Carl Hutzler's Blog

Photography, Technology Musings, and other Completely Random Thoughts. Hey, it's free.

Top Coder Comes Through

September 19th, 2006 | Category: Uncategorized

AOL has been experimenting with Top Coder of late. We asked them to create a couple of Thunderbird client plugins which extend some of the features of the AOL Mail system to Thunderbird users. The features are bundled into two plugins:

AOL_Extended_IMAP
- REPORT SPAM (obvious)
- STATUS (to see if someone has read or deleted a mail)
- UNSEND (to unsend a message if no one has read it)

AOL_SMTP_Authentication
- Force the SMTP password to be the same as the IMAP password
this mostly helps users who have passwords that change once/min – like AOL employees who use securID

So far, I have been pleased with Top Coder’s efforts. They did what they said they would, produced a product that works, and did it on-time. Not bad!

They have asked us to beta test the products. Below are the applications for your downloading pleasure.

AOL_Extended_IMAP.XPI

AOL_SMTP_Authentication Linux
AOL_SMTP_Authentication Mac/Apple Universal
AOL_SMTP_Authentication Windows32

Enjoy and let me know how it works for you, bugs, suggestions for improvements, etc.

UPDATE: January 20th, 2007

John Snow created a “patch” for Thunderbird on Windows which basically removes the legacy feature whereby Thunderbird tries to detect whether it is talking to an AOL IMAP server versus another generic IMAP server. Why would you want to remove this functionality? Well, Thunderbird behaves differently if it thinks it is talking to AOL. For example, some of the rules for filing mail (filtering) do not work right. In addition we have noticed that some of the ways TB displays things like the SENDER of an email work differently as well – instead of displaying FROM: Carl Hutzler, TB displays FROM: cdhutzler@aol.com when it is talking to AOL. When it talks to other mail systems, it displays the display name if that is available. I am sure there are more differences, but these are the ones we know about right now.

Just so everyone is understanding why this happens, I want to be clear this has nothing to do with AOL’s email/IMAP server implementation. It has more to do with how the original Mozilla client email code (created by AOL) worked from a product standpoint. The product folks wanted to be sure that spammers/hackers/phishers could not spoof their “display name” like “George W Bush”. Not that spammers could not already pretend to be george.w.bush@whitehouse.gov anyway, but that’s not the point :-).

Anyway, long story short, this is a link to the TBIRD Patch that will change the application (fool it) into thinking it is always talking to non-AOL servers and hence cause it to act just like it does with any other mail server.

If you apply the patch and use the AOL_IMAP.XPI extension, you will also want to download a slightly updated Tbird plugin for the AOL_IMAP.XPI as well. Otherwise the extension won’t work with the patched TB. Thanks to John for updating this as well!

25 comments

25 Comments so far

  1. Dossy Shiobara September 19th, 2006 6:51 pm

    Carl, why are there three different .xpi’s for the SMTP auth reuse extension? What did they do differently from Godwin Babu’s extension that claims to do the same thing?

    Makes me hesitant to try them out, unless they really knew what they were doing and had a good reason for doing it the way they did.

  2. cdhutzler September 19th, 2006 7:31 pm

    They did this plugin in C or C++ and therefor had builds for each platform. The reason they chose C vs JS was told to me, but I forget every detail. It had something to do with the UI the wanted which the JS stuff would not allow them to do. Perhaps they had an option they were not aware of. Also, I did tell TC that someone internally did it in JS and they were interested in seeing it. I guess it all boils down to some design decisions. I don’t know if one was a better choice or not at this point.

  3. Alan Keister September 20th, 2006 5:44 pm

    This is really nice. The only problem I saw was “status” I can only get status for mail I sent. Is that intentional?

  4. cdhutzler September 20th, 2006 6:47 pm

    Working as Designed. You can only get status on messages you send to others. Perhaps status should be changed to allow recipients of the message to also see status. But the mail system does not allow this function today. (and the sender can see BCC recipient status as well – so if we did allow recipients to do status, we would have to ensure they could not see who was BCC’d!! :-)

  5. Stu Brandt September 21st, 2006 10:51 am

    Umm…see WAOL9.0. Anyone can check status, not just sender.

