Open Bug 1112698 Opened 9 years ago Updated 8 years ago

a lot of spam from basket@basket.mozilla.org

Categories

(www.mozilla.org :: Newsletters, defect)

Production
x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

People

(Reporter: jbertsch, Unassigned)

References

Details

On Wed, Dec 17, 2014 at 11:08 AM, Amy Tsay <atsay@mozilla.com> wrote:

    I have 15K+ emails from basket@basket.mozilla.org since yesterday...all spam, I think. The comment field says "20".

    What's going on?

    Thanks,
    Amy
Note: this is probably related to the Get Involved page set up since Amy is a steward.
Amy is the steward for the Add-Ons and Marketplace areas, which show up under Testing, Writing, and Coding on the /contribute page.

Janet Swisher (who handles the documentation section) reported 10 "test" messages over the last 24 hours maybe related, maybe not, certainly not 15k.
Does sound like a spam attack. We can look into adding some spam prevention, but there is very little we've been able to do so far on other forms.
The Web Compat team reports 10k+ spam messages to their area of Get Involved, example to follow

-------- Forwarded Message --------
Subject: Inquiry about Web Compatibility
Date: Tue, 30 Dec 2014 12:15:47 -0000
From: basket@basket.mozilla.org
To: miket@mozilla.com

Name: file:///etc/passwd
Email: sample@email.tst
Area of Interest: Web Compatibility
Language: en-US
Comment: 20 

(I'm documenting this in the event that we do find resources to add spam prevention to the page, and adding Mike Taylor from Web Compat)
I'm starting to wonder if this is some security testing someone at Mozilla is doing. I'm not aware of any, but it could be. It could also just be a random script testing sites for common vulnerabilities. We'll see what we can do.
Francesco,

It happened today again. Whether 1138174 should be reported as duplicate I am not sure
More than 500 emails for Coding, Addons and Marketplace.
I got about 11,000 emails for Web Compatibility, all from "sample@email.tst" yesterday. Made Thunderbird choke for about 40 minutes before filters could run. :'(

Suggestion - add "sample@email.tst" to a blacklist immediately, and start blocking IPs/email addresses if they send more than N requests per minute.
See Also: → 1138531
I'm adding a bug as being dependent on this one and keeping it open for now. It's a frequent category of web bounty submission; this bug is a good exemplar.

Can someone please explain what happens when an email is submitted, vs when many are submitted at once? I just tried it out and was able to sign myself up several times. Someone could use the form to either flood one person's mailbox or flood a large list of addresses to cause Mozilla to be flagged as a spammer by blacklists etc.

There are major problems with every kind of reverse Turing test[1], but there is one abuse case we could prevent: email flooding of a single user.

Look up the email address, check if someone is already subscribed. If so, don't send them another mail. Say, "If you weren't already subscribed, you are now" or something like that so as not to provide an oracle to identify subscribed email addresses. Make sure to account for + in the email address since google and other email systems allow for example user+something@gmail.com, ignoring the + and thereafter for delivery purposes.


1. https://www.w3.org/TR/turingtest/
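The two mitigations proposed in this thread, throttling senders that exceed N requests per window and an idempotent sign-up that returns the same reply whether or not the address was already on the list, sketched in Python as an added example. This is not the Basket service's own code: the in-memory store, the limiter thresholds, the reply strings and the list of domains that ignore a "+tag" suffix are assumptions for illustration.

```python
"""Sign-up handler that never reveals who is already subscribed and
throttles repeated requests per source IP and per target mailbox.

Added example; all storage is in memory and constructed for illustration."""
import time
from typing import Dict, List, Optional, Set

# Assumption: providers that deliver user+anything@domain to user@domain.
PLUS_IGNORING_DOMAINS = {"gmail.com", "googlemail.com"}

# Same reply for new and repeat sign-ups, so the form is not a membership oracle.
CONSTANT_REPLY = "If you weren't already subscribed, you are now."
RATE_LIMITED_REPLY = "Too many requests from this sender; try again later."
INVALID_REPLY = "Please enter a valid e-mail address."


def canonical_email(address: str) -> Optional[str]:
    """Return the mailbox key used for the already-subscribed lookup, or None
    if the input is not shaped like an address. Lower-cases the address and
    drops a '+tag' suffix on domains known to ignore it, so user+1@gmail.com
    and user+2@gmail.com cannot be used to re-flood the same inbox."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain or "." not in domain:
        return None
    if domain in PLUS_IGNORING_DOMAINS:
        local = local.split("+", 1)[0]
    return f"{local}@{domain}"


class RateLimiter:
    """Sliding window: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, List[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits.get(key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


class SignupService:
    def __init__(self, limiter: RateLimiter) -> None:
        self.limiter = limiter
        self.subscribed: Set[str] = set()
        self.outbox: List[str] = []  # constructed stand-in for the mail queue

    def subscribe(self, address: str, client_ip: str,
                  now: Optional[float] = None) -> str:
        key = canonical_email(address)
        if key is None:
            return INVALID_REPLY
        # Throttle on both the submitting IP and the target mailbox, so a
        # flood aimed at one victim is stopped even when it comes from many IPs.
        ip_ok = self.limiter.allow("ip:" + client_ip, now)
        mbox_ok = self.limiter.allow("mbox:" + key, now)
        if not (ip_ok and mbox_ok):
            return RATE_LIMITED_REPLY
        # Only the first sign-up for a mailbox produces mail; repeats are
        # accepted silently so the reply never depends on membership.
        if key not in self.subscribed:
            self.subscribed.add(key)
            self.outbox.append(key)
        return CONSTANT_REPLY


if __name__ == "__main__":
    svc = SignupService(RateLimiter(limit=5, window=60))
    print(svc.subscribe("Alice+News@gmail.com", "198.51.100.7", now=0))
    print(svc.subscribe("alice@gmail.com", "198.51.100.7", now=1))
    print("mails sent:", svc.outbox)  # one mail despite two sign-ups
```

The per-mailbox limiter key is the canonical form, so plus-tag variants on the listed domains share one bucket; on other domains the tag is kept, which is the conservative choice when the provider's delivery rules are unknown.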
No longer blocks: 1273757