Spyke
Not a newtreply
piefed.ca

13/21 here. Mostly got hung up on several "this was valid in earlier RFC, and later removed" kind of situations. There are several where I picked the correct answer, but where I know many websites that won't accept it as valid, and that's not even the more esoteric ones.

51
NaibofTabrreply
infosec.pub

Yeah I feel like the correct answer for anything obsoleted by a more recent RFC should be "Invalid".

37
JohnEdwareply
sopuli.xyz

But they will work, and according to the spec, you have to build your system so that it can handle those cases. Obsolete doesn't mean incorrect or invalid, just a "you shouldn't do this any more".

Obsolete Syntax
Earlier versions of this standard allowed for different (usually more liberal) syntax than is allowed in this version. Also, there have been syntactic elements used in messages on the Internet whose interpretation have never been documented. Though some of these syntactic forms MUST NOT be generated according to the grammar in section 3, they MUST be accepted and parsed by a conformant receiver.

https://datatracker.ietf.org/doc/html/rfc2822#section-4

24
NaibofTabrreply
infosec.pub

Well shit, yeah, that "MUST be accepted and parsed" is pretty explicit. That sucks. What is even the point of revising standards? How the fuck do we ever get rid of some of these bad ideas?

6
ddittyreply
lemmy.dbzer0.com

Me too and it said that is the amount you'd get if you just picked "valid" for every response. Lmao

4
db0reply
lemmy.dbzer0.com

Yay! Same. But only because I've already heard of some email craziness before.

4
irish_link
lemmy.world

THIS THING IS STUPID!!!!

Or it’s just me that is the fool. Thanks for sharing. I just learned about 9 new things.

75
Err(()).unwrap()reply
lemmy.world

All of the modern internet is built on the decaying carcasses of temporary solutions and things that seemed like a good idea at the moment but are now too widely used to change.

42
Blackmist
feddit.uk

I don't think it really matters what the standard is, because you'll be completely limited by some 25 year old bit of Regex from Stack Overflow that every web developer ever has implemented into their form sanity checks.

71
Frezikreply
lemmy.blahaj.zone

The main one that gets passed around will match the weirdness fine. In fact, it probably matches things you don't want, anyway.

A signin/registration form really only needs to do sanity checks to get rid of obviously bad addresses. You'll have to send a round-trip email confirmation message to make sure the email is real, anyway, so why bother going into great detail? Just check that there's an '@' symbol and a dot in the domain. Most of the rest is wanking off.

25
Dremorreply
lemmy.world

A domaine without tld (me@home) is a valide address. I saw an email server being used as a mqtt-like server this way (it is very old and predate those software).

11
Frezikreply
lemmy.blahaj.zone

An address without a domain is irrelevant for a signin/registration form. Which is like 90% of the code being written in the wild to validate addresses.

If you're writing an email server, then you need to care about all these details. Most of us never will.

6
Frezikreply
lemmy.blahaj.zone

You gonna fill an IPv6 address for your email server into the DoorDash signin page?

6
zurohkireply
aussie.zone

Don't be ridiculous, I'm going to use an open source password manager to fill an IPv6 address for my email server into the DoorDash signin page.

13
Frezikreply
lemmy.blahaj.zone

I know you're being facetious, but I'm thinking through the implications of someone actually doing this. ISPs aren't always handing out static IPv6 prefixes for some damn reason, so you can't count on that address staying the same when self-hosting. Even if you can, you don't know what will happen when you change ISPs.

So yeah, really bad idea regardless.

2
CommanderCloon
lemmy.ml

Question 5 is incorrect, name@example is a fully valid email address, even after RFC 2822

The spec of RFC 2822 defines an address (3.4.1) as:

local-part "@" domain

domain is defined (3.4.1) as:

domain = dot-atom / domain-literal / obs-domain

dot-atom is defined (3.2.4) as:

dot-atom = [CFWS] dot-atom-text [CFWS]
dot-atom-text = 1*atext *("." 1*atext)

1*atext meaning at least 1 alphanumeric character, followed by *("." 1*atext) meaning at least 0 "." 1*atext

If tomorrow, google decided to use its google top-level domain as an email domain, it would be perfectly valid, as could any other company owning top-level domains

Google even owns a gmail TLD so I wouldn't even be surprised if they decided to use it

60
HereIAmreply
lemmy.world

I don't know if they changes the answer to the question, but it now says name@example is valid.

