Open Bug 1306750 (bugzilla-spam) Opened 5 years ago Updated 4 years ago
[tracking] Bugzilla Anti-Spam Measures
Lots of people have problems with bugzilla bug/comment/account spam. BMO handles this with our own AntiSpam extension. Other sites make use of things at the firewall or load balancer level. Fundamentally, you cannot run Bugzilla on the public internet and not get spammed. This isn't acceptable! I've heard from buovjaga that this is a huge problem for LibreOffice, and I see from tweets this is a problem for Eclipse bugzilla. I've looked at the previous bugs about spam, and many are victims of creeping scope. I think making one person ultimately responsible for this task will make it more likely to be done and not have too much scope creep. With that consideration made, I'm putting Sina (a new contributor) in charge of adding features to Bugzilla to make spam less of a problem.
This is a dupe of bug 261326, which already has dependencies set and interested people in the CC list.
No, it's not a duplicate because this is about preventing comment spam and that bug is about harvesting emails.
See Also: → bugz_anti-spam_meta
This is also a problem for Linux Kernel and Netbeans:
https://lkml.org/lkml/2016/7/13/819
http://forums.netbeans.org/ptopic65811.html
(discussions from spring/summer 2016)
I think the honeypot form field, bug 1306758, is a good start as I guess it is fairly easy to implement.
We have discussed on IRC about plugging into various blacklist services. I had good results with them during my forum admin days.
Admins love CAPTCHAs, but users hate them. CAPTCHAs are discussed in bug 380489. Adding CAPTCHA support is probably a low-hanging fruit, but blacklists would be great to avoid user annoyance.
(In reply to buovjaga from comment #3)
> This is also a problem for Linux Kernel and Netbeans:
> https://lkml.org/lkml/2016/7/13/819
> http://forums.netbeans.org/ptopic65811.html
> (discussions from spring/summer 2016)
>
> I think the honeypot form field, bug 1306758, is a good start as I guess it
> is fairly easy to implement.
>
> We have discussed on IRC about plugging into various blacklist services. I
> had good results with them during my forum admin days.
Yep. Sina and I discussed a few different solutions.
- akismet
- various dnsrbls
I think out of the box bugzilla should offer some protection from comment spam, and then make it easy for extensions to provide additional checks.
On our Wiki and Forums, a simple moderation system (Moderate X first posts) is very effective at keeping things clean, especially when the pool of moderators can be defined in a group.
WineHQ's bugzilla is now getting regularly spammed in comments (usually 1-800 phone numbers and website URLs)
Wireshark's Bugzilla is getting spam as well.
Khronos Group Bugzilla was hit very hard with the 1-800 spam. We've been forced to close Bugzilla and are looking at moving to another platform. Bugzilla really needs something to combat comment spam.
How can we help?
As a user of Bugzilla (on Eclipse.org infrastructure), I find this issue is very dangerous for whatever community or project and may quickly become a showstopper for usage of Bugzilla, as opposed to other trackers such as GitHub that don't show such an issue. In the current state, either the regular users get slowed down in their work because of spam, or some manual anti-spam system has to be set up, costing a lot of effort and resulting in potentially too strong restrictions, reducing the ability of the average new user to get started on Bugzilla and then to join the community/project easily. In any of those cases, the general health of the project/community is getting worse. Although I love the Eclipse.org infrastructure, this Bugzilla issue is really horrible for the individual projects I work on (as Eclipse.org infra went for more restrictions, it prevents some new contributors from joining easily) and I am strongly considering moving away from Eclipse.org's Bugzilla in favor of another tracker allowed by the Foundation. And as we spoke about it with other Eclipse contributors, more and more people are considering fully dropping their usage of Bugzilla because of this issue. So are there any concrete plans or ETA of a solution for this issue? I'm just trying to make up my mind about whether it's already time to drop Bugzilla or if there is still hope of a prompt fix.
For the records, in GNOME Bugzilla, Olav wrote and deployed a custom extension which allows blocking certain strings and regular expressions: https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/AntiSpam?h=production
The GNOME Bugzilla one is pretty heavily inspired by the upstream AntiSpam extension, but had to work around our Bugzilla version. We don't get any comment spam (strangely), nor any recent attachment spam. Once we get this I'll add more methods for it. The 1-800 spam is pretty easy to prevent with a regexp. Just be careful not to match valid bugs! In our extension I've made it immediately block/ban the user. From watching the logs it appears someone is doing this manually.
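
The caution in the comment above about not matching valid bugs, as an added example (standalone Python, not code from the GNOME or upstream AntiSpam extension): a toll-free number pattern that skips digit runs common in bug reports, and only blocks when a call-to-action keyword is also present. The extra prefixes, the keyword list, the three verdict names and the sample comments are assumptions constructed for this example.

```python
import re

# The thread only mentions "1-800" spam; the other toll-free prefixes are
# an assumption added for this example.
PHONE_RE = re.compile(r"""
    (?<![\w.])                      # not inside a hex value, identifier or version
    \+?1[\s.\-()]{0,3}              # country code 1, optional separators
    (?:800|833|844|855|866|877|888)
    [\s.\-()]{1,3}                  # require a separator: skips bare digit runs
    \d{3}[\s.\-]{0,2}\d{4}
    (?![.\-]?\d)                    # not the start of a longer number
""", re.VERBOSE)

# Hypothetical call-to-action keyword list; only consulted once a number matched,
# because words like "support" are normal in bug reports.
KEYWORD_RE = re.compile(
    r"\b(?:support|helpline|help\s*desk|customer\s+(?:care|service)"
    r"|toll[\s-]*free|call\s+(?:us|now))\b", re.IGNORECASE)

def classify(comment):
    """Return 'block', 'moderate' or 'allow' for one comment body."""
    if not PHONE_RE.search(comment):
        return "allow"
    # A number alone can be legitimate, so hold it for a human instead of banning.
    return "block" if KEYWORD_RE.search(comment) else "moderate"

# Constructed sample comments (555-01xx numbers are reserved for fiction).
SAMPLES = [
    "Printer support helpline 1-800-555-0199, call now",
    "Toll free +1 (800) 555 0199 for account recovery",
    "The vendor datasheet prints 1-800-555-0199 on page 2",
    "Crash at 0x18005550199 after adding support for IPv6",
    "Timeout after 1 800 ms, allocated 18005550199 bytes",
    "Bug 1800555 is a duplicate of this one",
]

def run_samples():
    """Classify every constructed sample, in order."""
    return [classify(text) for text in SAMPLES]

if __name__ == "__main__":
    for text, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:9} {text}")
```

Requiring a separator after the prefix means an unseparated number such as 18005550199 is not matched at all; that is the trade-off made here to keep byte counts, bug ids and addresses out of the filter.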
Thank you everyone for the suggestions. I've installed AntiSpam and some regexes and custom words. Along with LimitedEmail modified to block certain email domains that appear to be used almost exclusively for spam. We've reopened our bugzilla instance and will see if this helps. @OlavVitters would you be open to sharing the code modifications to block/ban the user? I see no reason to allow spammers to keep their accounts active.
(In reply to James Riordon from comment #13)
> would you be open to sharing the code modifications to block/ban the user?
https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/AntiSpam/Extension.pm?h=production#n85
Thank you. Next time I will look at the code before posting.
(In reply to Andre Klapper from comment #11)
> For the records, in GNOME Bugzilla, Olav wrote and deployed a custom
> extension which allows blocking certain strings and regular expressions:
> https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/AntiSpam?h=production
The README says: Recommend not to use this extension anywhere else. The functionality is really specific. Apparently it still works just fine for Khronos Group. Any details about the specific functionality?
Copy & paste mistake from https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/GNOME/README I'm afraid. :) Glad to hear things work for you!
(In reply to Andre Klapper from comment #11)
> For the records, in GNOME Bugzilla, Olav wrote and deployed a custom
> extension which allows blocking certain strings and regular expressions:
> https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/AntiSpam?h=production
Thanks for that! Such a simple extension, I was asking for exactly that some time ago. I've deployed it to two of our smaller BZ instances, will deploy to bugs.e.o tomorrow morning.
Would it be useful to set noindex+nofollow for recently-modified bugs, e.g. https://github.com/geraldcombs/bugzilla/commit/3577c07f18d6f671f52856a6385cbaa8982aacbf ? This wouldn't necessarily keep people from posting spam, but it might make Bugzilla a less useful spam publishing platform.