[Edbrowse-dev] Blacklist Bug

[Karl Dahlke <eklhad@comcast.net>]

I have been chasing down a bug for several weeks -
weeks because it is very random and very rare.
It caused my mail client to blow up the minute I made the pop3 connection.
curl does the connecting, so I had to think it was doing it right.
The bug was probably mine.
I must have set the stage for failure somewhere during initialization.

The problem is, it only failed one time in 200, statistically.
So I had to fetch mail 200 times to see the error, on average.
Sometimes more.
I'm sure comcast would shut me down if I hammered on their server
over and over again.
They'd think I was a windows computer, possessed by a virus.
So I used my own mail server installed on my machine.
I could hit that hundreds of times to get the program to blow up once.

It didn't blow up however if I skipped reading the .ebrc config file.
readConfig() is a rather ugly and uncommented 500 line subroutine;
perhaps it was corrupting the heap and then curl stepped on the landmine.
I painfully read through that routine, twice, and could see nothing wrong.
More tests and more tests.
Finally I discovered the problem is in loadBlacklist().
That wasn't called if I didn't specify a blacklist file
because I didn't read the config file.
My blacklist file is empty, but no matter,
I still try to parse it, and I didn't put a \0 on the end,
so I suppose the computer just read on and on until it found a 0 in memory.
This corrupted something, then curl did malloc or free or something and boom.
I put the 0 on the end and then it works.
I have pushed this change, with a very much abbreviated description
of the problem.
One line of code, there it is.

But I have another question for you.
I'd like to scrap the whole feature.
It's pointless and I don't think anyone uses it.
It made sense I suppose 15 years ago,
when spam came from specific ip addresses, and you could block those addresses
in a file.
That worked for a year or two, then the spammers saw that I and others
were blocking based on ip, and they set up dynamic ips.
They just change hour to hour.
Then spammers put mailbots in pcs, and now spam can come from anywhere,
even your friend.
Spam detection and redirection is, I think, something edbrowse shouldn't try to do,
in any fashion or by any mechanism.
gmail does it better, much better,
no way should I reinvent that wheel, even if I could,
which I can't.
Leave it to the mail server, or third party like spam assassan.
So I propose scrapping the feature altogether - gone.

I'm glad we already cut version 3.5.1.
I didn't want to do too much else until that was set.
But now we can move on,
and at a minimum I fixed the heap corruption bug,
and I think it makes sense to remove the entire feature.

Karl Dahlke