Closed Bug 320863 Opened 19 years ago Closed 19 years ago

Bugzilla feeds spammers with valid mail addresses

Categories

(Bugzilla :: Bugzilla-General, defect)

RESOLVED DUPLICATE of bug 218917

People

(Reporter: ok34, Unassigned)

User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.12) Gecko/20050922
Build Identifier: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.7.12) Gecko/20050922

For years I have used a "real" e-mail address for reporting Mozilla bugs on Bugzilla. After the level of spam went too high, I registered a new "disposable" address with Bugzilla. This address is only used on Bugzilla, nowhere else. That was four weeks ago. Not one single spam arrived at the new address.

Two days ago I reported a new Mozilla bug (320696), used the new address for the first time, and almost immediately, on the next day, I received the first spam mail, coming from China.

Because nothing happened for four weeks, I assume that no spam mail harvester looked at my old comments on previous bugs, which is why I believe that the previously opened Bugzilla bug reports about spam address feeding have no relation to this one. _Somehow_ the spam harvester took note of my new bug filing.

Reproducible: Always
*** This bug has been marked as a duplicate of 218917 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
*** Bug 320864 has been marked as a duplicate of this bug. ***
My apology for the dupe #320864. But I still think the spam I received is unrelated to the issues discussed in #218917. How can a spammer in China find my new address on a new bug within 24 hours?
They can query, for example, the bugs filed in the last 24 hours. Or even more simply, they know the last valid bug ID, and they can try to fetch the next one every X minutes or so until it becomes valid (and they move to the next one). A non-predictable bug ID would help only if it weren't for the "bugs filed in the last 24 hours" query :) So it wouldn't help :)
OS: OS/2 → All
Hardware: PC → All
Okay, obviously even simpler to harvest mail addresses from Bugzilla than I thought. We _must_ get rid of e-mail displaying to anyone... And your argument clearly invalidates the arguments of others I have read on the other Bugzilla spam bug reports, that "no one cares about Bugzilla, because m.b.o. as the biggest Bugzilla installation is still too small to be of interest to spammers" and "spammers will never get accounts" or "spammers cannot harvest mail addresses using m.b.o. accounts because they would reveal themselves because of ridiculously high hit counters for that account". Sadly, and obviously, there are folks in China with enough time and energy to harvest m.b.o. and immediately use the generated addresses for new spam...
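The polling pattern described in the comments above (requesting the next bug ID repeatedly until it becomes valid, then moving on to the following one) leaves a recognizable trace in web server access logs. The following detection sketch is an added example, not part of the original bug thread or of Bugzilla's code; the log line layout, timestamps, client addresses, bug ID 320865 and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (client, bug ID requested), in arrival order.
_HITS = [("203.0.113.7", 320863), ("198.51.100.20", 320696),
         ("203.0.113.7", 320863), ("203.0.113.7", 320863),
         ("198.51.100.21", 320863), ("203.0.113.7", 320864),
         ("198.51.100.21", 320863), ("203.0.113.7", 320864),
         ("198.51.100.21", 320863), ("203.0.113.7", 320864),
         ("198.51.100.20", 218917), ("198.51.100.21", 320864),
         ("203.0.113.7", 320865)]
# Rendered in an assumed access-log layout (constructed, not a real log).
SAMPLE_LOG = "\n".join(
    f'{ip} [10/Dec/2005:10:{i:02d}:00 +0000] "GET /show_bug.cgi?id={bug} HTTP/1.1"'
    for i, (ip, bug) in enumerate(_HITS))

LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "GET /show_bug\.cgi\?id=(\d+)\b')

def find_id_pollers(log_text, min_repeats=3, min_steps=2):
    """Flag clients that re-request one bug ID, then step to ID+1, repeatedly.

    Returns {client: number of such steps}. A single step is common for
    ordinary users (reloading a bug, then opening its neighbour), so
    min_steps defaults to 2 to require the walk to continue.
    """
    runs = defaultdict(list)  # client -> [[bug_id, consecutive_requests], ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a show_bug.cgi request, or unparseable
        client, bug_id = m.group(1), int(m.group(2))
        if runs[client] and runs[client][-1][0] == bug_id:
            runs[client][-1][1] += 1
        else:
            runs[client].append([bug_id, 1])
    flagged = {}
    for client, seq in runs.items():
        steps = sum(1 for (prev_id, hits), (next_id, _) in zip(seq, seq[1:])
                    if hits >= min_repeats and next_id == prev_id + 1)
        if steps >= min_steps:
            flagged[client] = steps
    return flagged

if __name__ == "__main__":
    print(find_id_pollers(SAMPLE_LOG))
```

This only covers the ID-walking approach; harvesting through the "bugs filed in the last 24 hours" query mentioned in the same comment would need a separate check on search requests.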