09-30-2012, 07:00 PM
Limao Luo

Random (?) out-of-date marking

My package mcobj [1] has repeatedly been marked out of date 580
times in 10 minutes, with 61 out-of-date marks per minute (picture for
proof [2]). Checking through the email, I saw that the user that was
doing this was named invented [3]. I'm not really sure what's going on,
particularly whether this is malicious or not. I have emailed invented,
and am posting this to try to get to the bottom of this. Has invented
(or have other users) done this before?


[1] https://aur.archlinux.org/packages.php?ID=49697
[2] http://i49.tinypic.com/8zh0sn.png
[3] https://aur.archlinux.org/account.php?Action=AccountInfo&ID=25347
 
09-30-2012, 07:11 PM
Dave Reisner

Random (?) out-of-date marking

On Sun, Sep 30, 2012 at 03:00:01PM -0400, Limao Luo wrote:
> My package mcobj [1] has repeatedly been marked out of date 580
> times in 10 minutes, with 61 out-of-date marks per minute (picture
> for proof [2]). Checking through the email, I saw that the user that
> was doing this was named invented [3]. I'm not really sure what's
> going on, particularly whether this is malicious or not. I have
> emailed invented, and am posting this to try to get to the bottom of
> this. Has invented (or have other users) done this before?
>
> [1] https://aur.archlinux.org/packages.php?ID=49697
> [2] http://i49.tinypic.com/8zh0sn.png
> [3] https://aur.archlinux.org/account.php?Action=AccountInfo&ID=25347

Well they're certainly doing something weird. I found an odd package of
their own with a large amount of spam on it, and a rather spammy name,
as well.

Seems that the AUR doesn't actually check to see if a package is out of
date before sending the email, meaning that you can just submit a dummy
form with the do_Flag action and get this lovely result.

I've already:

- suspended the account (not that it's very effective).
- deleted the suspicious package.

And I'll be filing a bug against the AUR.

Thanks for bringing this to our attention.

d
 
09-30-2012, 07:56 PM
Lukas Jirkovsky

Random (?) out-of-date marking

On 30 September 2012 21:11, Dave Reisner <d@falconindy.com> wrote:
> Well they're certainly doing something weird. I found an odd package of
> their own with a large amount of spam on it, and a rather spammy name,
> as well.

Given that the other package of this user seems to be perfectly OK, I
have a feeling that invented's account may have been hijacked.

On a related note, it may be good to add some time limit between
unflagging/flagging a package out of date. This would make the life of
notorious flaggers more difficult.

Have a nice day,
Lukas
 
09-30-2012, 08:08 PM
Dave Reisner

Random (?) out-of-date marking

On Sun, Sep 30, 2012 at 09:56:20PM +0200, Lukas Jirkovsky wrote:
> On 30 September 2012 21:11, Dave Reisner <d@falconindy.com> wrote:
> > Well they're certainly doing something weird. I found an odd package of
> > their own with a large amount of spam on it, and a rather spammy name,
> > as well.
>
> Given that the other package of this user seems to be perfectly OK, I
> have a feeling that invented's account may have been hijacked.
>
> On a related note, it may be good to add some time limit between
> unflagging/flagging a package out of date. This would make the life of
> notorious flaggers more difficult.
>
> Have a nice day,
> Lukas

There's little reason to hijack an account, particularly one with only 2
packages, when you can create one with a phony email address (mailinator,
etc) and do whatever you want with it. I filed a bug report for what I
thought was the more obvious fix:

https://bugs.archlinux.org/task/31745

If you have someone trying to spam you with out of date messages, it's
at least rate limited by your own sense of apathy.

dave
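
Added example, not part of the thread and not AUR code: a minimal Python sketch of the two mitigations discussed above, sending the out-of-date notification only when a package's state actually changes (the gap Dave describes) and enforcing a delay between unflagging and re-flagging (Lukas's suggestion). The `FlagService` class, its method names, the sample ids, and the one-hour cooldown are assumptions made for illustration.

```python
import time

FLAG_COOLDOWN_SECONDS = 3600  # assumed value; the thread proposes no number


class FlagService:
    """Hypothetical in-memory stand-in for a package database plus mailer."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.flagged = {}      # package id -> True while marked out of date
        self.last_change = {}  # package id -> time of the last flag/unflag
        self.outbox = []       # (package id, reporter) notifications "sent"

    def flag(self, pkg_id, reporter):
        """Mark pkg_id out of date; notify only on a real state change."""
        if self.flagged.get(pkg_id):
            return "already-flagged"  # replayed form: no change, no mail
        if self._cooling_down(pkg_id):
            return "cooldown"         # blocks rapid unflag/flag cycling
        self.flagged[pkg_id] = True
        self.last_change[pkg_id] = self.clock()
        self.outbox.append((pkg_id, reporter))
        return "flagged"

    def unflag(self, pkg_id):
        """Clear the flag; starts the cooldown before it can be set again."""
        if not self.flagged.get(pkg_id):
            return "not-flagged"
        self.flagged[pkg_id] = False
        self.last_change[pkg_id] = self.clock()
        return "unflagged"

    def _cooling_down(self, pkg_id):
        last = self.last_change.get(pkg_id)
        return last is not None and self.clock() - last < FLAG_COOLDOWN_SECONDS


def replay(n_requests, pkg_id=1, reporter="constructed-user"):
    """Submit the same flag request n times; return notifications sent."""
    svc = FlagService()
    for _ in range(n_requests):
        svc.flag(pkg_id, reporter)
    return len(svc.outbox)
```

With this check in place, the 580 repeated submissions from the first post would produce one notification; in a real deployment the check and the state update would need to happen in a single database transaction so concurrent requests cannot both pass it.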
 
