Bug Description
The email (IMAP/SMTP) gateway adapter auto-replies to every incoming email with no sender filtering. This includes:
- noreply@, no-reply@, donotreply@ addresses
- mailer-daemon@, postmaster@ bounce notifications
- Newsletters, marketing emails, automated alerts
- GitHub notifications, bank alerts, Substack digests
Unauthorized senders get pairing code replies
Emails from senders not in EMAIL_ALLOWED_USERS trigger the unauthorized DM handler in _handle_message(), which sends back:
Hi~ I don't recognize you yet!
Here's your pairing code: QBLYPM34
Ask the bot owner to run:
hermes pairing approve email QBLYPM34
This means every noreply address that emails you receives a reply containing a pairing code.
Authorized senders get full AI responses
Emails from whitelisted senders trigger the full agent loop, generating AI responses sent back via SMTP — even to automated notification emails.
Real-world impact
In my case, enabling the email adapter resulted in 64 auto-replies sent to noreply addresses, bounce notifications, newsletters, bank alerts, and more — before I caught it and disabled the adapter. Some of those replies bounced, generating further bounce-reply loops.
Root cause
email.py has zero pre-dispatch filtering:
- No inspection of Precedence: bulk/list headers
- No inspection of Auto-Submitted: auto-* headers
- No inspection of List-Unsubscribe headers
- No address pattern matching for noreply/no-reply/donotreply/mailer-daemon
- No read-only / ingest-only mode
- The only filter is self-message skipping (line ~348)
Precedent from other adapters
Other platform adapters have already solved this class of problem:
- DISCORD_ALLOW_BOTS with none/mentions/all modes
- SLACK_ALLOW_BOTS proposed (feat: Add SLACK_ALLOW_BOTS env var (parity with Discord's DISCORD_ALLOW_BOTS) #3198)
The email adapter has no equivalent mechanism.
Proposed fix
- Noreply address filtering — silently drop emails from common noreply patterns before dispatching
- Header-based filtering — inspect Precedence, Auto-Submitted, List-Unsubscribe, X-Auto-Response-Suppress to detect bulk/automated mail
- Read-only / ingest mode — config option to process inbound email without sending any SMTP replies
- Never send pairing codes via email — the unauthorized handler should ignore on email by default, not pair
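A pre-dispatch gate covering the first three proposed items, written as an added example for this report and not taken from the project's email.py: the function names, the regex of noreply local-parts and the sample messages are constructed here. The lead check is the cheapest (sender address), then the RFC 3834 Auto-Submitted header, Precedence, mailing-list headers, the Exchange suppression hint, and the null return-path that identifies a bounce, so a reply is only ever sent when every check passes.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Constructed list of local-part patterns that should never get a reply
# (covers the address patterns named in the report; extend as needed).
NOREPLY_LOCALPARTS = re.compile(
    r"^(no[-_.]?reply|do[-_.]?not[-_.]?reply|mailer-daemon|postmaster|bounces?)"
    r"([+@.-]|$)",
    re.IGNORECASE,
)


def is_automated_mail(msg: Message) -> Optional[str]:
    """Return why the message looks automated, or None if a reply is reasonable."""
    _, addr = parseaddr(msg.get("From", ""))
    local = addr.split("@", 1)[0]
    if NOREPLY_LOCALPARTS.match(local):
        return f"noreply-style sender: {addr}"
    # RFC 3834: any value other than "no" marks auto-generated/auto-replied mail.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return f"Auto-Submitted: {auto}"
    # Precedence: bulk/list/junk is the classic marker for lists and mass mail.
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in {"bulk", "list", "junk"}:
        return f"Precedence: {prec}"
    if msg.get("List-Unsubscribe") or msg.get("List-Id"):
        return "mailing-list headers present"
    # Exchange/Outlook hint asking auto-responders to stay quiet.
    if msg.get("X-Auto-Response-Suppress"):
        return "X-Auto-Response-Suppress present"
    # Delivery status notifications (bounces) carry an empty return-path.
    if msg.get("Return-Path", "").strip() == "<>":
        return "null return-path (bounce)"
    return None


def should_reply(raw: str, read_only: bool = False) -> bool:
    """Gate to run before any handler that can send SMTP; False means stay silent."""
    if read_only:  # ingest-only mode: process the mail, never answer it
        return False
    return is_automated_mail(message_from_string(raw)) is None


# Constructed sample messages for a stand-alone run.
BOUNCE = "From: MAILER-DAEMON@mx.example.net\nReturn-Path: <>\nAuto-Submitted: auto-replied\n\nbody\n"
NEWSLETTER = "From: Digest <digest@news.example.com>\nPrecedence: bulk\nList-Unsubscribe: <mailto:u@example.com>\n\nbody\n"
HUMAN = "From: Alice <alice@example.org>\nSubject: hello\n\nbody\n"
```

In the unauthorized path the same gate means a pairing code is only ever composed for a sender that passed every check, and in read-only mode for nobody at all.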
Environment