From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <e@80x24.org>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on dcvr.yhbt.net
X-Spam-Level: 
X-Spam-ASN: 
X-Spam-Status: No, score=-2.7 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00,
 URIBL_BLOCKED shortcircuit=no autolearn=unavailable version=3.3.2
X-Original-To: unicorn-public@bogomips.org
Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net
 (Postfix) with ESMTP id B66861F612; Mon,  1 Feb 2016 09:57:57 +0000 (UTC)
Date: Mon, 1 Feb 2016 09:57:57 +0000
From: Eric Wong <e@80x24.org>
To: Lawrence Pit <lawrence.pit@gmail.com>
Cc: unicorn-public@bogomips.org
Subject: Re: unicorn log attack?
Message-ID: <20160201095757.GA14049@dcvr.yhbt.net>
References: <56AAAD0A.8000807@icloud.com>
 <20160130093453.GA24510@dcvr.yhbt.net>
 <CAGHrWsiqS486dqLPw9mZiooLXk2yso-JEtnr1vM02HeP+f_2Ug@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
 <CAGHrWsiqS486dqLPw9mZiooLXk2yso-JEtnr1vM02HeP+f_2Ug@mail.gmail.com>
List-Id: <unicorn-public@bogomips.org>

Lawrence Pit <lawrence.pit@gmail.com> wrote:
> Hi Eric,
> 
> > but that includes emails :)
> 
> Yeah, sorry about the email format :[  Hope this time it's as expected.

Yep, you can check for deliverability of any message by
checking: bogomips.org/unicorn-public/$MESSAGE_ID/
(or just look near the top of http://bogomips.org/unicorn-public/)

Nothing hits the list until it hits the archives.

I also suggest always Bcc:-ing yourself instead of having your
mail client save to a "Sent" folder so you can:

a) test deliverability (including the Message-ID: in headers
   if it's added by the server and not your client)

b) get proper threading with any reply-to-all lists you're not
   subscribed to.

> > I don't consider it the responsibility of the app server to sanitize it.
> 
> fwiw, I agree :) ... similarly, why consider it the responsibility of
> the app server to log it?  it is an application level error, not a
> unicorn error.

I'm not entirely sure why unicorn logs it, either.  I think it
was already expected in 2009 for application servers to log
that (thin/mongrel/...?)

Similarly, I don't like the "timeout" feature of unicorn
anymore, either since it encourages hiding bugs.

There's no chance of removing either feature, of course.