What is mandrillapp?


#1

I just signed up to this forum as I usually reside in the Yahoo group. But in my activation link I got a warning that the link could be a scam, and indeed the words say
https://forum.kicad.info/users/activate-account/4151f7f8e173370dd62c8a08264d5805, but the link is something entirely different:

http://mandrillapp.com/track/click/30243700/forum.kicad.info?p=eyJzIjoiQnV4WW4yeTZINjluNkkyQnRBaGV1UEpHMFRVIiwidiI6MSwicCI6IntcInVcIjozMDI0MzcwMCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2ZvcnVtLmtpY2FkLmluZm9cXFwvdXNlcnNcXFwvYWN0aXZhdGUtYWNjb3VudFxcXC80MTUxZjdmOGUxNzMzNzBkZDYyYzhhMDgyNjRkNTgwNVwiLFwiaWRcIjpcIjUzNmIwZWQ0NDQ1NTRlODI4YmVkNTgyOTZhNzdmNTNkXCIsXCJ1cmxfaWRzXCI6W1wiYTVjNzM2OGZjY2VjODQyN2M1ZTVjODRmNjE3OTdiZjBkOGNmMjkwZlwiXX0ifQ

I do not like these masquerading things. What's happening?

Oh, and to be on topic: I'm a regular user of the daily builds on Ubuntu 14.04, doing stuff with SMD up to 0402 and QFN so I can make my own prototypes.


#2

I tested your link and used Wireshark to analyze it.
It does not seem dangerous to me. It is just a forwarder, it seems.
(It would be better, though, if the link were correctly spelled out.)

The HTTP stream data:
My browser to the server:
GET /track/click/30243700/forum.kicad.info?p=eyJzIjoiQnV4WW4yeTZINjluNkkyQnRBaGV1UEpHMFRVIiwidiI6MSwicCI6IntcInVcIjozMDI0MzcwMCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2ZvcnVtLmtpY2FkLmluZm9cXFwvdXNlcnNcXFwvYWN0aXZhdGUtYWNjb3VudFxcXC80MTUxZjdmOGUxNzMzNzBkZDYyYzhhMDgyNjRkNTgwNVwiLFwiaWRcIjpcIjUzNmIwZWQ0NDQ1NTRlODI4YmVkNTgyOTZhNzdmNTNkXCIsXCJ1cmxfaWRzXCI6W1wiYTVjNzM2OGZjY2VjODQyN2M1ZTVjODRmNjE3OTdiZjBkOGNmMjkwZlwiXX0ifQ HTTP/1.1
Host: mandrillapp.com
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Server answer:
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.8.0
Date: Mon, 27 Mar 2017 19:02:34 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Set-Cookie: PHPSESSID=7523f19807079abea13a29d7c98b3683; expires=Tue, 28-Mar-2017 05:02:34 GMT; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=7523f19807079abea13a29d7c98b3683; expires=Tue, 28-Mar-2017 05:02:34 GMT; path=/; secure; httponly
Location: https://forum.kicad.info/users/activate-account/4151f7f8e173370dd62c8a08264d5805
Content-Encoding: gzip
Vary: Accept-Encoding

After that your browser makes some DNS lookups for the kicad.info forum and then asks very nicely for the page. This time encryption (HTTPS) is used, so the stream data is useless.

I don’t know either why the first server is needed.
It does set a cookie. Will try again to use the direct link without the cookie.
Typing in the link directly does get you to the same final page. @ChrisGammell Can you shed some light on this? (I hope you are the right person to ask here.)
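Post #2 finds the destination by clicking and watching the 302. The same answer can be read out of the link itself without sending anything to mandrillapp.com: the `p=` parameter is unpadded base64 carrying a JSON object, and that object's `p` member is a second JSON string that holds the real `url`. The Python below is an added example, not code from the thread, Mandrill or Discourse. The payload layout is inferred from this one link rather than from any Mandrill documentation, the tracked link and displayed text are copied from post #1, and `make_tracked_link` builds a constructed lookalike solely to exercise the check.

```python
"""Decode a Mandrill click-tracking link offline and compare the embedded
destination with the link text shown in the e-mail.  No request is sent to
mandrillapp.com, so no PHPSESSID cookie is set and no click is recorded."""
import base64
import json
from urllib.parse import parse_qs, urlparse

# Tracking link and displayed link text as posted in #1 (copied from the page).
TRACKED_LINK = (
    "http://mandrillapp.com/track/click/30243700/forum.kicad.info?p="
    "eyJzIjoiQnV4WW4yeTZINjluNkkyQnRBaGV1UEpHMFRVIiwidiI6MSwicCI6IntcInVcIjozMDI0MzcwMCxc"
    "InZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2ZvcnVtLmtpY2FkLmluZm9cXFwvdXNlcnNcXFwvYWN0"
    "aXZhdGUtYWNjb3VudFxcXC80MTUxZjdmOGUxNzMzNzBkZDYyYzhhMDgyNjRkNTgwNVwiLFwiaWRcIjpcIjUz"
    "NmIwZWQ0NDQ1NTRlODI4YmVkNTgyOTZhNzdmNTNkXCIsXCJ1cmxfaWRzXCI6W1wiYTVjNzM2OGZjY2VjODQy"
    "N2M1ZTVjODRmNjE3OTdiZjBkOGNmMjkwZlwiXX0ifQ"
)
DISPLAYED_TEXT = (
    "https://forum.kicad.info/users/activate-account/"
    "4151f7f8e173370dd62c8a08264d5805"
)


def decode_tracking_payload(tracked_url):
    """Return (outer, inner) dicts decoded from the p= parameter.

    Layout is inferred from this one link, not taken from Mandrill
    documentation (assumption): p is base64url without padding, holding a
    JSON object whose "p" member is itself a JSON string that carries the
    real target under "url".
    """
    params = parse_qs(urlparse(tracked_url).query)
    if "p" not in params:
        raise ValueError("no p= parameter: not a Mandrill click-tracking link")
    raw = params["p"][0]
    raw += "=" * (-len(raw) % 4)                 # restore stripped padding
    outer = json.loads(base64.urlsafe_b64decode(raw).decode("utf-8"))
    inner = json.loads(outer["p"])               # second JSON layer
    return outer, inner


def real_destination(tracked_url):
    """The URL the 302 from mandrillapp.com would send the browser to."""
    return decode_tracking_payload(tracked_url)[1]["url"]


def link_matches_text(tracked_url, displayed_text):
    """Pre-click check: the embedded destination must equal the displayed
    text exactly, and its host must match the host Mandrill writes into the
    path (/track/click/<account>/<host>), the only part of the wrapper a
    reader can eyeball."""
    dest = real_destination(tracked_url)
    host_in_path = urlparse(tracked_url).path.split("/")[4]
    return dest == displayed_text and urlparse(dest).hostname == host_in_path


def make_tracked_link(dest_url, host_in_path, account="30243700"):
    """Build a constructed lookalike in the same layout, only to exercise
    the check above; the s/id/url_ids values are placeholders."""
    inner = json.dumps({"u": int(account), "v": 1, "url": dest_url,
                        "id": "0" * 32, "url_ids": ["0" * 40]})
    outer = json.dumps({"s": "constructed", "v": 1, "p": inner})
    p = base64.urlsafe_b64encode(outer.encode("utf-8")).decode("ascii").rstrip("=")
    return f"http://mandrillapp.com/track/click/{account}/{host_in_path}?p={p}"


if __name__ == "__main__":
    outer, inner = decode_tracking_payload(TRACKED_LINK)
    print("destination :", inner["url"])
    print("id / url_ids:", inner["id"], inner["url_ids"])
    print("matches text:", link_matches_text(TRACKED_LINK, DISPLAYED_TEXT))
    # A wrapper whose path says forum.kicad.info but whose payload points
    # at a lookalike host fails the check.
    fake = make_tracked_link("https://forum.kicad.info.example.net/login",
                             "forum.kicad.info")
    print("lookalike ok :", link_matches_text(fake, DISPLAYED_TEXT))
```

For the link from post #1 the decoded destination is identical to the displayed text, which confirms offline what post #2 saw in the Location header; the `id` and `url_ids` fields are the per-message identifiers that make the click countable, which is the tracking the later posts discuss. The check deliberately requires an exact string match rather than a host match alone, so a wrapper that keeps the right host but changes the path or token still fails.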


#3

Do Linux users not have access to Google? That is a pity, because a lot of useful information can be found that way.


#4

Well, we can Google. But it's much more fun to investigate HTTP stream data and see what happens in the background.
The direct link works, even without the cookie set by Mandrillapp.
The answers in this question thread are good at explaining what Mandrillapp is:
https://www.quora.com/What-is-Mandrillapp
TL;DR: Mandrillapp is a service to send out (mass) emails via a web API. It is part of MailChimp. It is used by many web services to send out emails to their users, for example the mail confirmation or password reset mails.

The question remains: why the fuck does Mandrill give a different link in text form than in the href part? (This is just bad practice and should not be done this way!)
Also, why does it set the cookie if it is not needed for the mail confirmation? Do they maybe want to get some tracking data? I think I need a tinfoil hat.
(Answer in the question thread I provided: yes, they use this link and maybe also the cookie to see how "effective" their mails are. So yes, they track how many people click on the link sent by the mail service.)


#5

Ah, now I understand. Thanks bobc for taking the time to write this elaborate answer. It is truly amazing how you can give so much information in such compact writing.

and yes, http://www.lmgtfy.com works flawlessly on my machine…


#6

Hey, thanks.
I am not fluent with Wireshark yet. It is on my very long todo list.

What I understand from your stream is that it drops some tracking cookies and passes them on to the real site.
As my Firefox has both the "Self-Destructing Cookies" and "I don't care about cookies" extensions, they would have taken care of this nicely.

My concern was merely the idea that this forum was hacked and used for harvesting data from users without their knowing (as typing messages is "legit" harvesting. :wink: )

Also fine to notice that you can use regular mail as the interface.

Simon


#7

This is right. It’s used to preserve the integrity of the main forum server without hosting mail via a PHP app or similar. Mandrill is pretty standard these days and it is the recommended sender service by Discourse (the forum software). Mailgun is another example.


#8

Ah, so this is a hybrid forum, both web and mail based. Good to know. As I have up till now never worked with Discourse, I have to get familiar with its quirks, like Simple Machines and older web based stuff.


#9

The forum about the forum software itself can be found here: https://meta.discourse.org/

We use it with very few modifications, as the backend is not meant for amateur webadmins such as myself.


#10

Kudos to @ChrisGammell for answering. So many websites pull in so much external crap that seems to serve no purpose other than to use bandwidth and make sure as many people as possible know which websites I visit…always nice to see a site whose external services have rational justifications.