Spammers continue to find new ways to do their business and new ways to cause frustration for those of us who administer software that fosters small, open communities. These communities are fragile and grow up in a delicate environment. The environment needs to remain open: self-registration, the ability to post content, and the option of remaining anonymous are the key to success. Unfortunately, it is also a ripe environment for spammers to abuse.
Spammers have now discovered that bugzilla is one of those environments. For those who don’t know, bugzilla is one of the most common open source bug tracking tools. It is used by many open source projects to allow the community to assist in reporting bugs on and enhancement ideas for each project. The original version of Bugzilla was first created at Netscape in the mid-nineties (back when I was working at Netscape). It was rewritten in 1998 and made available as open source. After AOL bought Netscape, it became one of a number of projects released by the Mozilla Foundation. Although bugzilla continues to be used by many projects, development of bugzilla itself became somewhat stagnant over the years. It hasn’t kept up with the times and as such, has practically no support for handling spam in the 2007 world. (Version 3.0 just came out in May 2007, nine years after version 2.0 came out.)
At Solid, we’ve been using Bugzilla to track bugs for our solidDB for MySQL product. Around April, people from other open source projects such as Samba, XFCE, and Eclipse started having problems with spammers adding spam as attachments to existing bugs in their bugzilla bug tracking databases. I didn’t notice the problem until Solid got its first bugzilla spam last week (July). I was used to cleaning out spam every day from Solid’s forums, but dealing with spam in Bugzilla is extremely difficult and annoying.
I first tried to upgrade to the new Bugzilla 3.0 in our development instance to see if that would be able to help with the spam problem. Although 3.0 does have support for deleting attachments (finally!), it still takes too many clicks to delete attachments. Spammers can create attachments automatically, and I get stuck with the manual work. In addition, Bugzilla still doesn’t support deleting comments, which spammers can also easily create and fill with inappropriate content. Deleting bugs is not supported either, which is another easy target for spammers to hit. Even trying to delete a user (the spammer) gives a scary message that warns you not to do it or risk causing referential integrity problems in your database (what kind of choice is that?).
After some testing, I decided it wasn’t worth upgrading to 3.0 for the minimal help it would give. It seems like it should be pretty easy to write a small script that automatically deletes all data associated with a spammer, while still keeping referential integrity intact. So that’s what I decided to do. I now have a bugzilla_spammer.rb script (written in Ruby) that helps me keep spam in Bugzilla in check.
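To show what such a cleanup has to get right, here is an added Ruby example (not the author’s bugzilla_spammer.rb) that removes everything a spammer account created while keeping references consistent: it deletes child rows (attachment data, attachments, comments, activity, CC entries) before the bugs and the profile row they point at, inside one transaction. The table and column names are assumed from the Bugzilla 2.x/3.0 schema and the `execute(sql, *params)` connection interface is assumed too; confirm both against your own instance.

```ruby
# Added example, not the author's bugzilla_spammer.rb: purge every row a spammer
# account created from a Bugzilla 2.x/3.0 database, child rows before parents so no
# dangling userid/bug_id/attach_id references remain. Schema names are assumptions.
class BugzillaSpamCleaner
  # db: any object responding to execute(sql, *params) and returning rows as arrays
  def initialize(db); @db = db; end

  # Looks up the numeric userid for a login name; nil when no such account exists.
  def user_id(login)
    row = @db.execute("SELECT userid FROM profiles WHERE login_name = ?", login).first
    row && row[0]
  end

  # Ordered [sql, params] deletes for one userid: the spammer's own attachments,
  # comments, activity and CC entries first; then bugs the spammer filed together
  # with everything hanging off them; the account row itself last.
  def statements(uid)
    own_bugs = "SELECT bug_id FROM bugs WHERE reporter = ?"
    [
      "DELETE FROM attach_data WHERE id IN (SELECT attach_id FROM attachments WHERE submitter_id = ?)",
      "DELETE FROM attachments WHERE submitter_id = ?",
      "DELETE FROM longdescs WHERE who = ?",
      "DELETE FROM bugs_activity WHERE who = ?",
      "DELETE FROM cc WHERE who = ?",
      "DELETE FROM attach_data WHERE id IN (SELECT attach_id FROM attachments WHERE bug_id IN (#{own_bugs}))",
      "DELETE FROM attachments WHERE bug_id IN (#{own_bugs})",
      "DELETE FROM longdescs WHERE bug_id IN (#{own_bugs})",
      "DELETE FROM bugs_activity WHERE bug_id IN (#{own_bugs})",
      "DELETE FROM cc WHERE bug_id IN (#{own_bugs})",
      "DELETE FROM bugs WHERE reporter = ?",
      "DELETE FROM profiles WHERE userid = ?",
    ].map { |sql| [sql, [uid]] }
  end

  # Runs the deletes in one transaction. Returns the number of statements executed,
  # or 0 when the login does not exist (nothing is touched in that case).
  def purge(login)
    uid = user_id(login)
    return 0 unless uid
    stmts = statements(uid)
    @db.execute("BEGIN")
    begin
      stmts.each { |sql, params| @db.execute(sql, *params) }
      @db.execute("COMMIT")
    rescue
      @db.execute("ROLLBACK")
      raise
    end
    stmts.size
  end
end
```

Bugs where the account is only `assigned_to` or `qa_contact` are not covered here; reassign those before removing the profile row.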
What Bugzilla really needs is full application support for protecting against the increasingly sophisticated methods that spammers use to bypass applications. It would be much better to stop spam from getting into Bugzilla in the first place. My program does not help with that at all. It does, however, provide a simple way for you to remove the junk created by spammers that gets entered into your Bugzilla, once it is there. This should be a good enough workaround until the Bugzilla developers add some serious spam protection that will help protect against current-day spammer techniques. If you want this feature, please let them know it’s important. And if you’re interested in doing some coding, offer to help! A bug has already been filed against Bugzilla about this problem - bug 380489.
Update: Several people from the Bugzilla team (thanks, Max Kanat-Alexander and Frédéric Buclin!) have pointed out that it is possible to delete a bug in Bugzilla. I should have been more clear, but what I meant was that it is not easy or practical to delete a bug. Deleting a bug requires creating a new product and component and then moving the bug into that product and finally deleting the entire product. And it still doesn’t help in the case that the spammer adds a comment to an existing bug.