On Saturday, March 02, 2013 11:08:37 PM Robby Workman wrote:
> On Wed, 27 Feb 2013 08:31:56 +0000
>
> Badoo <[email protected]> wrote:
>
> Snipped Badoo spam...
>
> Sorry to everyone for this getting through to the list. To
> be honest, I still don't know how that happened, but I'll give
> a summary here of what I do know. There were four messages
> sent around the same time from the same @badoo.com address:
> the first one was accepted while the other three were held
> for moderation. The Reply-to header contained the name of a
> list subscriber (Iskar Enev), and while I do *not* think that
> user had anything to do with this, I *do* think it's possible
> that Mailman was "tricked" into accepting the mail because of
> that header. I have not looked into Mailman's code, however.
>
> Now, I know the old adage about "never attribute to malice that
> which can be explained by incompetence," but I'm not sure about
> this one. See, several months ago, this list got *many* messages
> sent to it from LinkedIn, as if [email protected]
> had signed up for a LinkedIn profile, and apparently our name was
> Ivan. You never saw any of those messages because they were held
> for moderation (and so I deleted them). I eventually got tired
> of deleting them, so I went to LinkedIn's site, tried to sign in
> as "Ivan" (using this list's address), told it I had forgotten
> my password (which sent a reset link to the list address, which
> I viewed and later deleted), and then I changed the password and
> deleted the profile - problem solved.
>
> Well... guess what? This "Ivan" had also created a profile at
> Badoo using the list address. I have no idea how that is even
> possible - it seems to me that the confirmation mail would never
> be received (after all, it's held for moderation, and besides,
> I never saw one sent to the list address), but somehow, that's
> what's happening, I guess. I don't know if this "Ivan" is that
> much of a dumbass or if there's some spambot that's doing it or
> if maybe something else is going on. Anyway, the Badoo profile
> has also been deleted now, so maybe "Ivan" will leave us alone.
> We'll see.
>
> In the meantime, I've upgraded our Mailman installation to 2.1.15,
> and the NEWS mentions a few security-related bugfixes:
> - Strengthened the validation of email addresses.
> - An XSS vulnerability, CVE-2011-0707, has been fixed.
> - The web admin interface has been hardened against CSRF attacks
> by adding a hidden, encrypted token with a time stamp to form
> submissions and not accepting authentication by cookie if the
> token is missing, invalid or older than the new mm_cfg.py
> setting FORM_LIFETIME which defaults to one hour. Posthumous
> thanks go to Tokio Kikuchi for this implementation which is
> only one of his many contributions to Mailman prior to his
> death from cancer on 14 January 2012.
>
> -RW

Thanks for the detailed report, Robby. It was both educational and informative, and - not that I had any doubt, but - it is reassuring to know that real people with working brains actually do bother monitoring the Slackbuild infrastructure.

-klaatu

_______________________________________________
SlackBuilds-users mailing list
[email protected]
http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
Archives - http://lists.slackbuilds.org/pipermail/slackbuilds-users/
FAQ - http://slackbuilds.org/faq/
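The CSRF hardening that Robby quotes from the Mailman 2.1.15 NEWS (a hidden, time-stamped token on every admin form submission, rejected when it is missing, invalid or older than FORM_LIFETIME, with the session cookie alone no longer sufficient) is sketched below in Python. This is an added illustration, not Mailman's own code: it binds the token to the timestamp and the admin identity with an HMAC rather than encrypting it, and the secret, the 60-second clock-skew allowance and the names make_token, check_token and authorize are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed secret for this example only; a real deployment keeps it in
# configuration and rotates it.
SECRET_KEY = os.urandom(32)
FORM_LIFETIME = 3600  # seconds; mirrors the one-hour default quoted above
CLOCK_SKEW = 60       # assumption: tolerate small clock differences


def make_token(secret, user, now=None):
    """Build a hidden form token: '<timestamp>:<hmac over timestamp and user>'."""
    ts = int(now if now is not None else time.time())
    msg = f"{ts}:{user}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_token(secret, user, token, now=None, lifetime=FORM_LIFETIME):
    """Validate a submitted token. Returns (ok, reason) where reason is one of
    'ok', 'missing', 'invalid' or 'expired', matching the three rejection
    cases named in the NEWS entry."""
    if not token:
        return False, "missing"
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False, "invalid"
    expected = hmac.new(secret, f"{ts}:{user}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check does not leak timing.
    if not hmac.compare_digest(mac, expected):
        return False, "invalid"
    current = int(now if now is not None else time.time())
    if ts > current + CLOCK_SKEW:
        # A token dated in the future was not issued by this server.
        return False, "invalid"
    if current - ts > lifetime:
        return False, "expired"
    return True, "ok"


def authorize(secret, user, cookie_ok, token, now=None):
    """The rule from the NEWS entry: a valid admin cookie by itself is no
    longer accepted; the form must also carry a fresh, valid token."""
    if not cookie_ok:
        return False
    ok, _reason = check_token(secret, user, token, now)
    return ok


if __name__ == "__main__":
    issued = make_token(SECRET_KEY, "admin")
    print("fresh token accepted:", authorize(SECRET_KEY, "admin", True, issued))
    print("cookie without token:", authorize(SECRET_KEY, "admin", True, ""))
```

A forged cross-site request can carry the victim's cookie but cannot read a token that was embedded in a page the attacker never saw, so the missing or unverifiable token is what defeats the request; the lifetime bounds how long a leaked token stays useful.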
