https://bugzilla.wikimedia.org/show_bug.cgi?id=48786
--- Comment #17 from Krinkle <[email protected]> ---

(In reply to Casey Brown from comment #12)
> (In reply to comment #11)
> > Depending on what box the email is being sent from it may even match SPF ...
> > since I know some of our boxes are on the SPF records.
> >
> > Most of the options described in this ticket would actually break the whole
> > list (it wouldn't get New Wiki emails from either the cluster OR labs). If we
> > can find a good way to fix this just in mailman 'great' (though I haven't seen
> > an obvious way yet to do so from my brief poking around). It seems the most
> > likely angle of attack will be the script.
>
> This. ^
>
> I don't think there's really anything we can do from the mailman angle to
> fix this. The script's really the only way to change this. That being said
> though -- are we sure it's really a problem that labs project creations get
> sent to the list? How often does that happen / will it happen? If it's
> something that happens infrequently, it probably doesn't matter if the list
> gets notifications.

However then what's keeping any old tool labs project from creating wikis within their project (e.g. not "<enwiki>.beta.wmflabs.org", but "whatever.wmflabs.org/<wiki-[001-999]>") and for fun also spam this list?

I'm pretty sure something somewhere already ensures that you can't just imitate someone @wikimedia.org from outside production (e.g. my home computer) and successfully post to a members-only list like mediawiki-announce. So why is beta able to imitate [email protected] and end up on newprojects-l?

This looks like a security problem.
