[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]

On Mon, 2015-01-19 at 16:57 -0500, Michael Gilbert wrote:
> Isn't the spam vector already wide open for
> nnnnnn-subscribe@bugs.debian.org, which isn't much (ab)used today?
> I fail to see how any of the discussed changes open an abuse vector
> that doesn't already exist.

OK, so let me help you see.

The vector you are pointing to doesn't exist.  You can _not_ subscribe
to a bug by sending email to nnnn-subscribe@bugs.debian.org.  You
subscribe to a bug by sending an email to an address that looks like


I presume this "invite" address is unforgeable (because Ian Jackson's
expertise is in crypto, and he said earlier he designed the system).

Sending an email to nnnn-subscribe@bugs.debian.org just asks the system
to send an invite containing such an address to someone.  I'm not sure
what email address gets the invite - it could be the envelope MAIL FROM,
or the Reply-To, or the From.  But really "who" doesn't matter.  All the
matters is the only a person controlling an email address is able to
subscribe it to a bug, not some random noob.

For what it's worth, the invitation contains full text of the
subscription request, including all the RFC5322 headers.  If it was
someone doing something unpleasant it gives you some hope of tracking
them down, or blocking them.

In other words the current system contains robust defences against such
an attack.  All I (and I presume Ben) are saying is removing those
defences is not a good idea, given it's easy enough to design a system
that keeps them.  Currently most of the auto subscription proposals
appearing here do remove them.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: