And if your regex engine has vulns? ;)

   On 10 July 2015 22:41:23 GMT+01:00, grarpamp <grarpamp@gmail.com>
   wrote:

On Fri, Jul 10, 2015 at 4:11 AM, Georgi Guninski <guninski@guninski.com> wrote:

     On Fri, Jul 10, 2015 at 12:17:57AM -0700, Seth wrote:

     On Fri, 10 Jul 2015 00:00:20 -0700, Tom <tom@vondein.org> wrote:

     [1]http://ptrace.fefe.de/fpalm30c3.jpg

     I actually appreciate content posted in message, get tired of having
     to fire up a browser for links. Also every click on a browser link
     is a potential attack whereas plain-text in an email is not.

     Are you sure plain-text email is not potential attack?
     There have been many bugs in text mail clients.
     IIRC shell shock affected qmail local delivery (and maybe
     procmail).

     Affection is possible...
     [2]http://www.gossamer-threads.com/lists/qmail/users/138578
     Moral: Validate input and pipelines. Even if only a silly regex
     sanity filter on
     instruction metadata (email addresses), ie: [A-Za-z0-9._@+-] mod
     utf-8
     Security is not being liberal in what you accept.

   --
   Sent from my Android device with K-9 Mail. Please excuse my brevity.

References

   1. http://ptrace.fefe.de/fpalm30c3.jpg
   2. http://www.gossamer-threads.com/lists/qmail/users/138578