On Wed, 27 Feb 2013 08:31:56 +0000 Badoo <[email protected]> wrote:
> Snipped Badoo spam...

Sorry to everyone for this getting through to the list. To be honest, I still don't know how that happened, but I'll give a summary here of what I do know.

There were four messages sent around the same time from the same @badoo.com address: the first one was accepted while the other three were held for moderation. The Reply-To header contained the name of a list subscriber (Iskar Enev), and while I do *not* think that user had anything to do with this, I *do* think it's possible that Mailman was "tricked" into accepting the mail because of that header. I have not looked into Mailman's code, however.

Now, I know the old adage about "never attribute to malice that which can be explained by incompetence," but I'm not sure about this one. See, several months ago, this list got *many* messages sent to it from LinkedIn, as if [email protected] had signed up for a LinkedIn profile, and apparently our name was Ivan. You never saw any of those messages because they were held for moderation (and so I deleted them). I eventually got tired of deleting them, so I went to LinkedIn's site, tried to sign in as "Ivan" (using this list's address), told it I had forgotten my password (which sent a reset link to the list address, which I viewed and later deleted), and then I changed the password and deleted the profile - problem solved.

Well... guess what? This "Ivan" had also created a profile at Badoo using the list address. I have no idea how that is even possible - it seems to me that the confirmation mail would never be received (after all, it's held for moderation, and besides, I never saw one sent to the list address), but somehow, that's what's happening, I guess. I don't know if this "Ivan" is that much of a dumbass or if there's some spambot that's doing it or if maybe something else is going on. Anyway, the Badoo profile has also been deleted now, so maybe "Ivan" will leave us alone. We'll see.
In the meantime, I've upgraded our Mailman installation to 2.1.15, and the NEWS mentions a few security-related bugfixes:

- Strengthened the validation of email addresses.
- An XSS vulnerability, CVE-2011-0707, has been fixed.
- The web admin interface has been hardened against CSRF attacks by adding a hidden, encrypted token with a time stamp to form submissions and not accepting authentication by cookie if the token is missing, invalid or older than the new mm_cfg.py setting FORM_LIFETIME which defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation which is only one of his many contributions to Mailman prior to his death from cancer on 14 January 2012.

-RW
signature.asc
Description: PGP signature
_______________________________________________
SlackBuilds-users mailing list
[email protected]
http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
Archives - http://lists.slackbuilds.org/pipermail/slackbuilds-users/
FAQ - http://slackbuilds.org/faq/
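The CSRF hardening quoted from the Mailman 2.1.15 NEWS above (a time-stamped hidden form token, with cookie authentication refused when the token is missing, invalid or older than FORM_LIFETIME) is easy to get subtly wrong, so here is an added, self-contained illustration of the rule. This is example code written for this page, not Mailman's own implementation: Mailman's real token format and hashing differ, and the function names, the constructed SITE_SECRET, the list/user context strings and the 60-second clock-skew allowance are all assumptions of this example. Only the setting name FORM_LIFETIME and its one-hour default come from the NEWS entry.

```python
import hashlib
import hmac
import time

# Setting name and default taken from the Mailman 2.1.15 NEWS entry quoted above.
FORM_LIFETIME = 3600  # seconds; tokens older than this are rejected

# Constructed secret for the example only; a real site loads this from config.
SITE_SECRET = b"constructed-site-secret-for-the-example"

# Small skew allowance so a slightly fast client clock does not trip the check.
CLOCK_SKEW = 60


def make_form_token(list_name, user, now=None, secret=SITE_SECRET):
    """Mint a hidden-form token: '<unix_ts>:<hmac>' bound to the list/user context.

    Binding the MAC to the timestamp means the expiry cannot be extended by
    editing the timestamp part; binding it to list and user means a token
    minted for one admin page cannot be replayed against another.
    """
    ts = int(time.time()) if now is None else int(now)
    msg = f"{ts}|{list_name}|{user}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_form_token(token, list_name, user, now=None,
                     lifetime=FORM_LIFETIME, secret=SITE_SECRET):
    """Return (ok, reason). Missing, malformed, forged, wrong-context,
    future-dated and stale tokens all fail, each with a distinct reason."""
    if not token:
        return False, "missing"
    ts_str, sep, mac = token.partition(":")
    if not sep or not ts_str.isdigit():
        return False, "malformed"
    ts = int(ts_str)
    expected = hmac.new(secret, f"{ts}|{list_name}|{user}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(mac, expected):
        return False, "invalid"
    current = int(time.time()) if now is None else int(now)
    if ts > current + CLOCK_SKEW:
        return False, "future"
    if current - ts > lifetime:
        return False, "expired"
    return True, "ok"


def handle_admin_post(form, cookie_authenticated, list_name, user, now=None):
    """The hardened rule: a session cookie alone no longer authorises a
    state-changing admin POST. The token is checked first, and the cookie is
    only consulted once the token has validated."""
    ok, reason = check_form_token(form.get("csrf_token"), list_name, user, now=now)
    if not ok:
        return f"reject ({reason})"  # cookie deliberately ignored here
    if not cookie_authenticated:
        return "reject (not logged in)"
    return "accept"


if __name__ == "__main__":
    tok = make_form_token("slackbuilds-users", "admin")
    print(handle_admin_post({"csrf_token": tok}, True, "slackbuilds-users", "admin"))
    print(handle_admin_post({}, True, "slackbuilds-users", "admin"))
```

The ordering in handle_admin_post is the point of the NEWS item: a forged cross-site form arrives with the victim's cookie attached, so the cookie must not be trusted until the token has proved the request originated from a page the server itself rendered within the last FORM_LIFETIME seconds.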
