[aur-general] Random (?) out-of-date marking
My package mcobj [1] has repeatedly been marked out of date 580 times in 10 minutes, with 61 out-of-date marks per minute (picture for proof [2]). Checking through the email, I saw that the user that was doing this was named invented [3]. I'm not really sure what's going on, particularly whether this is malicious or not. I have emailed invented, and am posting this to try to get to the bottom of this. Has invented (or have other users) done this before?

[1] https://aur.archlinux.org/packages.php?ID=49697
[2] http://i49.tinypic.com/8zh0sn.png
[3] https://aur.archlinux.org/account.php?Action=AccountInfo&ID=25347
On Sun, Sep 30, 2012 at 03:00:01PM -0400, Limao Luo wrote:
> My package mcobj [1] has repeatedly been marked out of date 580 times in 10 minutes, with 61 out-of-date marks per minute (picture for proof [2]). Checking through the email, I saw that the user that was doing this was named invented [3]. I'm not really sure what's going on, particularly whether this is malicious or not. I have emailed invented, and am posting this to try to get to the bottom of this. Has invented (or have other users) done this before?
>
> [1] https://aur.archlinux.org/packages.php?ID=49697
> [2] http://i49.tinypic.com/8zh0sn.png
> [3] https://aur.archlinux.org/account.php?Action=AccountInfo&ID=25347
Well they're certainly doing something weird. I found an odd package of their own with a large amount of spam on it, and a rather spammy name, as well.

Seems that the AUR doesn't actually check to see if a package is out of date before sending the email, meaning that you can just submit a dummy form with the do_Flag action and get this lovely result. I've already:

- suspended the account (not that it's very effective).
- deleted the suspicious package.

And I'll be filing a bug against the AUR. Thanks for bringing this to our attention.

d
On 30 September 2012 21:11, Dave Reisner <d@falconindy.com> wrote:
> Well they're certainly doing something weird. I found an odd package of their own with a large amount of spam on it, and a rather spammy name, as well.
Given that the other package of this user seems to be perfectly OK, I have a feeling that invented's account may have been hijacked.

On a related note, it may be good to add some time limit between unflagging/flagging a package out of date. This would make the life of notorious flaggers more difficult.

Have a nice day,
Lukas
On Sun, Sep 30, 2012 at 09:56:20PM +0200, Lukas Jirkovsky wrote:
> On 30 September 2012 21:11, Dave Reisner <d@falconindy.com> wrote:
>> Well they're certainly doing something weird. I found an odd package of their own with a large amount of spam on it, and a rather spammy name, as well.
>
> Given that the other package of this user seems to be perfectly OK, I have a feeling that invented's account may have been hijacked.
>
> On a related note, it may be good to add some time limit between unflagging/flagging a package out of date. This would make the life of notorious flaggers more difficult.
>
> Have a nice day,
> Lukas
There's little reason to hijack an account, particularly one with only 2 packages, when you create one with a phony email address (mailinator, etc) and do whatever you want with it.

I filed a bug report for what I thought was the more obvious fix: https://bugs.archlinux.org/task/31745

If you have someone trying to spam you with out of date messages, it's at least rate limited by your own sense of apathy.

dave
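
A minimal model of the two mitigations raised in this thread (checking the flag state before sending mail, and a time limit between unflagging and flagging), added here as an illustration. It is not AUR code; the class, method names, return strings and cooldown value are all assumptions.

```python
# Added illustration: a simplified in-memory model, not AUR source code.
# FlagService, its methods and the cooldown value are hypothetical.
import time


class FlagService:
    def __init__(self, cooldown=3600, clock=time.monotonic):
        self.out_of_date = {}     # package -> currently flagged?
        self.last_change = {}     # package -> time of last flag/unflag
        self.cooldown = cooldown  # seconds required between state changes
        self.clock = clock
        self.sent = []            # stands in for the outgoing mail queue

    def _notify(self, maintainer, package, flagger):
        self.sent.append((maintainer, package, flagger))

    def _cooldown_ok(self, package):
        last = self.last_change.get(package)
        return last is None or self.clock() - last >= self.cooldown

    def flag_naive(self, package, maintainer, flagger):
        """Behaviour described in the thread: every request sends mail."""
        self.out_of_date[package] = True
        self._notify(maintainer, package, flagger)

    def flag_checked(self, package, maintainer, flagger):
        """Send mail only on a real not-flagged -> flagged transition."""
        if self.out_of_date.get(package, False):
            return "already-flagged"   # repeated request: no mail
        if not self._cooldown_ok(package):
            return "cooldown"          # blocks rapid unflag/flag cycling
        self.out_of_date[package] = True
        self.last_change[package] = self.clock()
        self._notify(maintainer, package, flagger)
        return "flagged"

    def unflag(self, package):
        if not self.out_of_date.get(package, False):
            return "not-flagged"
        self.out_of_date[package] = False
        self.last_change[package] = self.clock()
        return "unflagged"


if __name__ == "__main__":
    svc = FlagService()
    # Constructed replay: the same flag request submitted 580 times.
    results = [svc.flag_checked("mcobj", "maintainer", "flagger") for _ in range(580)]
    print(results.count("flagged"), "mail(s) sent for", len(results), "requests")
```

The state check alone stops repeated submissions of the same flag; the cooldown covers the case where the flag is cleared and set again in a loop.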
participants (3)
- Dave Reisner
- Limao Luo
- Lukas Jirkovsky