Bugzilla feeds spammers with valid mail addresses




12 years ago


(Reporter: Oliver Kluge, Unassigned)





12 years ago
User-Agent:       Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.12) Gecko/20050922
Build Identifier: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.12) Gecko/20050922

For years I have used a "real" e-mail address for reporting Mozilla bugs on Bugzilla. After the level of spam went too high, I registered a new "disposable" address with Bugzilla. This address is only used on Bugzilla, nowhere else. That was four weeks ago.

Not one single spam arrived at the new address.

Two days ago I reported a new Mozilla bug (320696), used the new address for the first time, and almost immediately, on the next day, I received the first spam mail, coming from China.

Because nothing happened for four weeks, I assume that no spam mail harvester looked at my old comments on previous bugs, which is why I believe that the previously opened Bugzilla bug reports about spam address feeding have no relation to this one. _Somehow_ the spam harvester took note of my new bug filing.

Reproducible: Always

Comment 1

12 years ago

*** This bug has been marked as a duplicate of 218917 ***
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE

Comment 2

12 years ago
*** Bug 320864 has been marked as a duplicate of this bug. ***

Comment 3

12 years ago
My apology for the dupe #320864. But I still think the spam I received is unrelated to the issues discussed in #218917. How can a spammer in China find my new address on a new bug within 24 hours?

Comment 4

12 years ago
They can query, for example, the bugs filed in the last 24 hours. Or even simpler, they know the last valid bug ID, and they can try to fetch the next one every X minutes or so until it becomes valid (and they move to the next one).

A non-predictable bug ID would help only if it weren't for the "bugs filed in the last 24 hours" query :)

So it wouldn't help :)


12 years ago
OS: OS/2 → All
Hardware: PC → All
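
A detection sketch for the next-ID polling described in Comment 4, added here as an example and not part of the original thread or of Bugzilla's code: it flags clients that request a bug ID before that bug exists. The log layout, the `BUG_CREATED` table and all sample values are constructed assumptions; `show_bug.cgi?id=` is Bugzilla's bug-view URL.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: bug id -> creation time (assumed to come from the tracker's database).
BUG_CREATED = {
    1001: datetime(2005, 12, 15, 10, 2),
    1002: datetime(2005, 12, 15, 10, 31),
}

# Constructed access-log lines in an assumed "client timestamp request" layout.
SAMPLE_LOG = """\
203.0.113.7 2005-12-15T10:00:00 GET /show_bug.cgi?id=1001
203.0.113.7 2005-12-15T10:01:00 GET /show_bug.cgi?id=1001
203.0.113.7 2005-12-15T10:05:00 GET /show_bug.cgi?id=1001
203.0.113.7 2005-12-15T10:10:00 GET /show_bug.cgi?id=1002
198.51.100.20 2005-12-15T10:15:00 GET /show_bug.cgi?id=1001
203.0.113.7 2005-12-15T10:20:00 GET /show_bug.cgi?id=1002
203.0.113.7 2005-12-15T10:30:00 GET /show_bug.cgi?id=1002
203.0.113.7 2005-12-15T10:35:00 GET /show_bug.cgi?id=1002
198.51.100.20 2005-12-15T11:00:00 GET /show_bug.cgi?id=1002
198.51.100.20 2005-12-15T11:05:00 GET /show_bug.cgi?id=1003
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /show_bug\.cgi\?id=(\d+)$")


def parse(log_text):
    """Yield (client, timestamp, bug_id) for every bug-view request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), datetime.fromisoformat(m.group(2)), int(m.group(3))


def frontier_pollers(log_text, created, min_early=3):
    """Return {client: count} for clients with at least min_early requests
    for a bug id that did not exist yet at the time of the request."""
    early = Counter()
    for client, ts, bug_id in parse(log_text):
        born = created.get(bug_id)
        # Unknown id, or a request made before the bug was filed: a probe of the next id.
        if born is None or ts < born:
            early[client] += 1
    return {c: n for c, n in early.items() if n >= min_early}


if __name__ == "__main__":
    print(frontier_pollers(SAMPLE_LOG, BUG_CREATED))
```

The threshold keeps a single mistyped ID from flagging a normal reader. This covers only the ID-polling path; the "bugs filed in the last 24 hours" query from the same comment is a different request and needs its own check.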

Comment 5

12 years ago
Okay, obviously even simpler to harvest mail addresses from Bugzilla than I thought. We _must_ get rid of e-mail displaying to anyone...

And your argument clearly invalidates the arguments of others I have read on the other Bugzilla spam bug reports, that "no one cares about Bugzilla, because m.b.o. as the biggest Bugzilla installation is still too small to be of interest to spammers" and "spammers will never get accounts" or "spammers cannot harvest mail addresses using m.b.o. accounts because they would reveal themselves because of ridiculously high hit counters for that account".

Sadly, and obviously, there are folks in China with enough time and energy to harvest m.b.o. and immediately use the generated addresses for new spam...