26
CommanderCloonreply
lemmy.ml

It does say it's valid, but also that it's obsolete, and while the RFC does define valid but obsolete specs, there is nothing defining domains without a dot as obsolete, and it is in fact defined in the regular spec, not the obsolete section

36
[deleted]reply
lemmy.world

It says valid but obsolete, which sounds like a contradiction to me.

This is technically valid but considered obsolete. RFC 822 allowed domains without dots, but RFC 2822 made this obsolete.

Do email suffix not indicate a different domain like .org and .com for websites?

6
/home/pineappleloverreply
lemmy.dbzer0.com

I didn't understand this one. How do you have a no dot domain? Like you need to distinguish from example.com or example.wtf

Edit: do you mean if you own .google you can have your email@google address?

4
DaPorkchop_ [any]reply
lemmy.ml

Yes, the top-level domain is still just a domain. I'm not aware of any public Internet services which are reachable from a TLD directly, and it's strongly discouraged by ICANN, but there isn't any technical limitation preventing e.g. someone at Verisign from setting up example@com.

6
mobotsarreply
sh.itjust.works

In response to your edit.

Yes, or countries could use their cctld, e.g. email@us or noreply@uk.

Or any tld owner could do the same with theirs, of course.

3
Atherelreply
lemmy.dbzer0.com

you could also send mails within your local network, the hostname just has to resolve and have a mail service running

1
tylerreply
programming.dev

You shouldn’t be validating emails yourself anyway. Use a library or check for only the @ and then send an email confirmation.

20
zurohkireply
aussie.zone

Even if it's a completely valid address and the domain exists, they still might've fat fingered the username part. Going to extreme lengths to validate email addresses is pointless, you still have to send an email to it anyway.

14
psudreply
aussie.zone

I seem to have annoyed an admin of an instance enough for them to subscribe my signup email to hundreds of dating profiles (presumably using a service that offers to harass someone for you)

Many of them aren't good at validating email

One in ten has one email arrive, asking me to click a link to confirm

9 in ten have 5 emails before I notice them:

  • Please click a link to confirm
  • You received a wink
  • You received a wink
  • You received 3 chat requests
  • You received a link

So it's important to not send emails beyond the validate one to unvalidated addresses, to perfect your service annoying or harassing this parties

Also, use a disposable address for signing up to Lemmy

3
whoreply
feddit.org

Use a library

Please, no. If someone wrote email address "validation" complex enough to warrant a library, then their code is almost certainly wrong.

or check for only the @ and then send an email confirmation.

Yes. Do that.

If your boss demands a more detailed check at input time, then make it display warnings, not errors, and continue to the confirmation sending step if the user chooses to ignore the warning.

6
rumbareply
lemmy.zip

Now i just need a registrar that allows emoji...

4
Frezik
lemmy.blahaj.zone

Two of my "favorite" features it didn't even touch on. You can have nested comments:

foo(one(two(three(four(five(six(seven)))))))@example.com

This will actually fail on that big email regex that gets copied around (originally from Mastering Regular Expressions in 1997), because it can only handle comment nesting to a depth of six. It is actually possible to do indefinite nesting now with recursive regex, but it was developed before that feature existed.

RFC822 also allows routing addresses through multiple servers:

<@[email protected]:[email protected]>

But this is almost always denied on modern email servers because it was abused by spammers.

41
MonkderVierte
lemmy.zip

::: spoiler My top five from this (all valid):

  • ":(){␣:|:&␣};:"@example.com # fork bomb
  • 👉@👈 and poop@[💩]
  • "@"@[@]
  • c̷̨̈́i̵̮̅l̶̠̐͊͝ȁ̷̠̗̆̍̍n̷͖̘̯̍̈͒̅t̶͍͂͋ř̵̞͈̓ȯ̷̯̠-̸͚̖̟͋s̴͉̦̭̔̆̃͒û̵̥̪͆̒̕c̸̨̨̧̺̎k̵̼͗̀s̸̖̜͍̲̈́͋̂͠@example.com
  • fed-up-yet@␣example.com␣ # ␣ = whitespace :::
36
TomasEkeli
programming.dev

I don't validate emails, I test them.

