| Summary: | spammers can read the email addresses of the users | | |
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | Jerome <jerome.bouat> |
| Component: | Bugzilla | Assignee: | Bugzilla Admins <bugzilla> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | alecm_88, bircoph, bugs_gentoo_org.korobkov, gentoo.bugs.10, gentoo, gentooBugs, jb.faq, jer, jlec, m3q, notordoktor, nunomilheiro, pchrist, please.no.spam.here, spatz |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 213782 | | |
Description
Jerome
2008-11-27 21:59:14 UTC
You may have a valid point there somehow, but should we close half the Internet down because of abuse?

I think that email addresses shouldn't be shown for anonymous users.

*** Bug 251045 has been marked as a duplicate of this bug. ***

I also think that this is a problematic thing. This is even more annoying, as it is quite easy to fix - just use nicknames without domain. And you would not have to "close half the Internet down because of abuse" ;) Devs/Admins: you can find discussion and a couple of ways how to do it here: http://groups.google.com/group/mozilla.support.bugzilla/browse_thread/thread/10722f83dd3d13b1/bcfd087173004055?pli=1

+1 (or more), and mask the mails in the activity logs. Other communities mask the email (e.g. nouveau mailinglist: my email is shown as <jb.faq-Mmb7MZpHnFY@xxxxxxxxxxxxxxxx> or <[EMAIL PROTECTED]>; or wine-devel: <jb.faq@???>)

Just use a good spam filter and stop worrying

(In reply to comment #6)
> Just use a good spam filter and stop worrying
>
Are you serious? IMHO such a solution is not suitable! An example: the best spam filter cannot guarantee that you delete an important email. While this bug is present you boost getting more unnecessary emails. But if you get many emails per day you don't check all of them.

Ok, I propose to limit it to any users with editbugs for now. This DOES mean that users cannot directly contact each other anymore.

(In reply to comment #8)
> Ok, I propose to limit it to any users with editbugs for now.
Could display depend on being logged in or not? Is editbugs bugzilla-global or does it work on a per bug basis?

(In reply to comment #9)
> (In reply to comment #8)
> > Ok, I propose to limit it to any users with editbugs for now.
>
> Could display depend on being logged in or not?
> Is editbugs bugzilla-global or does it work on a per bug basis?
>
editbugs is usually for developers. So a user who is not logged in can only see @gentoo.org addresses but no other.
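The display policy sketched in comments #2, #3, #8 and #10 (anonymous viewers get a masked address, logged-in or editbugs users the real one, and the same rule applied to addresses embedded in activity-log text), as an added Python example that is not Bugzilla's code nor anything posted in this thread; the viewer model, the `require_editbugs` knob, the project domain and the sample log line are assumed or constructed.

```python
import re
from dataclasses import dataclass

# Loose address matcher; good enough to find addresses embedded in log text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Viewer:
    """Who is looking at the page (assumed model of the viewer's session state)."""
    logged_in: bool = False
    editbugs: bool = False


def display_email(addr: str, viewer: Viewer, *, project_domain: str = "gentoo.org",
                  require_editbugs: bool = False) -> str:
    """Return the form of `addr` this viewer is allowed to see.

    Policy (assumed, combining the thread's proposals):
      - a viewer with the required privilege (logged in, or editbugs when
        require_editbugs is set, as comment #8 proposed) sees the full address;
      - everyone else sees project-domain addresses in full (comment #10) and
        any other address as local part plus '@???' (the wine-devel style
        quoted in comment #3), so the real domain is never revealed.
    """
    local, at, domain = addr.rpartition("@")
    if not at:                      # not an address at all: nothing to mask
        return addr
    allowed = viewer.editbugs if require_editbugs else viewer.logged_in
    if allowed or domain.lower() == project_domain.lower():
        return addr
    return f"{local}@???"


def mask_log_line(line: str, viewer: Viewer, **policy) -> str:
    """Apply display_email() to every address found in a line of activity-log text."""
    return EMAIL_RE.sub(lambda m: display_email(m.group(0), viewer, **policy), line)


# Constructed sample activity-log line (not taken from the real bug history).
SAMPLE_LOG = "2008-11-28 CC added: jb.faq@example.net, infra@gentoo.org"

if __name__ == "__main__":
    for who in (Viewer(), Viewer(logged_in=True), Viewer(logged_in=True, editbugs=True)):
        print(who, "->", mask_log_line(SAMPLE_LOG, who, require_editbugs=True))
```

Masking the rendered page alone is not enough: the same function has to run over activity logs, CC lists and any other place the address is echoed, which is why `mask_log_line` exists.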
I think that allowing all logged-in users to see email addresses, and anonymous users to see obfuscated addresses, would be better than the current proposed solution. Even better would be hidden addresses, and a form which allows users to email each other through bugzilla without giving away email addresses. (but my first proposal would be easier)

(In reply to comment #11)
> Even better would be hidden addresses, and a form which allows users to email
> each other through bugzilla without giving away email addresses. (but my first
> proposal would be easier)
In my opinion contact forms suck because:
- No copy in "Sent" folder
- No support for attachments (e.g. patches)
When somebody forces me to a contact form I start Googling, searching whois and key servers until I find a real address... Just my two cents.

(In reply to comment #12)
> In my opinion contact forms suck because:
> - No copy in "Sent" folder
> - No support for attachments (e.g. patches)
- Won't really solve the problem because bots can fill out forms, too. And captchas have their own problems.
I think just mangling email addresses would be the easiest and one of the most effective solutions. I gave my points to this bug because up until I started contributing to this bugzilla I had been able to keep my account completely spam-free, and I kinda miss that.

> - Won't really solve the problem because bots can fill out forms, too.
A form can discard bots by proposing a challenge which is known to be solved only by humans:
- characters lost in a smogged image
- ask a question in English
- ...
All the other web sites do it.
Why should the Bugzilla install be the only web site which has this bug?
(In reply to comment #14)
> A form can discard bots by proposing a challenge which is known to be solved
> only by humans...
Yeah... it's called captcha. Like I said, they're not failproof either and aren't as trivially implemented. A bot-check at registration is far superior for users than one required to email.

Re-iterating that registered users should continue to see email addresses, users that are not logged in should not.

A spammer can create a legitimate account and later:
- execute a query in order to get all email addresses in Bugzilla
- or use a bot in order to send email through the form (if no human test)

(In reply to comment #17)
> A spammer can create a legitimate account and later:
> - execute a query in order to get all email addresses in Bugzilla
> - or use a bot in order to send email through the form (if no human test)
>
True, but either requires a lot more effort, and directed specific effort, than just spidering bugzilla as it is.

Guys, please take a look at: https://forums.gentoo.org/viewtopic-t-810344.html
This has been going on for a couple of years. Can someone flip the switch finally? I get enough spam as it is, I don't need more. :(

Bug 115796 Comment #34

I received 168 spams within the latest 24 hours. I think this bug is critical. If you decide it is a low priority it is another question, but you can't tell that this bug is just major: 168 spams require me about half an hour in order to process them from my junk folder in order to report them to spamcomplaint, spamcop.net, signal-spam.fr, etc. My time isn't free. I'm harmed by this bug.

Well, currently getting over 100 spams a day... for an account which is not used for anything but Gentoo bugzilla. Thanks to Gmail only ~5 end up in the normal mail folder, the rest gets moved to spam. Good that I've won about $100M so far and am getting lots of investment offers from Nigeria and elsewhere. It took about a month.
Is it enough as a proof that this bugzilla is a wonderful harvesting source for spammers?

> the rest gets moved to spam
I also have a spam filter, either with my web-mail or my client program.
However, I still have a look at those spams in order to trap any true message which could be discarded from my inbox folder.
The best way to avoid annoying the email reader is to lower the spam source, or maybe use network address black lists.
I think the poll results from Comment #19 are pretty clear, and considering that this is one of the top three most voted-for bugs (just 10 votes away from the top), it's obvious that this is a pretty major problem. Is anyone actually going to do anything about this?

(In reply to comment #24)
> I think the poll results from Comment #19 are pretty clear, and considering
> that this is one of the top three most voted-for bugs (just 10 votes away from the
> top), it's obvious that this is a pretty major problem.
>
> Is anyone actually going to do anything about this?
>
Yes, but it is TODO for bugzilla 3 only.

*** Bug 315563 has been marked as a duplicate of this bug. ***

Looks like this has been fixed by the upgrade to bugzilla 4 :D

Fixed through the upgrade to Bugzilla-4.x. Not logged in users will no longer see the entire email address.

The issue is that the logged in users can see the actual email addresses. For example, each person in this discussion could be spammed. But nobody would know who it comes from and the system can't block the spammer.

I just filed the bug #365981:
logged in spammers can read the email addresses of the users

(In reply to comment #30)
> I just filed the bug #365981:
> logged in spammers can read the email addresses of the users
I think this is true of pretty much any bugzilla - kde, xfce, mozilla, redhat, freedesktop and kernel.org - all show emails to registered users. In fact, I don't even know of a bugzilla that does *not* show email addresses. Furthermore, if you look at the poll in Comment 19, the majority find this reasonable.

(In reply to comment #30)
> I just filed the bug #365981:
> logged in spammers can read the email addresses of the users
A priori spammers should not be able to register in the first place. If they are, this is another issue and should be solved independently. Sometimes you need to mail a commenter directly. And I see nothing wrong if a registered *person* will know your e-mail.
In reply to comment #31:
A widely used solution doesn't mean it is the best. Since Redmond OS is the most widely used, then it is the best.

(In reply to comment #32)
> A priori spammers should not be able to register in the first place. If they
> are, this is another issue and should be solved independently.
How are you sure a user isn't a spammer?
> Sometimes you need to mail a commenter directly. And I see nothing wrong if a
> registered *person* will know your e-mail.
Then, you can use a web form which will make the link between the users by delivering the message without the sender's email address. Moreover, the message will not be anonymous. Next, both can exchange their actual email addresses during this private exchange. Openoffice.org chose another alternative: they made private email addresses like "user@openoffice.org". Thus nobody could get the actual private email address, and the openoffice.org origin of any spam could be known and possibly reported to the openoffice.org admin team.

(In reply to comment #34)
> (In reply to comment #32)
> > A priori spammers should not be able to register in the first place. If they
> > are, this is another issue and should be solved independently.
>
> How are you sure a user isn't a spammer?
Because of probability. In the absolute majority of cases spammers do use program bots to spam people. Spam is, first of all, a *massive* unwanted message delivery, and it's obvious that spam lists are acquired automatically. To assume that some *person* will deliberately register at bugzilla and enter a captcha just to spam someone is nonsense in real life, though it is theoretically possible. Let's say this probability is of the same degree as that you will be directly hit by a meteorite during your lifetime.

I agree with the previous comment #35.
It is necessary, however, that developers do not copy the email addresses from the bugzilla to version control commit texts, because they will be revealed to the public (and not just on packages.gentoo.org). A new rule should be made on this issue.

(In reply to comment #36)
> I agree with the previous comment #35.
> It is necessary, however, that developers do not copy the email addresses from
> the bugzilla to version control commit texts, because they will be revealed to
> the public (and not just on packages.gentoo.org). A new rule should be made on
> this issue.
It seems you have missed the note that is displayed when you registered your account here:

"PRIVACY NOTICE: Gentoo's Bugzilla is an open bug tracking system. Activity on most bugs, including email addresses, will be visible to the public. We recommend using a secondary account or free web email service (such as Gmail, Yahoo, Hotmail, or similar) to avoid receiving spam at your primary email address."

If you don't want that email address to appear publicly, don't use it here. That simple. There is nothing more that needs discussing on this bug. Thanks.

(In reply to comment #36)
> I agree with the previous comment #35.
> It is necessary, however, that developers do not copy the email addresses from
> the bugzilla to version control commit texts, because they will be revealed to
> the public (and not just on packages.gentoo.org). A new rule should be made on
> this issue.
So you are of the persuasion that to kill e-mail is the way to kill spam.

(In reply to comment #38 & #37)
Based on my experience with Gentoo bug reporting, I feel there's no use in saving email addresses with the changes; referring to a bug number is more than enough. That was my suggestion, shoot here.