Chris wants us to retroactively patch code already shipped by a 3rd party?
Quote:
Chris,
As you know anyone can spoof any email address at will - even using an email client. Sure, we could do some kind of patch, maybe, but
1. There's no reason for us to - in normal circumstances this won't be happening. No one sets the email to support@system.com unless they are doing it on purpose. (Yes this is Fantastico fuckup. Period.)
2. There's no guarantee Fantastico would update their install (they are looking into it now), and
3. It does nothing for the hundreds that are already out there - unlike desktop apps there is no auto update mechanism.
I'm not trying to make excuses - I know you guys are rightfully upset but it is/was important to point out the facts.
I will update you as soon as I get a response from Fantastico.
|
We are getting somewhere?? Not really!
Quote:
Thanks for your message. I agree that changing what’s already in the field would take some considerable magic, but my thought is that if you
1. instrument your code for all future distributions to refuse to use any e-mail address ending in “system.com”, then
2. regardless of who sets the e-mail to a “system.com” address (whether it’s because Fantastico did it or a user did it), it will never be used.
This (as you know) is what’s called a work-around, a compensation, a hack, something that despite how kludgy it may seem, works. Why should you screw up your otherwise beautiful code to insert something like this? Answer: Because you have chosen to use some third-party software or utility that is corrupting the functionality of your otherwise beautiful code and you are responsible for whatever third-party code, software or utilities you elect to use, just as much as you are for the code that you write, because the functionality of the combination is going out with your name on it, the “package” is yours, and it is your responsibility to make it work in a responsible way, one way or another, whatever it takes. Either stop using Fantastico and replace it with something else that will perform in a manner you can be proud of, or write a replacement for yourself. Fantastico is certainly not the only game in town and no one is forcing you to use them.
-chris
|
Maybe the problem is understanding how Fantastico works...
Quote:
Chris,
I think the confusion is partly because you seriously don't or refuse to understand how Fantastico works. We didn't ask them to package osTicket - they take open source software (hundreds) and package them for auto-installation via hosting companies. osTicket is available for download on our site, we have no business relationship with them whatsoever.
Obviously, as I mentioned previously, we are not happy with the screw up and we've told them so. Can we tell them to stop packaging osTicket? Not necessarily since osTicket is released under GPL license but it's something we are considering.
|
That helped a little...but remember Chris is always right and the rest of us are idiots by default.
Quote:
|
You are correct, of course, that I don’t understand what Fantastico does or how it works, although now after some explanation I know a bit more. As I understand in any event that you have no control over what Fantastico does, this is why I suggest that, at least, if you have control over your own software, you can instrument it to ignore e-mail addresses in the system.com domain. If you don’t have control over your own software to the extent that you are initiating SMTP send operations, then I’m confused about what part of osTicket you are, after all, responsible for. Is osTicket simply someone else’s bulletin board or forum software with someone else’s e-mail and someone else’s database and someone else’s installation procedure and… what else is there?
|
We are not getting anywhere, fast.
Quote:
I'm glad you now at least understand how Fantastico works and how they got us into this mess. It is also important to know a little about open source software.
Blocking system.com at the code level is doable and we will probably add it for the next release. Although I personally think it's unnecessary. It's the responsibility of the user to configure osTicket or any software for that matter correctly. I'm sure you won't be asking Microsoft to filter domains in outlook or thousands of other help desk applications with email functionality to do the same. Email spoofing is a weakness of SMTP protocol not applications.
That said, if osTicket was a hosted application - then it would be perfectly within our right to block domains. The code is open source and if someone really wanted to use support@system.com they can simply comment the "hack" out. My point is no one wants to use your email - it doesn't make sense to do so at all. If this was the case, as you noted earlier, you will be having problems with all (thousands?) email enabled applications.
|
Chris now fights the logic!
Quote:
You are quite right that we won’t be asking other vendors who have local implementations of SMTP to start blocking the use of “system.com” addresses. And we wouldn’t think it appropriate for you to do it either EXCEPT that beginning a couple of weeks ago we suddenly saw this flood of e-mails being sourced from osTicket that were OBVIOUSLY intended by the osTicket user to be a response to (in most cases) valid support tickets. So there are a couple of characteristics associated with this phenomenon:
· It started suddenly, indicating that someone somewhere changed something in the way that osTicket was working
· It did not appear that either party to the osTicket transaction was aware of or had it in their interest to “misdirect” the e-mail (i.e., it was not “intentional” on the part of either party that the sender address in the osTicket e-mail should be spoofed)
· Most cases appear to be related to “new” osTicket users (plenty of “test” e-mail responses being sent, along with plenty of honest and valid ones).
If I were a new osTicket user, I would expect that the software would BY DEFAULT send e-mail from my own e-mail address, whatever that happened to be, without having to be told what that e-mail address is. Most innocent users are not going to realize that sending an e-mail from osTicket should not work by default the same way that their Outlook or whatever e-mail client works. Most innocent users are completely unaware of how SMTP works under the covers. At least 50% of users don’t even know what SMTP is or what the acronym stands for. E-mail is e-mail and it just works.
In light of these observations, together with the explanation you have provided, it seems most likely to me that Fantastico began “defaulting” the osTicket sender e-mail address to support@system.com, and both parties to the osTicket transaction were unaware of this. So I don’t think that osTicket users are deliberately setting their “sender” e-mail address to support@system.com. They are, in effect, being tricked into it. It’s not their fault. So they need to be forced at execution time to realize that their osTicket software is misconfigured. With an error message. With an e-mail failure. Something.
Beyond assigning blame, we need to be looking at a solution that will work to everyone’s benefit (including to the benefit of the osTicket user who is unaware of the problem).
|
No blame assigning!? work together!? We must be in a different world.
Quote:
Chris,
I totally agree that we need to look for a solution, that has been my goal. To that end, I've contacted Fantastico and they've confirmed that they are looking into the issue.
I was mainly objecting to your initial characterizations as evidenced by the emails you sent to osTicket users. Honestly didn't care much about the insults but it was important to get the facts straight and hence resolve the issue.
Thank you for your time.
|
--- The end ---
*I really really feel sorry for whoever works under Chris.
*To date we haven't received any communication from Fantastico although we opened a trouble ticket and received a confirmation that they "were" looking into the issue. I'm not surprised to say the least.
|
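The thread ends on two concrete requests: refuse any sender address in the system.com domain, and make the misconfiguration visible "with an error message" at send time. The PHP below is an added example of such a check, not osTicket code; the function name `check_sender_address` and the blocklist are hypothetical. It compares on a domain-label boundary, because a literal "ends in system.com" test would also reject unrelated domains such as ecosystem.com.

```php
<?php
// Added example, not osTicket code. Names and blocklist are hypothetical.

/**
 * Return null if $address may be used as the outgoing sender,
 * or an error string explaining why sending must be refused.
 */
function check_sender_address(string $address, array $blockedDomains): ?string
{
    $address = trim($address);
    if ($address === '') {
        // An empty default forces the admin to define something real.
        return 'No sender address configured; set one before sending mail.';
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return "Sender address '$address' is not a valid e-mail address.";
    }
    // The domain is everything after the last "@"; compare case-insensitively.
    $domain = strtolower(substr($address, strrpos($address, '@') + 1));
    foreach ($blockedDomains as $blocked) {
        $suffix = '.' . strtolower($blocked);
        // Match the blocked domain itself, or a subdomain of it.
        $isSubdomain = strlen($domain) > strlen($suffix)
            && substr($domain, -strlen($suffix)) === $suffix;
        if ($domain === strtolower($blocked) || $isSubdomain) {
            return "Sender domain '$domain' is a known misconfigured default; "
                 . 'configure an address you own.';
        }
    }
    return null;
}

// Constructed sample inputs: the address from the thread plus edge cases.
$blocked = ['system.com'];
$samples = ['', 'support@system.com', 'Help@Mail.System.COM',
            'help@ecosystem.com', 'not-an-address', 'helpdesk@example.org'];
foreach ($samples as $sample) {
    $error = check_sender_address($sample, $blocked);
    printf("%-22s %s\n", $sample === '' ? '(empty)' : $sample, $error ?? 'OK');
}
```

Running the check both when the setting is saved and immediately before each send also covers installations whose configuration was written by a third-party installer rather than entered by the admin.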