That's your email? OK, what did we send it? if we couldn't send to it or the user can't read it there's no reason to accept it.

OK, maybe I do some light validation first, but I don't trust the email address just because it's email-address-shaped.

35
TomasEkelireply
programming.dev

Almost correct. ^.+@.+$

Too hard to validate properly to be worth it. Even if it is technically valid that's insufficient. It must also work, and the easiest way to test that is to use it and verify that the user got what we sent.

14
whoreply
feddit.org

I don’t validate emails, I test them.

Hooray! You get a gold star.

OK, maybe I do some light validation first,

I hope your "validation" does nothing more than show a warning that the user is allowed to ignore.

I have seen too many systems built by people who think they know what's valid or not before and after the @ sign*, and they are almost always dead wrong. In the worst cases, such systems accept an unusual-looking address and claim to send the expected verification message, but never actually send it. Of course, these systems won't work for some people, and since none of their online docs or support staff know why, those people will be locked out of using the system and funneled into bottomless pit of misery if they try. Please don't build broken garbage like this.

*Fun fact: Not so terribly long ago, even the @ sign didn't have to be present. Some email addresses were bang paths. I'm not sure if any of these are still in use, but it wouldn't shock me to learn that they are.

2
GiveOverreply
feddit.uk

Hooray, you have better security than Apple, who won't let me use my own email because some idiot in Australia used it first.

2
isaacd
lemmy.world

Let us recite the email validator’s oath:

If it has something before the @, something between the @ and the ., and something after the ., it’s valid enough.

30
Daisy (she/her)reply
lemmy.ml

Fails for when there is no TLD. Just send an email and validate a response eg from a link.

3
isaacdreply
lemmy.world

No. The number of users who have a real email with no TLD is far less than the number of users who will accidentally type an email with no TLD if you don’t validate on the front end.

I’m here to help 99.9% of users sign up correctly, not to be completely spec-compliant for the 0.1% who think they’re special.

3
ulternoreply
programming.dev

Guess my mail@IPv6 won't be accepted because I was too poor to pay for a domain name after having paid for a static IPv6.

0
Björn
swg-empire.de

I had to make an email address just for paypal because those idiots don't accept subdomains in email addresses.

28
Frezikreply
lemmy.blahaj.zone

Pizza Hut doesn't allow dashes in the domain. This prevents me from ordering Pizza Hut with the email under my personal domain. This can be considered a feature.

23
ikidd
lemmy.world

I gave up when I got like 5 wrong. I've ran mail servers for decades, most of the invalid "valids" would get rejected by any mailservers I've administered.

28
Xatolosreply
reddthat.com

Just because it's not something you'd use anymore doesn't mean it isn't valid.

WEP is still a valid form of wireless encryption, but no one would use it anymore (and so would be obsolete). It's still a part of the 802.11 standard.

4
NessD
lemmy.world

14 / 21

This is the score you get when you answer "valid" for every question. Good job.

25
marzhall
lemmy.world

I scored 16/21 on https://e-mail.wtf/ and all I got was this lousy text to share on social media.

Damn, and here I thought I had this locked down because I was salty that so many places struggle with + in the email addy. But my god, there's comments?

25
dumnezero
piefed.social

Thanks to RFC 6532, Zalgo text is a-okay.

hmmm...

Yay! You're average! Time to start making plans for what you'll do when an LLM takes your job.

I already have plans.

24
codapine
lemmy.zip

Also as the registrant of one of those new fancy TLDs, much like the owner of this website (email.wtf), their own email addresses will fail those stupid email validation checks that only believe in example@example.[com|net|org]

Shitty websites will fail "[email protected]", guaranteed - despite it being 100% valid AND potentially live.

Source - I have a ".family" domain for my email server. Totally functional, but some shitty websites refuse to believe it.

23
locuesterreply
lemmy.zip

Yeah I have a .engineering for my biz. I also registered mycompanyengineering.com to get through places that won’t take the new TLDs.

