[Slackbuilds-users] ★ Slackbuilds Users, Mark left a message for you...

Klaatu klaatu at straightedgelinux.com
Mon Mar 4 14:53:45 UTC 2013 

On Saturday, March 02, 2013 11:08:37 PM Robby Workman wrote:
> On Wed, 27 Feb 2013 08:31:56 +0000
> 
> Badoo <noreply+45740624 at badoo.com> wrote:
> > Snipped Badoo spam...
> 
> Sorry to everyone for this getting through to the list.  To
> be honest, I still don't know how that happened, but I'll give
> a summary here of what I do know.  There were four messages
> sent around the same time from the same @badoo.com address:
> the first one was accepted while the other three were held
> for moderation.  The Reply-to header contained the name of a
> list subscriber (Iskar Enev), and while I do *not* think that
> user had anything to do with this, I *do* think it's possible
> that Mailman was "tricked" into accepting the mail because of
> that header.  I have not looked into Mailman's code, however.
> 
> Now, I know the old adage about "never attribute to malice that
> which can be explained by incompetence," but I'm not sure about
> this one.  See, several months ago, this list got *many* messages
> sent to it from LinkedIn, as if slackbuilds-users at slackbuilds.org
> had signed up for a LinkedIn profile, and apparently our name was
> Ivan.  You never saw any of those messages because they were held
> for moderation (and so I deleted them).  I eventually got tired
> of deleting them, so I went to LinkedIn's site, tried to sign in
> as "Ivan" (using this list's address), told it I had forgotten
> my password (which sent a reset link to the list address, which
> I viewed and later deleted), and then I changed the password and
> deleted the profile - problem solved.
> 
> Well...  guess what?  This "Ivan" had also created a profile at
> Badoo using the list address.  I have no idea how that is even
> possible - it seems to me that the confirmation mail would never
> be received (after all, it's held for moderation, and besides,
> I never saw one sent to the list address), but somehow, that's
> what's happening, I guess.  I don't know if this "Ivan" is that
> much of a dumbass or if there's some spambot that's doing it or
> if maybe something else is going on.   Anyway, the Badoo profile
> has also been deleted now, so maybe "Ivan" will leave us alone.
> We'll see.
> 
> In the meantime, I've upgraded our Mailman installation to 2.1.15,
> and the NEWS mentions a few security-related bugfixes:
>   - Strengthened the validation of email addresses.
>   - An XSS vulnerability, CVE-2011-0707, has been fixed.
>   - The web admin interface has been hardened against CSRF attacks
>     by adding a hidden, encrypted token with a time stamp to form
>     submissions and not accepting authentication by cookie if the
>     token is missing, invalid or older than the new mm_cfg.py
>     setting FORM_LIFETIME which defaults to one hour.  Posthumous
>     thanks go to Tokio Kikuchi for this implementation which is
>     only one of his many contributions to Mailman prior to his
>     death from cancer on 14 January 2012.
> 
> -RW

Thanks for the detailed report, Robby. It was both educational and 
informative, and - not that I had any doubt, but - it is re-assuring to know 
that real people with working brains actually do bother monitoring the 
Slackbuild infrastructure.

-klaatu

More information about the SlackBuilds-users mailing list