Several more security issues opened

From: "Justin John justin@PROTECTED [Dada Mail Developers]" <dadadev@PROTECTED>
Subject: Several more security issues opened
Date: September 6th 2021
Howdy everyone, how’s v11.15.0 working for everyone? 

While finishing up work on getting the GET requests found in email messages - things like confirming your subscriptions, it dawned on me that Dada Mail has no checks for other GET requests, that should be POSTs. 

Here’s a scenario: you want to log into your mailing list, so you fill out the password in the login form. Works a peach. The login form uses a POST request, as it’s sending pretty sensitive information through the pipes (your password), but there’s no check to make sure it’s not a GET request. If it is, things will still work, but there’s a good chance that your password is then stored in the web server logs, which could then be viewed by someone else. 

That’s a pretty low chance that that’ll happen, but it is a chance. 

Here’s another scenario: the subscription form currently allows POST and GET requests. I’ve been working with some clients who have had their subscription forms hit hard by multiple attempts to subscribe by bots. This attack is a whole lot easier when the form can be submitted by a GET request, instead of specifically a POST request. 

This is exacerbated by a bug in the Google reCAPTCHA v2 check. One of the error statuses Google reCAPTCHA v2 can give back is “hey, you’ve already tried this Google reCAPTCHA before”. When an error code like this is sent to Dada Mail, Dada Mail thinks there’s something wrong with the reCAPTCHA service, and lets the reCAPTCHA return a successful result, rather than a failure. That sets up a problem, where you can remove the reCAPTCHA v2 protection, by just sending the same reCAPTCHA challenge/response string again and again. 

This isn’t easy to set up to make work - but it’s not impossible, and if you set it up, you can totally override the reCAPTCHA v2 protection in a very automated way. I’ve been able to confirm that this is an actual problem in the wild (since I know how to set this all up!). 

The fix for this is simple: 

Or, you can switch to reCAPTCHA v3 (although: sigh, there’s another bug out for that): 

Here are the other issues out for the, “should only be POSTs that are accepted, not POST and GETs” main issue. Are there any others people can think of? 
I’ll push out v11.15.1 soon, 


Justin J: Lead Dadaist
email:    justin@PROTECTED
twitter:  @dadamail
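The two checks the post above argues for, as an added example written for this thread rather than code taken from Dada Mail: sensitive forms are accepted only as POST, so a password never sits in the request line that web servers write to their access logs, and a reCAPTCHA v2 siteverify error is treated as a failure rather than a pass. The request dict, form names, URL paths and the in-memory replay cache are assumptions for illustration; the `success` / `error-codes` fields follow the shape of Google's siteverify JSON.

```python
"""Added example for the Dada Mail thread (not Dada Mail's own code):

  1. POST-only enforcement for forms that carry a password or create state,
     so the query string a web server logs never contains the secret;
  2. fail-closed handling of reCAPTCHA v2 siteverify results, so an error
     such as "token already used" is a failure, not a service hiccup.

Form names, paths and the replay cache are assumptions for illustration.
"""
import json
from urllib.parse import parse_qs

# Forms that must arrive as POST (assumed names standing in for login/subscribe).
POST_ONLY_FORMS = {"login", "subscribe"}


def access_log_line(request):
    """The request line a combined-format access log records: the path and
    query string are written to the log, a POST body is not."""
    target = request["path"]
    if request.get("query"):
        target += "?" + request["query"]
    return f'{request["method"]} {target} HTTP/1.1'


def parse_form(request):
    """Return (ok, reason, fields) for a constructed request dict with keys
    method, path, query, body. A POST-only form sent as GET is refused before
    its query string is even parsed, so a password in the URL is never used."""
    form = request["path"].rstrip("/").rsplit("/", 1)[-1]
    method = request["method"].upper()
    if method not in ("GET", "POST"):
        return False, f"{form}: method {method} not allowed", {}
    if form in POST_ONLY_FORMS and method != "POST":
        return False, f"{form}: method {method} not allowed, use POST", {}
    source = request.get("body", "") if method == "POST" else request.get("query", "")
    fields = parse_qs(source, keep_blank_values=True)
    return True, "ok", {k: v[0] for k, v in fields.items()}


def captcha_passed_lenient(raw):
    """Reconstruction of the behaviour the post describes (not the real code):
    any error from siteverify is read as "the service is broken" and the
    check is waved through, so a replayed token keeps passing."""
    try:
        data = json.loads(raw)
    except ValueError:
        return True
    return bool(data.get("success")) or bool(data.get("error-codes"))


def captcha_passed_strict(raw, token, seen_tokens):
    """Fail closed: pass only on an explicit success, and refuse a token this
    server has already accepted. `seen_tokens` is an in-memory set here (an
    assumption); a real deployment would use shared storage with expiry."""
    if token in seen_tokens:
        return False, "replayed-token"
    try:
        data = json.loads(raw)
    except ValueError:
        return False, "unparseable-response"
    if data.get("success") is True:
        seen_tokens.add(token)
        return True, "ok"
    # e.g. "timeout-or-duplicate": the token is stale or was already verified
    codes = data.get("error-codes") or ["no-error-code"]
    return False, ",".join(codes)


if __name__ == "__main__":
    # Constructed sample: a login attempted by GET leaks the password into the log line.
    req = {"method": "GET", "path": "/cgi-bin/list/login",
           "query": "list=demo&password=hunter2", "body": ""}
    print(access_log_line(req))
    print(parse_form(req))
    # Constructed siteverify reply for a reused token.
    replay = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})
    print(captcha_passed_lenient(replay), captcha_passed_strict(replay, "tok", set()))
```

Subscription-confirmation links from email still work because `confirm` is not in `POST_ONLY_FORMS`; only the forms that carry a password or create a subscription are restricted.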

Dada Mail Announcements: 

  • This mailing list is a public mailing list - anyone may join or leave, at any time.
  • This mailing list is a group discussion list (unmoderated)
  • Start a new thread, email:

This mailing list is to discuss the nerdy programming development of Dada Mail -

If you are just looking for support Dada Mail, consult the message boards at:

To post to this list, send a message to:

All subscribers of this list may post to the list itself.

Some on topic... topics include:

  • Positive Crits on the program (I like, "x", but, "y" needs some work - here's an idea on how to make this better...)
  • Bug/Error reports
  • Bug fixes
  • Request For Comments on any changes to the program
  • Help customizing Dada Mail for your own internal needs
  • Patches
  • Language Translations
  • Support Documentation/Doc editing, FAQ's, etc.
  • Discussion of any changes that you would like to be committed to the next version of Dada Mail -

At the moment, there aren't many people with CVS access for Dada Mail - if you would like CVS access, please first talk about the changes you propose and how they will affect the program. If the idea is sound and agreed upon, the change will be committed. A good track record of this will allow you to have CVS access. Some reasons that patches will not be accepted are if the patch breaks compatibility with a previous version of the program, the patch is too centric to your own problem, or the patch simply isn't very good.

Please, please please familiarize yourself with the documentation at:

Since no one wants to answer the same question twice.

Another sneaky reason for this mailing list is to test out the discussion list capabilities of Dada Mail, since Dada Mail is used for the mailing list itself.

NOTE - because of this, there may be times that this list will be somewhat broken. Although we're not planning on breaking the program by using it, we're giving you the heads up that this may well happen anyways.

Privacy Policy:

This Privacy Policy is for this mailing list, and this mailing list only.

Email addresses collected through this mailing list are used explicitly to work within this email discussion list.

We only collect email addresses through our Closed-Loop Opt-In system.

We don't use your email address for any other purpose.

We won't be sharing your email address with any other entity.

Unsubscription can be done at any time. Please contact us at: for any help regarding your subscription, including removal from the mailing list.

All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.

All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.