Bug 321207 - Spam on gentoo address
Summary: Spam on gentoo address
Description Gerald Grevrend 2010-05-23 14:49:24 UTC
I have started to receive spam on my email address dedicated to gentoo (ML and Bugs).
Since I have only given this emaild to Gentoo, it means that your email database have been stolen and you have a security issue.
Contact me if you want spamples of spam.

Comment 1 Petteri Räty (RETIRED) gentoo-dev 2010-05-23 15:03:34 UTC
Any email you use in our bugzilla becomes public. Your email is available to crawlers on this page for example. I'll still relay this report to the correct page for the right people to respond however they want. This report has nothing to do with handling human resources: Developer Relations: For handling human resources excluding recruiting.
Comment 2 Christian Ruppert (idl0r) gentoo-dev 2010-05-23 15:41:53 UTC
Email addresses in bugzilla will be invisible for unregistered users as soon as we've done the migration to bugzilla-3.
Addresses from mailinglists are available via gmane, archives etc. as Petteri already wrote.

Also we will change our mail system soonish and that will reduce the spam a lot more than now.

bug 249123, bug 251204
Comment 3 Mike Doty (RETIRED) gentoo-dev 2010-05-23 16:41:19 UTC
Crawlers pick up email addresses from every site they visit, and is no exception.  We're working to obfuscate email addresses, but this won't be perfect.  The only suggestion I can make is that you utilize spam filtering in your MTA and MUA.
Comment 4 Gerald Grevrend 2010-05-23 17:22:14 UTC
Thanks for your answer.
As it is a security issue but not related to a product, I did'nt where to post it ?

As said by Christian, you should'nt disclose emails in the first place (or give the user the option to hide it event to registered users who are not admins).
Spamassassin is far from bullet proof and they missed this one.

For the time being, I have to close and blacklist this mails :( until you migrate to Bugzilla 3.

Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-05-23 17:44:10 UTC
Keep this account for now, until Bugzie3 comes out, unless you don't plan on filing any bugs at all.

It does show up in Google as well.