  6. cdhutzler September 21st, 2006 1:01 pm

    I was wrong! In fact, as Stu points out, we do allow STATUS on all mail, not just mail you authored. I never knew this and have verified it works in webmail (not just WAOL). So my apologies to Alan for doubting him.

    I took this feedback and asked TC to build a new version without the restriction. I think it will be easy for them as the actual implementation of the restriction was the real work.

    Just goes to show that managers should not specify technical requirements :-)

  7. Dan Gilliam September 21st, 2006 1:50 pm

    The “classic” AOL clients _do_ let you see the status of messages you’ve received — the client shows the status for the non-BCC recipients.

  8. mihir Apte January 19th, 2007 2:50 pm

    Is there a plugin that allows you to view inbox senders as firtsname, lastname instead of only by email address for thunderbird?

  9. cdhutzler January 20th, 2007 2:20 pm

    I see this for just about every email I get to my AOL.COM account. But if I look at one of my other email accounts (within TB) I find that thunderbird DOES display the person’s name.

    To be honest, I don’t know what is causing it. Could be OLD mozilla code from the AOL developers and not wanting to show the “display name” to the user for security/phish/spam reasons. As every other account I have (cdhutzler@mac.com, cdhutzler@gmail.com, etc) shows it the way you want.

    I am going to email a developer at AOL who might know more. I will let you know if he has the answer. But I don’t think any plugin exists to fix this.

  10. cdhutzler January 20th, 2007 4:21 pm

    How bout that. I was right! :-)

    From John Snow (AOL Developer), posted with permission:

    Your response was correct. The problem is that TB detects that it’s talking to AOL and uses the IMAP extension XAOL-ENVELOPE. XAOL-ENVELOPE uses only the info in Tandem, which is only the email address. When TB talks to non-aol imap servers it uses ENVELOPE instead. The ENVELOPE response includes the Name along with the email address.

    I wrote a program to hack the TB binary to not detect the AOL IMAP server so that it uses ENVELOPE instead of XAOL-ENVELOPE. I did it originally so that TB filters that were based on envelope information would work as expected. I have attached that program. It is only a windows program, so it won’t help your Mac. The patching program is just a binary search and replace of the keyword that TB is looking for to identify the AOL server (XAOL-OPTION). I change it to XAOL=OPTION, so that TB never detects AOL. SO, you could modify you mac version with a simple Hex editor. Or possibly, copy the mac binary to a PC and use my program. But make a backup copy first.

    There is a catch. After patching TB, the Topcoder aol-imap-extension.xpi no longer works. So, I had to fix that as well. The aol-imap extension will now be active no matter what IMAP server you’re connected to. This will, of course, allow you to send the XAOL-UNSEND, XAOL-STATUS, and XAOL-REPORTSPAM commands to any imap server. Those servers should just respond BAD and ignore the command, so no harm should be done. I have attached the modified aol-imap extension also.

    FROM CARL – I will post these up later today as links in this blog post.

  11. Miles January 24th, 2007 9:24 pm

    I’m curious how (or perhaps why) the password stuff works. What kind (static or tokened) of password does the SMTP and IMAP server expect? If tokened, whats the expiry? I guess I don’t understand why forcing the client to use a particular password will make the server understand it (instead of the expected pwd). Or, perhaps I don’t understand the typical use — like IT requires a token/password entry for every email sync and send (which I’d think would drive everyone to stop using that email server or quit).

  12. cdhutzler January 24th, 2007 10:04 pm

    Miles –

    AOL employees currently have normal AOL accounts just like every one of our members (well their are certain privledges we have, but otherwise they are the same). It is these normal AOL accounts that used to get hacked into all the time, thus spilling valuable corporate secrets, etc.

    So about 5 or 6 years ago, in an effort to prevent the compromise of employee accounts, the security folks implemented SecurID for all employees. So now employees login with their normal password and then they have to type in their 6 digit number (which changes every minute). Also, the number they type can only be used once….so if you get prompted for a token again (say in the HR website) you have to wait a minute to give the next number.

