In the last few days, I have received two email messages from pidgeon.gentoo.org [69.77.167.62] on the gentoo-hardened list with the faked sender <adwords-noreply@google.com>. The email contains a link to a probably malicious website. Since all email addresses subscribing to gentoo lists have to be confirmed before activation, this indicates either a malconfiguration of the gentoo-hardened lists or a compromise of the list server. Please fix in either case. Please

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Reassigning to Infra.
You're on crack and overreacting. It is not a compromise nor misconfiguration. It's called spam. Lots of lists can be easily spammed by having the spammer send mail to an auto-responder, forging both the subscription address AND the list itself (two separate mails).

1. Spammer mails $LIST-subscribe, forging the envelope "MAIL FROM: $AUTORESPONDER" AND the From header.
2. List sends a confirmation to the auto-responder.
3. Autoresponder returns the original confirmation mail inline, now subscribing itself to the list.
4. Spammer mails $LIST, doing the same forging as before, and the mail is delivered to the entire list.

In any case, you're way too slow. I unsubscribed and blacklisted that auto-responder when it was reported to me yesterday.
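The weak link in the sequence above is step 3: the list accepts a confirmation that no human ever sent. An added example (not Gentoo's or any list manager's code) of a list-side check that refuses confirmations carrying the RFC 3834 and de-facto auto-responder markers; the addresses, list name and token are constructed:

```python
import email
from email import policy

# Signals that a message was produced by software, not a person: the RFC 3834
# Auto-Submitted header, legacy Precedence values used by auto-replies, vendor
# auto-reply headers, and the null envelope sender RFC 3834 requires of
# automatic responses (the receiving MTA records it as Return-Path).
AUTO_PRECEDENCE = {"bulk", "junk", "auto_reply"}
AUTO_HEADERS = ("X-Autoreply", "X-Autorespond", "X-Auto-Response-Suppress")

def auto_response_reason(raw: bytes):
    """Return a string saying why the message looks auto-generated, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auto = (msg.get("Auto-Submitted") or "").split(";")[0].strip().lower()
    if auto and auto != "no":
        return f"Auto-Submitted: {auto}"
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in AUTO_PRECEDENCE:
        return f"Precedence: {prec}"
    for h in AUTO_HEADERS:
        if h in msg:
            return f"{h} present"
    if (msg.get("Return-Path") or "").strip() == "<>":
        return "null envelope sender"
    return None

def accept_confirmation(raw: bytes, token: str) -> bool:
    """Accept a subscription confirmation only if it echoes the expected
    token AND shows no sign of coming from an auto-responder."""
    if auto_response_reason(raw) is not None:
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return token in text or token in (msg.get("Subject") or "")

# Constructed samples (hypothetical addresses, list name and token).
TOKEN = "confirm-7f3a9c"
HUMAN_REPLY = b"""Return-Path: <alice@example.org>
From: alice@example.org
To: list-confirm+confirm-7f3a9c@lists.example.org
Subject: Re: Please confirm your subscription

confirm-7f3a9c
"""
AUTORESPONDER_REPLY = b"""Return-Path: <>
From: noreply@example.com
To: list-confirm+confirm-7f3a9c@lists.example.org
Subject: Out of office: Please confirm your subscription
Auto-Submitted: auto-replied
Precedence: bulk

I am away. Your message follows:
> Reply with the token confirm-7f3a9c to subscribe.
"""
```

Blacklisting one auto-responder, as done above, stops that one sender; the header check refuses the whole class of echoed confirmations regardless of address.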