Bug 1306750 (bugzilla-spam)

[tracking] Bugzilla Anti-Spam Measures

Status: NEW
Importance: enhancement P1 normal
Reported: 3 years ago
Last modified: 2 years ago

People

(Reporter: dylan, Assigned: sina)

Tracking

(Depends on 1 bug, {meta})

Version: 5.1.1
Target Milestone: Bugzilla 6.0

Details

Lots of people have problems with bugzilla bug/comment/account spam.

BMO handles this with our own AntiSpam extension. Other sites make use of things at the firewall or load balancer level.

Fundamentally, you cannot run Bugzilla on the public internet and not get spammed. This isn't acceptable!

I've heard from buovjaga that this is a huge problem for Libre Office,
and I see from tweets this is a problem for Eclipse bugzilla.

I've looked at the previous bugs about spam, and many are victims of creeping scope. I think making one person ultimately responsible for this task will make it more likely to be done and not have too much scope creep.

With that consideration made, I'm putting Sina (a new contributor) in charge of adding features to Bugzilla to make spam less of a problem.
(Assignee)

Updated

3 years ago
Depends on: 1306758

Comment 1

3 years ago
This is a dupe of bug 261326, which already has dependencies set and interested people in the CC list.
Keywords: meta
(Reporter)

Comment 2

3 years ago
No, it's not a duplicate because this is about preventing comment spam and that bug is about harvesting emails.
See Also: → bugz_anti-spam_meta

Comment 3

3 years ago
This is also a problem for Linux Kernel and Netbeans:
https://lkml.org/lkml/2016/7/13/819
http://forums.netbeans.org/ptopic65811.html
(discussions from spring/summer 2016)

I think the honeypot form field, bug 1306758, is a good start as I guess it is fairly easy to implement.

We have discussed on IRC about plugging into various blacklist services. I had good results with them during my forum admin days.

Admins love CAPTCHAs, but users hate them. CAPTCHAs are discussed in bug 380489. Adding CAPTCHA support is probably a low-hanging fruit, but blacklists would be great to avoid user annoyance.
(Reporter)

Comment 4

3 years ago
(In reply to buovjaga from comment #3)
> This is also a problem for Linux Kernel and Netbeans:
> https://lkml.org/lkml/2016/7/13/819
> http://forums.netbeans.org/ptopic65811.html
> (discussions from spring/summer 2016)
> 
> I think the honeypot form field, bug 1306758, is a good start as I guess it
> is fairly easy to implement.
> 
> We have discussed on IRC about plugging into various blacklist services. I
> had good results with them during my forum admin days.

Yep. Sina and I discussed a few different solutions.
 - akismet
 - various dnsrbls

I think out of the box bugzilla should offer some protection from comment spam, and then
make it easy for extensions to provide additional checks.
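
The two mechanisms named in Comments 3 and 4, a honeypot form field and a DNSBL lookup on the submitter's address, as an added example. This is illustration code, not Bugzilla's own code and not the BMO AntiSpam extension; the field name `website_url`, the zone `dnsbl.example` and the constructed listing table are assumptions, and the resolver is injected so the example runs offline.

```python
"""Honeypot field and DNSBL checks on a comment-submission form (added
illustration, not Bugzilla code; field name and zone are assumptions)."""
import ipaddress
import socket
from typing import Callable, Mapping, Optional

# Extra form field hidden from humans with CSS (not type=hidden, which some
# bots skip).  Real browsers submit it empty; form-filling bots populate it.
HONEYPOT_FIELD = "website_url"  # assumption


def honeypot_tripped(form: Mapping[str, str]) -> bool:
    """True when the hidden field came back non-empty."""
    return bool((form.get(HONEYPOT_FIELD) or "").strip())


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet name a DNSBL expects:
    203.0.113.5 against 'dnsbl.example' -> '5.113.0.203.dnsbl.example'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are shown in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


# A resolver maps a query name to an A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def real_resolve(name: str) -> Optional[str]:
    """Production resolver: NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def ip_is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """DNSBLs answer a listed address with a 127.0.0.x record; the exact
    code varies per list, so only the 127. prefix is treated as a hit."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def classify_submission(form: Mapping[str, str], client_ip: str,
                        zone: str, resolve: Resolver) -> Optional[str]:
    """Return a rejection reason, or None when the submission passes."""
    if honeypot_tripped(form):
        return "honeypot"
    if ip_is_listed(client_ip, zone, resolve):
        return "dnsbl"
    return None


# Constructed stand-in for DNS so the example runs offline.
LISTED = {"5.113.0.203.dnsbl.example": "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return LISTED.get(name)


if __name__ == "__main__":
    bot = {"comment": "buy now", "website_url": "http://spam.invalid"}
    print(classify_submission(bot, "198.51.100.7", "dnsbl.example", fake_resolve))
    print(classify_submission({"comment": "hi"}, "203.0.113.5", "dnsbl.example", fake_resolve))
```

Two practical caveats: cache DNSBL answers (every comment submission otherwise costs a DNS round trip), and treat a DNSBL hit as a reason to moderate or rate-limit rather than a hard block if your users post from shared or mobile address space, since those ranges are often listed.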

Comment 5

3 years ago
On our Wiki and Forums, a simple moderation system (Moderate X first posts) is very effective at keeping things clean, especially when the pool of moderators can be defined in a group.

Comment 6

2 years ago
WineHQ's bugzilla is now getting regularly spammed in comments (usually 1-800 phone numbers and website urls)

Comment 7

2 years ago
Wireshark's Bugzilla is getting spam as well.

Comment 8

2 years ago
Khronos Group Bugzilla was hit very hard with the 1-800 spam. We've been forced to close Bugzilla and are looking at moving to another platform. Bugzilla really needs something to combat comment spam.

Comment 9

2 years ago
How can we help?

Comment 10

2 years ago
As a user of Bugzilla (on Eclipse.org infrastructure), I find this issue is very dangerous for whatever community or project and may quickly become a showstopper for usage of Bugzilla, as opposed to other trackers such as GitHub that don't show such an issue.
In the current state, either the regular users get slowed down in their work because of spam, or some manual anti-spam system has to be set up, costing a lot of effort and resulting in potentially too strong restrictions, reducing the ability of the average new user to get started on Bugzilla and then to join the community/project easily. In any of those cases, the general health of the project/community is getting worse.
Although I love the Eclipse.org infrastructure, this Bugzilla issue is really horrible for the individual projects I work on -as Eclipse.org infra went for more restrictions, it prevents some new contributors from joining easily- and I am strongly considering moving away from Eclipse.org's Bugzilla in favor of other trackers allowed by the Foundation. And as we spoke about it with other Eclipse contributors, more and more people are considering fully dropping their usage of Bugzilla because of this issue.
So are there any concrete plans or ETA of a solution for this issue? I'm just trying to make up my mind about whether it's already time to drop Bugzilla or if there is still hope of a prompt fix.

Comment 11

2 years ago
For the records, in GNOME Bugzilla, Olav wrote and deployed a custom extension which allows blocking certain strings and regular expressions:
https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/AntiSpam?h=production

Comment 12

2 years ago
The GNOME Bugzilla one is pretty heavily inspired by the upstream AntiSpam extension, but had to work around our Bugzilla version. We don't get any comment spam (strangely), nor any recent attachment spam. Once we get this I'll add more methods for it. The 1-800 spam is pretty easy to prevent with a regexp. Just be careful not to match valid bugs!

In our extension I've made it immediately block/ban the user. From watching the logs it appears someone is doing this manually.
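
The regex-and-ban approach described in Comment 12, as an added example: a toll-free-number pattern with the "don't match valid bugs" guard built into its lookarounds, a URL-count check for the website-URL spam mentioned in Comment 6, and immediate disabling of the author on a hit. This is illustration code, not the GNOME or BMO AntiSpam extension; the patterns, the URL threshold and the `Account` class with its `disabled_text` attribute are assumptions.

```python
"""Regex comment filter with automatic account disabling (added
illustration, not the GNOME/BMO AntiSpam extension; patterns, threshold
and the Account class are assumptions)."""
import re
from dataclasses import dataclass
from typing import Optional

# US toll-free numbers.  The lookarounds refuse to match digits glued to a
# letter, dot or dash, so bug ids, version strings and changeset hashes that
# happen to contain "800" are left alone.
TOLL_FREE = re.compile(r"""
    (?<![\w.-])                        # not inside an identifier/version/hash
    (?:\+?1[\s.-]?)?                   # optional leading country code
    \(?8(?:00|33|44|55|66|77|88)\)?    # toll-free area codes
    [\s.-]?\d{3}[\s.-]?\d{4}
    (?![\w.-])
""", re.VERBOSE)

URL = re.compile(r"https?://\S+")
URL_LIMIT = 3  # assumption: legitimate comments rarely carry more bare URLs


@dataclass
class Account:
    login: str
    disabled_text: str = ""  # non-empty means the account can no longer log in


def spam_reason(text: str) -> Optional[str]:
    """Return why the text looks like spam, or None if it passes."""
    if TOLL_FREE.search(text):
        return "toll-free phone number"
    if len(URL.findall(text)) > URL_LIMIT:
        return f"more than {URL_LIMIT} URLs"
    return None


def screen_comment(text: str, author: Account,
                   auto_disable: bool = True) -> Optional[str]:
    """Reject spammy comments; optionally disable the author on the spot,
    the behaviour Comment 12 describes for the GNOME deployment."""
    reason = spam_reason(text)
    if reason and auto_disable:
        author.disabled_text = f"Automatically disabled for comment spam: {reason}"
    return reason


if __name__ == "__main__":
    # Constructed sample comments.
    spammer = Account("spam@example.invalid")
    print(screen_comment("Call 1-800-555-0199 for support", spammer), "->", spammer.disabled_text)
    dev = Account("dev@example.invalid")
    print(screen_comment("Fixed in bug 1800555, see changeset 8005550199a1", dev))
```

Note that a bare ten-digit number with no separators and no surrounding word characters still matches the phone pattern; if your bug text routinely contains such numbers (ticket ids from another system, for instance), require at least one separator or parentheses in the pattern and accept that some spam slips through to moderation instead.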

Comment 13

2 years ago
Thank you everyone for the suggestions. I've installed AntiSpam and some regexes and custom words. Along with LimitedEmail modified to block certain email domains that appear to be used almost exclusively for spam. We've reopened our bugzilla instance and will see if this helps. @OlavVitters would you be open to sharing the code modifications to block/ban the user? I see no reason to allow spammers to keep their accounts active.

Comment 14

2 years ago
(In reply to James Riordon from comment #13)
> would you be open to sharing the code modifications to block/ban the user?

https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/AntiSpam/Extension.pm?h=production#n85

Comment 15

2 years ago
Thank you. Next time I will look at the code before posting.

Comment 16

2 years ago
(In reply to Andre Klapper from comment #11)
> For the records, in GNOME Bugzilla, Olav wrote and deployed a custom
> extension which allows blocking certain strings and regular expressions:
> https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/
> extensions/AntiSpam?h=production

The README says: Recommend not to use this extension anywhere else. The functionality is really specific.

Apparently it still works just fine for Khronos Group. Any details about the specific functionality?

Comment 17

2 years ago
Copy & paste mistake from https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/extensions/GNOME/README I'm afraid. :) Glad to hear things work for you!

Comment 18

2 years ago
(In reply to Andre Klapper from comment #11)
> For the records, in GNOME Bugzilla, Olav wrote and deployed a custom
> extension which allows blocking certain strings and regular expressions:
> https://git.gnome.org/browse/bugzilla-gnome-org-customizations/tree/
> extensions/AntiSpam?h=production

Thanks for that!  Such a simple extension, I was asking for exactly that some time ago.

I've deployed it to two of our smaller BZ instances, will deploy to bugs.e.o tomorrow morning.

Comment 19

2 years ago
Would it be useful to set noindex+nofollow for recently-modified bugs, e.g.

https://github.com/geraldcombs/bugzilla/commit/3577c07f18d6f671f52856a6385cbaa8982aacbf ?

This wouldn't necessarily keep people from posting spam, but it might make Bugzilla a less useful spam publishing platform.