[GH-ISSUE #654] Link to deactivate alias not removed from plain text

kerem commented

2026-03-14 11:32:53 +03:00

Owner

Originally created by @andre-paulo98 on GitHub (Jun 26, 2024).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/654

When someone sends an email with HTML, and I reply to the email with HTML, the banner gets removed on the HTML side, however it can still be seen in the email (by looking at the "original message")

Steps

Create an alias (alias@anonaddy.me)
Send a normal email to the alias (to confirm you can add some bold to the text)
See that you have the banner "This email was sent to ..."
Reply to the email
Once you get the reply check the full email (in Outlook it's called "Message Source", Gmail is "Show Original")
Search for "This email was sent"

You'll see the banner which is available on Plain Text only.

I also confirmed that different email providers might have a different format, for example, when the alias recipient is on Gmail and you reply, you'll see this:

On Wed, 26 Jun 2024 at 22:27, Name 'myemail at example.com'=
 <
alias@anonaddy.me> wrote:

> This email was sent to alias@anonaddy.me from myemail@example.com
> Click here
> <https://app.addy.io/deactivate/thetoken>
> to deactivate this alias
> email body

And if the alias recipient is Outlook it will be like this:

________________________________
From: Name 'myemail at example.com' <alias@anonaddy.me>
Sent: 26 June 2024 23:14
To: alias@anonaddy.me <alias@anonaddy.me>

This email was sent to alias@anonaddy.me from myemail@example.com
Click here<https://app.addy.io/deactivate/thetoken> to deactivate this alias
email body

Originally created by @andre-paulo98 on GitHub (Jun 26, 2024). Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/654 When someone sends an email with HTML, and I reply to the email with HTML, the banner gets removed on the HTML side, however it can still be seen in the email (by looking at the "original message") ## Steps 1. Create an alias (alias@anonaddy.me) 2. Send a normal email to the alias (to confirm you can add some bold to the text) 3. See that you have the banner "This email was sent to ..." 4. Reply to the email 5. Once you get the reply check the full email (in Outlook it's called "Message Source", Gmail is "Show Original") 6. Search for "This email was sent" You'll see the banner which is available on Plain Text only. I also confirmed that different email providers might have a different format, for example, when the alias recipient is on Gmail and you reply, you'll see this: ``` On Wed, 26 Jun 2024 at 22:27, Name 'myemail at example.com'= < alias@anonaddy.me> wrote: > This email was sent to alias@anonaddy.me from myemail@example.com > Click here > <https://app.addy.io/deactivate/thetoken> > to deactivate this alias > email body ``` And if the alias recipient is Outlook it will be like this: ``` ________________________________ From: Name 'myemail at example.com' <alias@anonaddy.me> Sent: 26 June 2024 23:14 To: alias@anonaddy.me <alias@anonaddy.me> This email was sent to alias@anonaddy.me from myemail@example.com Click here<https://app.addy.io/deactivate/thetoken> to deactivate this alias email body ```

kerem closed this issue

2026-03-14 11:32:58 +03:00

kerem commented

2026-03-14 11:33:04 +03:00

Author

Owner

@willbrowningme commented on GitHub (Jun 27, 2024):

Thanks, you're right. The issue seems to be with the email client adding a plain text version of the HTML reply that includes the banner when replying.

The html email that is forwarded to you only includes the banner in the HTML version and not the plain text version:

