Open
Bug 399010
Opened 17 years ago
Updated 11 years ago
email_in mails "not a valid user" error notifications to spammers with invalid email addresses
Categories
(Bugzilla :: Incoming Email, defect)
Tracking
()
NEW
People
(Reporter: fe, Unassigned)
Details
Attachments
(1 file)
627 bytes,
patch
|
Details | Diff | Splinter Review |
User-Agent: Opera/9.23 (Windows NT 5.0; U; en) Build Identifier: 3.02 Bugzilla should have option "NOT email error notification to invalid users" Reproducible: Always Steps to Reproduce: 1. Spammer send to bugzilla an email Actual Results: Bugzilla sends him a reply. Expected Results: Bugzilla should have option "NOT email error notification to invalid users". And if this option is enabled - bugzilla should not send such kind of emails. I've got a VERY big /var/spool/mqueue, all filled with nondelivered replies of this kind.
Reporter | ||
Updated•17 years ago
|
Version: unspecified → 3.0.2
Comment 1•17 years ago
|
||
You can just disable email to them using editusers.cgi.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Comment 2•17 years ago
|
||
Oh wait, I see what you mean. You want email_in to not send an error to somebody if they're not a valid user. Or at least, an option to do that. Okay, we should express this as a problem instead: Bugzilla responds to spammers with invalid email addresses and tells them they're not a valid user.
Severity: enhancement → normal
Status: RESOLVED → UNCONFIRMED
OS: Windows 2000 → All
Hardware: PC → All
Resolution: WONTFIX → ---
Summary: Bugzilla should have option "NOT email error notification to invalid users" → email_in mails "not a valid user" error notifications to spammers with invalid email addresses
Updated•17 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter | ||
Comment 3•17 years ago
|
||
By the way. Bugzilla must check a validity of user BEFORE any other checks and even before any other mail parsing. Otherwise, Bugzilla will be send an errors message, like in Bug 399004, to spammers too.
Reporter | ||
Comment 4•17 years ago
|
||
This is a hacky patch. There is no new option in Bugzilla, just exit if user is invalid.
Comment 5•16 years ago
|
||
Fedor, you mean the error is thrown when parsing the email, right? Because if the user is invalid, then email_in.pl already won't call post_bug.cgi/process_bug.cgi. If that's what you are talking about, I think your fix is correct. But in this case, we should remove the check at the end of the script as you won't be able to alter the reporter field when bug 419188 will be fixed.
Assignee: incoming.email → fe
Target Milestone: --- → Bugzilla 3.0
Comment 6•16 years ago
|
||
If we implement this, we also need to implement confirmation for successful changes or newly-filed bugs, or people could not realize that their change never happened. The confirmations should be a user preference. (And should be done in a separate bug, one I think is already filed.)
Comment 7•16 years ago
|
||
(In reply to comment #6) > If we implement this, we also need to implement confirmation for successful > changes or newly-filed bugs, or people could not realize that their change > never happened. Yes, I agree. This would be good to have. When I entered wrong labels on landfill, and saw no changes, I first thought Gmail was slow at sending my email. The confirmations should be a user preference. (And should be > done in a separate bug, one I think is already filed.) A user pref is indeed useful as some users may already get normal bugmail for changes they did, and wouldn't want to get another notification. But I cannot find the bug you are talking about. Maybe not filed yet.
Reporter | ||
Comment 8•16 years ago
|
||
(In reply to comment #5) > Fedor, you mean the error is thrown when parsing the email, right? If my memory doesn't lies to me - no. Error on parsing the email is described in Bug 399004 > Because if the user is invalid, then email_in.pl already won't call > post_bug.cgi/process_bug.cgi. Yeah, becourse it breaks on this line: my $user = Bugzilla::User->new({ name => $username }) || ThrowUserError('invalid_username', { name => $username }); And this line sends an "invalid username" error report to spammer. Spammer is happy :) I think, that in some cases an "invalid username" error report may be useful. For example, internal Bugzilla's installation in some huge organisations. There is no worldwide emails, but there is invalid usernames (new employee). So, I think, that Bugzilla should have a system option for this. > But in this case, we should remove the check at the end of the script as you > won't be able to alter the reporter field when bug 419188 will be fixed. Unfortunately, I'm not authorized to access this bug.
Reporter | ||
Comment 9•16 years ago
|
||
(In reply to comment #7) > But I cannot find the bug you are talking about. Maybe not filed yet. Done. Bug 422345
Comment 10•16 years ago
|
||
The Bugzilla 3.0 branch is now locked to security bugs and dataloss fixes only. This bug doesn't fit into one of these two categories and is retargetted to 3.2 as part of a mass-change. To catch bugmails related to this mass-change, use lts081207 in your email client filter.
Target Milestone: Bugzilla 3.0 → Bugzilla 3.2
Comment 11•15 years ago
|
||
Bugzilla 3.2 is restricted to security bugs only. Moreover, this bug is either assigned to nobody or got no traction for several months now. Rather than retargetting it at each new release, I'm clearing the target milestone and the bug will be retargetted to some sensible release when someone starts fixing this bug for real (Bugzilla 3.8 more likely).
Target Milestone: Bugzilla 3.2 → ---
Updated•14 years ago
|
Assignee: fe → incoming.email
You need to log in
before you can comment on or make changes to this bug.
Description
•