Vincent Caron <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [EMAIL PROTECTED] wrote:
> | Someone attempted to change a password via email verification
> | on gna.org
> |
> | Someone is maybe trying to steal a user account.
>
> ~ Why should we be notified on this ML about this event? I understand it
> should be logged, but what is our role here?

This mail password change is insecure by nature (and there is nothing to do about it unless the GPG method I have been suggesting for a year gets implemented). So at some point I felt it necessary to have all these requests available in public archives, for users to be able to find that information without our help.

Since then, I added a method for users to discard the request by themselves, if it does not come from them. However, I still feel it is important to keep public track of these requests, since someone can be off the net for a long period (6 months), come back to the net, find his gna account cracked without really being sure of it, and have no means for us and him to really know what happened.

My own anti-annoyance solution is the following rule in my .procmailrc

    :0
    * ^Subject: password change - savannah.
    $IMAPDIR/.trash/

I suggest other admins do the same, as creating a mailing list for this sole purpose seems a bit extreme to me. It would also require a hack of the code to handle an extra address differing from the sys admin address, while the best solution is still to gpg encrypt all lost password requests.

Anyway, I think that gpg encryption of lost password mails should definitely be a priority, and these lost password mails sent to administrators should be an effective reminder :))

-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
