Hello, Am 04.10.2013 17:12, schrieb Marc A. Pelletier: I got no mail, but MediaWiki logged me out and forced me to change my password (so I guess that I’m affected). Sincerely, DaB.

On 10/04/2013 12:15 PM, DaB. wrote: Well, the email was indeed sent to you: 2013-10-03 06:57:40 1VRcqy-0000fo-78 => dab.(a)gmx.de <DaB.(a)gmx.de> R=wiki_mail T=remote_smtp S=3309 H=wiki-mail.wikimedia.org [208.80.152.133] C="250 OK id=1VRcqy-00086y-Gf" DT=0s 2013-10-03 06:57:40 1VRcqy-0000fo-78 Completed so I guess it ended up in your spam trap or something? -- Marc

On 10/04/2013 04:59 PM, K. Peachey wrote: I have, and it was a goof. This is a known email for DaB, and one which is attached to his public PGP key, so it didn't flag any warnings in my head despite how the association was made. DaB; please accept my apologies if that bugged you -- my intent was obviously to help you debug the issue you had. -- Marc

On 10/04/2013 05:34 PM, DaB. wrote: Your second question is easy: the mail was sent to the email address associated with the exposed account. I expect you have that email address still on the project that was on the list, so this is where the email was sent. For your first question: we would notice mail being rejected by the MTA, but not a bounce that came in after the fact. gmx.de did accept the mail for delivery, but sent a bounce asynchronously. Since the from: of the email points to OTRS, and OTRS rejects bounces to avoid starting bounce loops, it got lost. Sadly, we were under severe time pressure to warn as many users as possible as quickly as possible, and it was not practical to construct a mail system that was robust enough to handle edge cases. Since there was a second layer of protection (ending sessions and forcing password changes) that would come into play even for editors that had invalid or no email set, this was viewed as the right compromise to avoid delaying warning users by days. It's of course preferable if editors get the email before they wonder why their session timed out (because, as you yourself experienced, it's a little confusing to end up being forced to change your password without warning) -- but safeguarding the security of users quickly has priority. -- Marc