Mailing lists must reject emails that claim to be from teams.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
Critical
|
Ian Booth |
Bug Description
The message is a forgery. We cannot disable the team, nor do we want to. The underling issue is a bad isLaunchpadUser() check in the mailing list rules. The email address is indeed valid, but emails are sent by users, not groups of users. The fix will be to ensure the email address belongs to a user, not a team.
The message:
A launchpad list I moderate just received spam from the ~fenics-authors team. It seems like a legit team, with active members and an active mailing list.
Subject: "*.YOUR BLOOD WILL BOIL AGAIN!.*"
From: "Sildenafil.co.uk" <email address hidden> (fenics-authors)
Date: 2011-04-25 02:45:06+00:00
Message-ID: <email address hidden>
Cialis is an indication of true [...]
machohttp:
Related branches
- Steve Kowalik (community): Approve (code)
-
Diff: 31 lines (+6/-1)2 files modifiedlib/lp/registry/tests/test_mailinglistapi.py (+4/-0)
lib/lp/registry/xmlrpc/mailinglist.py (+2/-1)
tags: | added: chr mailing-lists |
Changed in launchpad: | |
status: | New → Triaged |
importance: | Undecided → Critical |
tags: | added: easy |
Changed in launchpad: | |
assignee: | nobody → Ian Booth (wallyworld) |
Changed in launchpad: | |
status: | Triaged → In Progress |
tags: |
added: qa-ok removed: qa-needstesting |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
Tangentially, and only low priority, it would be nice to 1- dkim-sign
outgoing lists.launchpad.net mail; 2- set a policy that all such mail
is signed; 3- bounce incoming dkim untrusted mail.