Usually banks.

4
Appoxoreply
lemmy.dbzer0.com

Seems like a weird choice as the primary TLD.
I'd switch it just to reduce the annoying typing hassle and to avoid misspelling.

It's already unusual if I say "My email is [email protected]"
And that trips so many persons.
First: I have my own domain
Second: It's not gmail, apple or a local provider
Third: The TLD isnt .de or .com but .eu

1
BlushedPotatoPlayersreply
sopuli.xyz

I have a spam collecting address @freemail.hu , the domain is live and working since 96, sometimes it's not accepted, because it's not Gmail I guess

2
notarobotreply
lemmy.zip

I'm not sure I blame the sites. The spec is so complex that it's not even possible to know which regex to use

1
bignosereply
programming.dev

The spec is so complex that it’s not even possible to know which regex to use

Yes. Almost like a regex is not the correct tool to use, and instead they should use a well-tested library function to validate email addresses.

1
notarobotreply
lemmy.zip

Exactly! But its not obvios. So most of those shitty websites don't even know they have a problem.

Then there are also people ignoring it on purpose. I once read a reddit comment saying 'well of your address looks like "John wick 🐶❤️"@2001:0db8:85a3:0000:0000:8a2e:0370:7334 I don't event want your email in my DB because oit will break something

1
ulternoreply
programming.dev

I have a feeling, the ones codapine is stating, didn't even care to half-read the spec and just went with what they knew from experience.
Maybe they didn't even know there was a spec.
Maybe they asked ChatGPT for the regex.

0
notarobotreply
lemmy.zip

That's one very random place to find that. There are a lot of different one and there is no way we all just agree to use that one.

Look art his site that shows a more complete and (in theory) official website. While also explaining that there is no regex that is perfect

https://emailregex.com/

(Compete regex for the lazy)

(?:\[a-z0-9!#$%&'\*+/=?^\_\`{|}\~-]+(?:\\.\[a-z0-9!#$%&'\*+/=?^\_\`{|}\~-]+)\*|"(?:\[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\\\\[\x01-\x09\x0b\x0c\x0e-\x7f])\*")@(?:(?:\[a-z0-9]\(?:\[a-z0-9-]\*\[a-z0-9])?\\.)+\[a-z0-9]\(?:\[a-z0-9-]\*\[a-z0-9])?|\\\[(?:(?:25\[0-5]|2\[0-4]\[0-9]|\[01]?\[0-9]\[0-9]?)\\.){3}(?:25\[0-5]|2\[0-4]\[0-9]|\[01]?\[0-9]\[0-9]?|\[a-z0-9-]\*\[a-z0-9]:(?:\[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\\\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\\])
0
pyre
lemmy.world

nice. though valid but obsolete is not a thing... if it's obsolete it's invalid.

23
rumba
lemmy.zip

I lost it at the fork bomb. I mean I hit valid because there was no way it was on the and not valid, but there's no way i'd have expected that. after that I just kept guessing the most stupid answer and did pretty well

20
Avicenna
lemmy.world

13/21, seems like I am not significantly different from random guessing

18
GreenShimadareply
lemmy.world

Got the same, I can't believe how many weird comments and extra random things can get added into an email address.

9
brisk
aussie.zone

::: spoiler Tap for spoiler Email addresses can have comments?! :::

17
Frezikreply
lemmy.blahaj.zone

Nested comments. RFC822 had a whole bunch of bad ideas in it, but nobody thought much of it at the time. Most programming languages don't even do nested comments, because they want to filter them out with a simple lexer before the grammar ever sees it.

8
Cam
scribe.disroot.org

13 right answers and I didn't expect so many lol

I'll never validate some of the 💩 I've learnt today.

16
piccoloreply
sh.itjust.works

Validation should just check if it has a @ and send an email and wait for a response... because who knows if mailservers "respect" the spec anyway.

2
Speiser0
feddit.org

Pretty much everything I've seen in e-mail is needlessly complicated and weird. So of course addresses are as well.

14
wellheh
lemmy.sdf.org

I scored 14/21 on https://e-mail.wtf/ and all I got was this lousy text to share on social media.

