[Slackbuilds-users] ★ Slackbuilds Users, Mark left a message for you...

Robby Workman rworkman at slackbuilds.org
Sun Mar 3 05:08:37 UTC 2013

On Wed, 27 Feb 2013 08:31:56 +0000
Badoo <noreply+45740624 at badoo.com> wrote:

> Snipped Badoo spam...

Sorry to everyone for this getting through to the list.  To
be honest, I still don't know how that happened, but I'll give
a summary here of what I do know.  There were four messages 
sent around the same time from the same @badoo.com address:
the first one was accepted while the other three were held
for moderation.  The Reply-to header contained the name of a
list subscriber (Iskar Enev), and while I do *not* think that
user had anything to do with this, I *do* think it's possible
that Mailman was "tricked" into accepting the mail because of
that header.  I have not looked into Mailman's code, however.

Now, I know the old adage about "never attribute to malice that
which can be explained by incompetence," but I'm not sure about
this one.  See, several months ago, this list got *many* messages
sent to it from LinkedIn, as if slackbuilds-users at slackbuilds.org
had signed up for a LinkedIn profile, and apparently our name was
Ivan.  You never saw any of those messages because they were held
for moderation (and so I deleted them).  I eventually got tired 
of deleting them, so I went to LinkedIn's site, tried to sign in
as "Ivan" (using this list's address), told it I had forgotten
my password (which sent a reset link to the list address, which
I viewed and later deleted), and then I changed the password and
deleted the profile - problem solved.

Well...  guess what?  This "Ivan" had also created a profile at
Badoo using the list address.  I have no idea how that is even
possible - it seems to me that the confirmation mail would never
be received (after all, it's held for moderation, and besides,
I never saw one sent to the list address), but somehow, that's
what's happening, I guess.  I don't know if this "Ivan" is that
much of a dumbass or if there's some spambot that's doing it or
if maybe something else is going on.   Anyway, the Badoo profile
has also been deleted now, so maybe "Ivan" will leave us alone.
We'll see.

In the meantime, I've upgraded our Mailman installation to 2.1.15,
and the NEWS mentions a few security-related bugfixes:
  - Strengthened the validation of email addresses.
  - An XSS vulnerability, CVE-2011-0707, has been fixed.
  - The web admin interface has been hardened against CSRF attacks
    by adding a hidden, encrypted token with a time stamp to form 
    submissions and not accepting authentication by cookie if the 
    token is missing, invalid or older than the new mm_cfg.py 
    setting FORM_LIFETIME which defaults to one hour.  Posthumous 
    thanks go to Tokio Kikuchi for this implementation which is 
    only one of his many contributions to Mailman prior to his 
    death from cancer on 14 January 2012.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20130302/ab088633/attachment.asc>

More information about the SlackBuilds-users mailing list