[Slackbuilds-users] ★ Slackbuilds Users, Mark left a message for you...
Klaatu
klaatu at straightedgelinux.com
Mon Mar 4 14:53:45 UTC 2013
On Saturday, March 02, 2013 11:08:37 PM Robby Workman wrote:
> On Wed, 27 Feb 2013 08:31:56 +0000
>
> Badoo <noreply+45740624 at badoo.com> wrote:
> > Snipped Badoo spam...
>
> Sorry to everyone for this getting through to the list. To
> be honest, I still don't know how that happened, but I'll give
> a summary here of what I do know. There were four messages
> sent around the same time from the same @badoo.com address:
> the first one was accepted while the other three were held
> for moderation. The Reply-to header contained the name of a
> list subscriber (Iskar Enev), and while I do *not* think that
> user had anything to do with this, I *do* think it's possible
> that Mailman was "tricked" into accepting the mail because of
> that header. I have not looked into Mailman's code, however.
>
> Now, I know the old adage about "never attribute to malice that
> which can be explained by incompetence," but I'm not sure about
> this one. See, several months ago, this list got *many* messages
> sent to it from LinkedIn, as if slackbuilds-users at slackbuilds.org
> had signed up for a LinkedIn profile, and apparently our name was
> Ivan. You never saw any of those messages because they were held
> for moderation (and so I deleted them). I eventually got tired
> of deleting them, so I went to LinkedIn's site, tried to sign in
> as "Ivan" (using this list's address), told it I had forgotten
> my password (which sent a reset link to the list address, which
> I viewed and later deleted), and then I changed the password and
> deleted the profile - problem solved.
>
> Well... guess what? This "Ivan" had also created a profile at
> Badoo using the list address. I have no idea how that is even
> possible - it seems to me that the confirmation mail would never
> be received (after all, it's held for moderation, and besides,
> I never saw one sent to the list address), but somehow, that's
> what's happening, I guess. I don't know if this "Ivan" is that
> much of a dumbass or if there's some spambot that's doing it or
> if maybe something else is going on. Anyway, the Badoo profile
> has also been deleted now, so maybe "Ivan" will leave us alone.
> We'll see.
>
> In the meantime, I've upgraded our Mailman installation to 2.1.15,
> and the NEWS mentions a few security-related bugfixes:
> - Strengthened the validation of email addresses.
> - An XSS vulnerability, CVE-2011-0707, has been fixed.
> - The web admin interface has been hardened against CSRF attacks
> by adding a hidden, encrypted token with a time stamp to form
> submissions and not accepting authentication by cookie if the
> token is missing, invalid or older than the new mm_cfg.py
> setting FORM_LIFETIME which defaults to one hour. Posthumous
> thanks go to Tokio Kikuchi for this implementation which is
> only one of his many contributions to Mailman prior to his
> death from cancer on 14 January 2012.
>
> -RW
Thanks for the detailed report, Robby. It was both educational and
informative, and - not that I had any doubt, but - it is reassuring to know
that real people with working brains actually do bother monitoring the
SlackBuilds infrastructure.
-klaatu