I actually died at the poop emoji one. Actually amazing awareness to test for that

14
Natanaelreply
infosec.pub

Needs to be IPv6, including support for subnets to message multiple devices

7
Nighed
feddit.uk

15

Going to have to try some of those.... Can you actually register emojis as a domain, or is that just the email validation that allows them?

Edit: most TLDs don't. Smaller ones do sometimes.

12
NeatNitreply
discuss.tchncs.de

Emoji domains can be registered using punycode, and you're right that it's up to the TLD whether they're allowed or not.

For example: http://xn--yt8h.la/%F0%9F%90%B6

📙.la is encoded using punycode to http://xn--yt8h.la/

🐶 is URL-encoded to %F0%9F%90%B6

Giving the 'true' URL http://xn--yt8h.la/%F0%9F%90%B6 which then redirects to https://emojipedia.org/dog-face

Emails should generally use @xn--yt8h.la instead of @📙.la for maximum compatibility. I'm not sure if the email spec allows punycode.

8
geissi
feddit.org

I vaguely remember a panel where a guy went through various cases like these.

One of the things that stood out is that not every email provides implements the same specs, so one provider might allow you to set up a "valid" email address that might not be able to communicate with other providers as they consider it "invalid".

10
Turret3857
infosec.pub

12/21

are things that are considered out of current spec really "valid" though?

10
Echolynxreply
lemmy.zip

And is it really valid if my email provider doesn't accept it? If it's not universally accepted or standard, then it doesn't matter if it's technically valid.

4
NoiseColor
lemmy.world

Jesus effin Christ! I had no idea! This is madness! This is ... Omfg I just can't

9
sp3ctr4l
lemmy.dbzer0.com

I rage quit gave up at 12.

A fork bomb is apparently a valid email address.

I quit, this is stupid.

7
Err(()).unwrap()
lemmy.world

You can easily validate e-mail addresses using this simple regex pattern.

:::spoiler regex

(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]
)+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:
\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(
?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ 
\t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\0
31]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\
](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+
(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:
(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z
|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)
?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\
r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[
 \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)
?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t]
)*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[
 \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*
)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]
)+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)
*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+
|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r
\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:
\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t
]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031
]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](
?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?
:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?
:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?
:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?
[ \t]))*"(?:(?:\r\n)?[ \t])*)*:(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] 
\000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|
\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>
@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"
(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t]
)*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\
".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?
:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[
\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-
\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(
?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;
:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([
^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\"
.\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\
]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\
[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\
r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] 
\000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]
|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \0
00-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\
.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,
;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?
:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*
(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".
\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[
^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]
]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)(?:,\s*(
?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\
".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(
?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[
\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t
])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t
])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?
:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|
\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:
[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\
]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)
?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["
()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)
?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>
@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[
 \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,
;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t]
)*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\
".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?
(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".
\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:
\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\[
"()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])
*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])
+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\
.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z
|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(
?:\r\n)?[ \t])*))*)?;\s*)

:::

5
bajaboundreply
lemmy.world

Nothing reminds me more of beating my head into a wall while fucking with sendmail 30 years ago.

1
thomasloven
lemmy.world

If qoutes are removed and internal spaces are invalid, how could ":(){␣:|:&␣};:"@example.com be valid?

5
rumbareply
lemmy.zip

Yeah they're processed, but not passed through.

1
bambooreply
lemmy.blahaj.zone

Not too sure, but a previous one says spaces are allowed in comments. I would assume the {} is similar?

1
shalafi
lemmy.world

17/21. Would have been 18 but the first example of spaces screwed me.

4
lefaucet
slrpnk.net

So much better than I thought it would be! Thank you for making the world a better & more informed place

2
NaibofTabr
infosec.pub

#18 seems really bad, like no-one-has-ever-sanity-checked-this bad.

2
zwergreply
feddit.org

Im still trying to figure out what that means. How does @ resolve to an IP address?

3
gedhrel
lemmy.world

I kind of expected a lot of this; I remember the sendmail 4 book from back in the day when O'Reilly had that, DNS and BIND, and Perl as the entirety of its corpus.

1
Mikelius
lemmy.ml

And after that, I now can't wait for the next pull request with a regular expression on email validation to come through.

1