    So now comes SMTP and IMAP. Both of these servers require authentication. For employees that AUTH includes both the username (cdhutzler) plus the password and securid. To make things a little easier on employees and since the employee’s IMAP password is the same as their SMTP password, the mail team was permitted cache the password/securid combination and keep it active for several hours (so you could reuse the original token on the mail system). So if you login to imap with MYPASSWORD/123456, you could send mail using the same credential of MYPASSWORD/123456. No need to wait for a minute for that next token.

    Certain mail clients (Outlook and Entrouage for the Mac) had a setting for SMTP AUTH that said “use the IMAP password for authentication to SMTP” or something like that. So when outlook went to send mail via SMTP it would use the IMAP password. Worked well for employees as they just entered their password+securid at the beginning of the day to log into IMAP and then SMTP would get and accept that password all day.

    But thunderbird, mail.app and many other clients did not have this setting. So employees would have to re-enter their password+securid throughout the day to send mail. So to make a very long story short, this plugin solves the problem for AOL employees. It does just about nothing for people who have passwords that do NOT change every minute :-)

  13. Miles January 24th, 2007 10:37 pm

    Cool — the exemption/permission to cache/reuse/not timeout/whatever, was my missing piece. Sounds like both servers expect tokened passwords, and 1 token gets a get out of jail card from the expiry policy. The add-on is to ensure both servers get the same exempted token. I seem to remember AOL offering tokens for extra $s to consumers, so this plugin probably also helps some normal (but paranoid) people too.

  14. cdhutzler January 24th, 2007 10:46 pm

    Correct, Miles. We did sell a few to normal members and it would help them. But a few is all it was and I think AOL did away with it after that. But it is fun to see Paypal introducing it….maybe there is a place for SecurID for the consumer in the banking area.

  15. Eain February 1st, 2007 5:23 am

    Hi Carl, i think these extensions make email at aol just about useable, do you know of any plans to upgrade them for thunderbird 2.0?

    Cheers,
    Eain

  16. cdhutzler February 1st, 2007 8:18 am

    Eain – sounds like your experience is the opposite of my experience and several other AOL employees. Can you tell me what you are seeing?

    As to plans for a TB 2.0 release, I am not sure. I actually left AOL recently. But I will pass your email to the folks that are in my old team. – Carl

  17. cdhutzler February 1st, 2007 8:25 am

    Whoops! Eain said USEable. :-) Damn, I have to get some bigger fonts. Glad you like it :-)

    I did pass along to the team to see if an update is coming :-)

  18. Eain February 1st, 2007 10:07 am

    Thanks for your time Carl, sorry to hear you have left AOL.

  19. Michael Bond February 5th, 2007 6:29 pm

    I won’t swear to the two extensions in the original article but the JS based auth reuse extension by Godwin works fine with the latest 2.0 pre-release.

  20. Joy February 26th, 2007 8:46 pm

    Any chance for a Mac version of the patch?

    P.S. Hope things are going well for you post-AOL.

  21. cdhutzler February 26th, 2007 8:48 pm

    I believe the IMAP version works fine on a Mac – was that what you were asking?

  22. zhemarcus April 20th, 2007 4:21 pm

    Hi,

    This extension will be compatible with thunderbird 2 ?

  23. Nathan May 7th, 2007 11:07 am

    Are there Thunderbird 2.0 versions of these extensions available anywhere? Thanks!

  24. John Snow May 8th, 2007 7:40 am

    I have submitted the AOL mail extension to the Mozilla addons site and I’m waiting for it to be approved for public use. If you register at the mozilla site, you can select the sandbox and find the AOL mail extension there.

    https://addons.mozilla.org/en-US/thunderbird/addon/4860

    This version is compatible with Thunderbird 2.0. I aslo added a minor change that splits up the 3 toolbar buttons, allowing them to be placed individually.

  25. John Snow June 4th, 2007 7:43 am

    Well, it’s been over a month and this extension has still not been approved to appear on the public side of addons.mozilla.org. The reason they give is that there are no reviews from any users of the extension. So please, if you have a few minutes and find this extension useful, go write a quick review.

    thanks,

    john.

Leave a reply