Other-Headers...
Content-Type: multipart/alternative; boundary=_jWZSmlz

--_jWZSmlz
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

*html* email

--_jWZSmlz
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<table style=3D"width:100%;">
        <tbody>
                         =
               <tr>
    <td>
        <div style=3D"margin:0px auto;max-=
width:896px;padding:10px 20px;background-color:#f5f7fa;text-align:center;li=
ne-height:1.5;font-size:12px;width:100%;border-left: 3px solid #19216c;font=
-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Sego=
e UI', Roboto, 'Helvetica Neue', Arial, 'Noto Sans', sans-serif, 'Apple Col=
or Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';color:#3=
23f4b;overflow-wrap:break-word;">
            This email was sent to <spa=
n style=3D"font-weight:500;color:#19216c;">alias@addy.io</span> (Testing=
) from <span style=3D"font-weight:500;color:#19216c;">exampl=
e@gmail.com</span><br>Click <a href=3D"https://app.addy.io/deactivate/..."=
style=3D"color:#2d3a8c;text-decoration:u=
nderline;" target=3D"_blank" rel=3D"noreferrer noopener nofollow">here</a> =
to deactivate this alias
        </div>
    </td>
</tr>              =
          <tr>
                <td style=3D"padding:10px 0;width:100%;">=

                    <div dir=3D"ltr"><b>html</b> email<br></div>

  =
              </td>
            </tr>
                    </tbody>
  =
  </table>

--_jWZSmlz--

But then when replying, the email client (in my case Thunderbird) adds in a plain text version (unless you specifically inform it to send html only):

Other-Headers...
Content-Type: multipart/alternative;
 boundary="------------Lz20A0EqMY0Ql0q1eJHoV9N8"

This is a multi-part message in MIME format.
--------------Lz20A0EqMY0Ql0q1eJHoV9N8
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

reply

On 27/06/2024 09:52, Will Browning wrote:
> This email was sent to alias@addy.io (Testing) from 
> example@gmail.com
> Click here 
> <https://app.addy.io/deactivate/...> 
> to deactivate this alias
> *html* email
>

--------------Lz20A0EqMY0Ql0q1eJHoV9N8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    reply<br>
    <br>
    <div class="moz-cite-prefix">On 27/06/2024 09:52, Will Browning
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:...@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <table style="width:100%;">
        <tbody>
          <tr>
            <td>
              <div
style="margin:0px auto;max-width:896px;padding:10px 20px;background-color:#f5f7fa;text-align:center;line-height:1.5;font-size:12px;width:100%;border-left: 3px solid #19216c;font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, 'Noto Sans', sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';color:#323f4b;overflow-wrap:break-word;">
                This email was sent to <span
                  style="font-weight:500;color:#19216c;"><a class="moz-txt-link-abbreviated" href="mailto:alias@addy.io">alias@addy.io</a></span>
                (Testing) from <span
                  style="font-weight:500;color:#19216c;"><a class="moz-txt-link-abbreviated" href="mailto:example@gmail.com">example@gmail.com</a></span><br>
                Click <a
href="https://app.addy.io/deactivate/..."
                  style="color:#2d3a8c;text-decoration:underline;"
                  target="_blank" rel="noreferrer noopener nofollow"
                  moz-do-not-send="true">here</a> to deactivate this
                alias </div>
            </td>
          </tr>
          <tr>
            <td style="padding:10px 0;width:100%;">
              <div dir="ltr"><b>html</b> email<br>
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </blockquote>
    <br>
  </body>
</html>

--------------Lz20A0EqMY0Ql0q1eJHoV9N8--

addy.io is able to match and remove the HTML banner but it looks for:

<!--banner-info-->
...
<!--banner-info-->

The plain text banner between these tags and these are not present.

The deactivate alias link only works if the user is logged in so there is no risk of anyone disabling your alias.

I need to come up with a foolproof way to always match the plain text even if it has been altered as above by an email client.

