Limao Luo 09-30-2012 07:00 PM

Random (?) out-of-date marking
 
My package mcobj [1] has repeatedly been marked out of date 580
times in 10 minutes, with 61 out-of-date marks per minute (picture for
proof [2]). Checking through the email, I saw that the user that was
doing this was named invented [3]. I'm not really sure what's going on,
particularly whether this is malicious or not. I have emailed invented,
and am posting this to try to get to the bottom of this. Has invented
(or have other users) done this before?


[1] https://aur.archlinux.org/packages.php?ID=49697
[2] http://i49.tinypic.com/8zh0sn.png
[3] https://aur.archlinux.org/account.php?Action=AccountInfo&ID=25347

Dave Reisner 09-30-2012 07:11 PM

On Sun, Sep 30, 2012 at 03:00:01PM -0400, Limao Luo wrote:
> My package mcobj [1] has repeatedly been marked out of date 580
> times in 10 minutes, with 61 out-of-date marks per minute (picture
> for proof [2]). Checking through the email, I saw that the user that
> was doing this was named invented [3]. I'm not really sure what's
> going on, particularly whether this is malicious or not. I have
> emailed invented, and am posting this to try to get to the bottom of
> this. Has invented (or have other users) done this before?
>
> [1] https://aur.archlinux.org/packages.php?ID=49697
> [2] http://i49.tinypic.com/8zh0sn.png
> [3] https://aur.archlinux.org/account.php?Action=AccountInfo&ID=25347

Well they're certainly doing something weird. I found an odd package of
their own with a large amount of spam on it, and a rather spammy name,
as well.

Seems that the AUR doesn't actually check to see if a package is out of
date before sending the email, meaning that you can just submit a dummy
form with the do_Flag action and get this lovely result.

I've already:

- suspended the account (not that it's very effective).
- deleted the suspicious package.

And I'll be filing a bug against the AUR.

Thanks for bringing this to our attention.

d

Lukas Jirkovsky 09-30-2012 07:56 PM

On 30 September 2012 21:11, Dave Reisner <d@falconindy.com> wrote:
> Well they're certainly doing something weird. I found an odd package of
> their own with a large amount of spam on it, and a rather spammy name,
> as well.

Given that the other package of this user seems to be perfectly OK, I
have a feeling that invented's account may have been hijacked.

On a related note, it may be good to add some time limit between
unflagging/flagging a package out of date. This would make the life of
notorious flaggers more difficult.

Have a nice day,
Lukas

Dave Reisner 09-30-2012 08:08 PM

On Sun, Sep 30, 2012 at 09:56:20PM +0200, Lukas Jirkovsky wrote:
> On 30 September 2012 21:11, Dave Reisner <d@falconindy.com> wrote:
> > Well they're certainly doing something weird. I found an odd package of
> > their own with a large amount of spam on it, and a rather spammy name,
> > as well.
>
> Given that the other package of this user seems to be perfectly OK, I
> have a feeling that invented's account may have been hijacked.
>
> On a related note, it may be good to add some time limit between
> unflagging/flagging a package out of date. This would make the life of
> notorious flaggers more difficult.
>
> Have a nice day,
> Lukas

There's little reason to hijack an account, particularly one with only 2
packages, when you create one with a phony email address (mailinator,
etc) and do whatever you want with it. I filed a bug report for what I
thought was the more obvious fix:

https://bugs.archlinux.org/task/31745

If you have someone trying to spam you with out of date messages, it's
at least rate limited by your own sense of apathy.

dave
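
The two mitigations raised in this thread (send the notification only when the out-of-date state actually changes, and enforce a time limit between unflagging and flagging), sketched as an added example that is not part of any post and is not AUR code. The class and method names, the 3600-second cooldown and the replayed burst are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    maintainer_email: str
    out_of_date: bool = False
    last_change: float = float("-inf")  # time of the last flag/unflag


@dataclass
class FlagService:
    """Hypothetical flag handler for illustration; not AUR code."""
    cooldown: float = 3600.0                    # assumed value, in seconds
    outbox: list = field(default_factory=list)  # stands in for outgoing mail

    def flag(self, pkg: Package, user: str, now: float) -> str:
        # Only a real state change may notify: a repeated flag request on an
        # already-flagged package is a no-op and sends nothing.
        if pkg.out_of_date:
            return "already-flagged"
        # Time limit between unflagging and flagging, so cycling the flag
        # cannot be used to produce one mail per cycle.
        if now - pkg.last_change < self.cooldown:
            return "cooldown"
        pkg.out_of_date, pkg.last_change = True, now
        self.outbox.append((pkg.maintainer_email, f"{pkg.name} flagged by {user}"))
        return "flagged"

    def unflag(self, pkg: Package, now: float) -> str:
        if not pkg.out_of_date:
            return "not-flagged"
        pkg.out_of_date, pkg.last_change = False, now
        return "unflagged"


def replay(requests: int = 580) -> int:
    """Constructed burst: flag requests 1 s apart, then an unflag/flag cycle."""
    svc = FlagService()
    pkg = Package("mcobj", "maintainer@example.invalid")
    for t in range(requests):
        svc.flag(pkg, "constructed-user", float(t))
    svc.unflag(pkg, float(requests))
    svc.flag(pkg, "constructed-user", float(requests))  # refused: inside cooldown
    return len(svc.outbox)  # mails queued for the maintainer
```

With both checks in place the replayed burst queues a single mail instead of one per request.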

