Mailing lists must reject emails that claim to be from teams.

Bug #770329 reported by Curtis Hovey
Affects: Launchpad itself | Status: Fix Released | Importance: Critical | Assigned to: Ian Booth | Milestone: (none)

Bug Description

The message is a forgery. We cannot disable the team, nor do we want to. The underlying issue is a bad isLaunchpadUser() check in the mailing list rules. The email address is indeed valid, but emails are sent by users, not groups of users. The fix will be to ensure the email address belongs to a user, not a team.

The message:
A launchpad list I moderate just received spam from the ~fenics-authors team. It seems like a legit team, with active members and an active mailing list.

Subject: "*.YOUR BLOOD WILL BOIL AGAIN!.*"
From: "Sildenafil.co.uk" <email address hidden> (fenics-authors)
Date: 2011-04-25 02:45:06+00:00
Message-ID: <email address hidden>

Cialis is an indication of true [...]
machohttp://enjxpills.ru/?zZ=4BjwxG4j
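The check described in the bug description, as an added illustration rather than Launchpad's own code: the flawed rule accepts any validated address, so a team's contact address passes, while the fixed rule also requires the owning account to be a person. The directory, addresses and record layout below are constructed for the example.

```python
from email.utils import parseaddr

# Constructed directory standing in for Launchpad's validated-address table.
# Each address maps to the account that registered it; teams may register a
# contact address too, which is what the forged message exploited.
DIRECTORY = {
    "alice@example.org": {"name": "alice", "is_team": False},
    "fenics-authors@example.org": {"name": "fenics-authors", "is_team": True},
}

def lookup(address):
    """Return the account record owning a validated address, or None."""
    return DIRECTORY.get(address.strip().lower())

def is_launchpad_user_flawed(address):
    # Bug: any validated address passes, including a team's contact address.
    return lookup(address) is not None

def is_launchpad_user_fixed(address):
    # Fix: the address must belong to a person; teams do not send mail.
    record = lookup(address)
    return record is not None and not record["is_team"]

def should_accept(from_header, check=is_launchpad_user_fixed):
    """Apply a sender check to the address inside an RFC 5322 From header.

    The display name is ignored on purpose: the spam carried an arbitrary
    display name in front of the team's real address.
    """
    _display, address = parseaddr(from_header)
    if not address:
        return False
    return check(address)

# Constructed headers in the shape of the messages from the report.
FORGED_FROM = '"Sildenafil.co.uk" <fenics-authors@example.org>'
MEMBER_FROM = "Alice <alice@example.org>"
UNKNOWN_FROM = "Nobody <nobody@example.net>"

if __name__ == "__main__":
    for label, hdr in (("forged", FORGED_FROM), ("member", MEMBER_FROM),
                       ("unknown", UNKNOWN_FROM)):
        print(label, "flawed:", should_accept(hdr, is_launchpad_user_flawed),
              "fixed:", should_accept(hdr))
```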


Curtis Hovey (sinzui)
tags: added: chr mailing-lists
Changed in launchpad:
status: New → Triaged
importance: Undecided → Critical
Curtis Hovey (sinzui)
tags: added: easy
Ian Booth (wallyworld)
Changed in launchpad:
assignee: nobody → Ian Booth (wallyworld)
Martin Pool (mbp) wrote : Re: [Bug 770329] Re: Mailing lists must reject emails that claim to be from teams.

Tangentially, and only low priority, it would be nice to 1- dkim-sign outgoing lists.launchpad.net mail; 2- set a policy that all such mail is signed; 3- bounce incoming dkim untrusted mail.

Ian Booth (wallyworld)
Changed in launchpad:
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Curtis Hovey (sinzui) wrote :

This cannot be tested until it is on staging.

Curtis Hovey (sinzui) wrote :

I have a script that I used to test emails. I often use it for mailing lists. SMTP tells me I cannot send messages to qastaging. Once the code is on staging, I will test this. This is the script I have used.

#!/usr/bin/python
"""Send a test email to a Launchpad mailing list to exercise its sender checks."""

__version__ = "0.1"

from email.mime.text import MIMEText
import smtplib
from textwrap import dedent

# config: placeholders for the SMTP relay and credentials of the target environment
smtp_server = 'xxxxxxxxxxxxxxxx'
smtp_user = 'yyyyyy'
smtp_pass = 'zzzzzzz'
to_addrs = ["<email address hidden>"]

def make_message():
    """Message from an address that is not a registered Launchpad user.

    The list should discard it.
    """
    text_msg = MIMEText(dedent("""\
        This message should be discarded since it is not from a registered
        lp user.
        """))
    text_msg['Subject'] = "Testing SSO email to list."
    text_msg['From'] = "<email address hidden>"
    text_msg['To'] = ', '.join(to_addrs)
    return text_msg

def make_list_message():
    """Message whose From header claims to be the list itself.

    The list should discard it.
    """
    text_msg = MIMEText("This message should be discarded.")
    text_msg['Subject'] = "Testing message claims to be from the list"
    text_msg['From'] = '<email address hidden>'
    text_msg['To'] = ', '.join(to_addrs)
    return text_msg

def send(msg):
    """Authenticate to the SMTP relay and hand over the message."""
    smtp = smtplib.SMTP(smtp_server)
    smtp.login(smtp_user, smtp_pass)
    smtp.sendmail(msg['From'], to_addrs, msg.as_string())
    smtp.quit()

def main():
    # Swap in make_message() to test the unregistered-sender case.
    message = make_list_message()
    send(message)

if __name__ == '__main__':
    main()

Curtis Hovey (sinzui)
tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released