@willbrowningme commented on GitHub (Jun 27, 2024): Thanks, you're right. The issue seems to be with the email client adding a plain text version of the HTML reply that includes the banner when replying. The html email that is forwarded to you only includes the banner in the HTML version and not the plain text version: ```eml Other-Headers... Content-Type: multipart/alternative; boundary=_jWZSmlz --_jWZSmlz Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable *html* email --_jWZSmlz Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable <table style=3D"width:100%;"> <tbody> = <tr> <td> <div style=3D"margin:0px auto;max-= width:896px;padding:10px 20px;background-color:#f5f7fa;text-align:center;li= ne-height:1.5;font-size:12px;width:100%;border-left: 3px solid #19216c;font= -family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Sego= e UI', Roboto, 'Helvetica Neue', Arial, 'Noto Sans', sans-serif, 'Apple Col= or Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';color:#3= 23f4b;overflow-wrap:break-word;"> This email was sent to <spa= n style=3D"font-weight:500;color:#19216c;">alias@addy.io</span> (Testing= ) from <span style=3D"font-weight:500;color:#19216c;">exampl= e@gmail.com</span><br>Click <a href=3D"https://app.addy.io/deactivate/..."= style=3D"color:#2d3a8c;text-decoration:u= nderline;" target=3D"_blank" rel=3D"noreferrer noopener nofollow">here</a> = to deactivate this alias </div> </td> </tr> = <tr> <td style=3D"padding:10px 0;width:100%;">= <div dir=3D"ltr"><b>html</b> email<br></div> = </td> </tr> </tbody> = </table> --_jWZSmlz-- ``` But then when replying, the email client (in my case Thunderbird) adds in a plain text version (unless you specifically inform it to send html only): ```eml Other-Headers... Content-Type: multipart/alternative; boundary="------------Lz20A0EqMY0Ql0q1eJHoV9N8" This is a multi-part message in MIME format. --------------Lz20A0EqMY0Ql0q1eJHoV9N8 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit reply On 27/06/2024 09:52, Will Browning wrote: > This email was sent to alias@addy.io (Testing) from > example@gmail.com > Click here > <https://app.addy.io/deactivate/...> > to deactivate this alias > *html* email > --------------Lz20A0EqMY0Ql0q1eJHoV9N8 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit <!DOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> </head> <body> reply<br> <br> <div class="moz-cite-prefix">On 27/06/2024 09:52, Will Browning wrote:<br> </div> <blockquote type="cite" cite="mid:...@mail.gmail.com"> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <table style="width:100%;"> <tbody> <tr> <td> <div style="margin:0px auto;max-width:896px;padding:10px 20px;background-color:#f5f7fa;text-align:center;line-height:1.5;font-size:12px;width:100%;border-left: 3px solid #19216c;font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, 'Noto Sans', sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';color:#323f4b;overflow-wrap:break-word;"> This email was sent to <span style="font-weight:500;color:#19216c;"><a class="moz-txt-link-abbreviated" href="mailto:alias@addy.io">alias@addy.io</a></span> (Testing) from <span style="font-weight:500;color:#19216c;"><a class="moz-txt-link-abbreviated" href="mailto:example@gmail.com">example@gmail.com</a></span><br> Click <a href="https://app.addy.io/deactivate/..." style="color:#2d3a8c;text-decoration:underline;" target="_blank" rel="noreferrer noopener nofollow" moz-do-not-send="true">here</a> to deactivate this alias </div> </td> </tr> <tr> <td style="padding:10px 0;width:100%;"> <div dir="ltr"><b>html</b> email<br> </div> </td> </tr> </tbody> </table> </blockquote> <br> </body> </html> --------------Lz20A0EqMY0Ql0q1eJHoV9N8-- ``` addy.io is able to match and remove the HTML banner but it looks for: ```eml  ...  ``` The plain text banner between these tags and these are not present. The deactivate alias link only works if the user is logged in so there is no risk of anyone disabling your alias. I need to come up with a foolproof way to always match the plain text even if it has been altered as above by an email client.

kerem commented

2026-03-14 11:33:09 +03:00

Author

Owner

@andre-paulo98 commented on GitHub (Jul 31, 2024):

Just to note that this also leaks the description of the alias to the recipient.

@andre-paulo98 commented on GitHub (Jul 31, 2024): Just to note that this also leaks the description of the alias to the recipient.

kerem commented

2026-03-14 11:33:14 +03:00

Author

Owner

@willbrowningme commented on GitHub (Aug 1, 2024):

This should now be resolved, please could you try again and let me know if you are still having issues.

@willbrowningme commented on GitHub (Aug 1, 2024): This should now be resolved, please could you try again and let me know if you are still having issues.

Rows
Columns

[GH-ISSUE #654] Link to deactivate alias not removed from plain text #1032

Steps