Open Bug 467763 Opened 16 years ago Updated 11 years ago

add a parameter to ban whole domains from creating accounts

Categories: Bugzilla :: Administration (type: task)
Priority: Not set
Severity: normal
People: Reporter: ot; Unassigned
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Build Identifier:

Our public bugzilla instance has been marred by comment spam issues lately: people registering for an account, and commenting on bugs with spam URLs. The routine of:

* disabling the account
* delete from longdescs where who=XXXX

is now well established, but the spammers keep coming back with new addresses from the same domain. A cooloff feature such as the one described in Bug 376135 would not be helpful here, since it would only limit the rate at which the spammers do their deed.

createaccount.cgi does use the createemailregexp parameter, but it can only be used to limit accounts to a given domain, not ban certain domains and let anyone else use the bugzilla, as most open source projects would probably prefer. createemailregexp might be used to match "anything but this domain", but with a level of regexp complexity alien even to decent programmers.

I suggest a banemaildomains parameter, possibly a comma-separated list of domains which, if matched, would be prevented from creating accounts, logging in, or performing any action.

Reproducible: Always

Steps to Reproduce:
1. install a public bugzilla on a high-pagerank domain
2. secure the bugzilla but let anyone file bugs, comment (for open source project)
3. wait for spammers to come

Actual Results:
SPAM! :)

Expected Results:
SPAM!... but the kind one could ideally clean up automatically, and at least prevent from happening again.
I don't think it makes sense to have another parameter to ban domains. Which domains do you see as being abused by spammers?
(In reply to comment #1)
> I don't think it makes sense to have another parameter to ban domains.

Well, maybe it's a very limited need, but I do see a value for it! Unless you can suggest solutions to limit the spam other than 1) not letting anyone create an account (not a good idea for our open source projects) or 2) keep wasting time cleaning up the spam every day.

> Which domains do you see as being abused by spammers?

W3C's public bugzilla.
(In reply to comment #1)
> I don't think it makes sense to have another parameter to ban domains. Which
> domains do you see as being abused by spammers?

If an installation uses disable_mail (or disabled_text) only for disabling spammers, I think the following SQL is worthwhile for this issue:

    SELECT count(*) FROM profiles WHERE disable_mail = 1 AND RIGHT(login_name, LENGTH("@domain")) = "@domain";
It's easy enough to do this like:

    createemailregexp = (?!somedomain.com)$
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
(In reply to comment #4)
> It's easy enough to do this like: createemailregexp = (?!somedomain.com)$

Hi Max, I'm afraid that does not work. We talked about it on IRC yesterday, and it seems that this usage of a zero-width negative lookahead assertion would basically match any string... Try this:

    #!/usr/local/bin/perl
    use strict;
    use warnings;
    # Both addresses match: "$" only matches at the end of the string, where
    # nothing can follow, so the negative lookahead can never fail.
    my $addr = 'x@evildoers.com';
    print "$addr\n";
    print $addr =~ /(?!evildoers.com)$/;    # prints 1 (match)
    print "\n";
    $addr = 'x@goodguys.com';
    print "$addr\n";
    print $addr =~ /(?!evildoers.com)$/;    # prints 1 (match)
    print "\n";

... both match. Consequently, I'd like to reopen the Bug.
Yeah, the negative regexp doesn't work. Reopening for now. This doesn't mean we are going to implement this, though.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
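To show why the pattern from comment #4 accepts every login, and what an "anything but these domains" createemailregexp actually needs, here is an added example (not code from this thread or from Bugzilla). It assumes Bugzilla applies createemailregexp as an unanchored match, which re.search reproduces; the lookahead and anchor semantics are the same in Perl, and the ban list is constructed from domain names mentioned in this thread.

```python
import re

# Assumption: Bugzilla applies createemailregexp as an unanchored Perl match
# ("$login =~ /$regexp/"); re.search is the equivalent here, and the
# lookahead/anchor behaviour shown below is the same in Perl.

# The pattern from comment #4.  "$" can only match at the end of the login,
# where no text follows, so (?!somedomain.com) can never fail: every login
# is accepted, as the Perl test in comment #5 showed.
BROKEN = r"(?!somedomain.com)$"

# Constructed ban list using domain names that appear in this thread.
BANNED_DOMAINS = ["somedomain.com", "sharklasers.com"]

# A pattern that really means "anything but these domains": anchor the
# lookahead at the start so it scans the whole login, escape the dots, and
# require the banned domain to be everything after an "@" up to the end of
# the string.  (?i) because mail domains are case-insensitive.
FIXED = r"(?i)^(?!.*@(?:%s)$)" % "|".join(re.escape(d) for d in BANNED_DOMAINS)


def creation_allowed(login: str, createemailregexp: str) -> bool:
    """True if the login passes the createemailregexp check."""
    return re.search(createemailregexp, login) is not None


def evaluate(logins, pattern):
    """Map each login to its allow/deny decision under the given pattern."""
    return {login: creation_allowed(login, pattern) for login in logins}


if __name__ == "__main__":
    samples = [                       # constructed test logins
        "x@somedomain.com",           # should be denied
        "y@sharklasers.com",          # should be denied
        "x@goodguys.com",             # should be allowed
        "X@SomeDomain.COM",           # same banned domain, different case
        "x@somedomain.com.example",   # a different domain, must stay allowed
        "x@notsomedomain.com",        # also a different domain
    ]
    for name, pattern in (("broken", BROKEN), ("fixed", FIXED)):
        print(name)
        for login, allowed in evaluate(samples, pattern).items():
            print(f"  {login:28s} {'allow' if allowed else 'deny'}")
```

Under BROKEN every sample is allowed; under FIXED only the three banned-domain logins are denied, while the look-alike domains stay allowed.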
I changed my mind, and I think it would indeed be a good idea, and much easier than any complex regexp in createemailregexp.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Prime example of why this is needed: bug 923590 comments 127-130. User banned for profane rant, then immediately created a new account. Banned that one too, currently waiting to see if they're up for a 3rd round. The sharklasers.com provider has been used by ~40 other bugzilla accounts, most of which seem to have been banned in the past.
It's also commonplace nowadays for users to have a personal domain, where anything in front of the @ goes to them on that domain. (I have one myself).
Look who's back! Can we _please_ do something about this? Bugzilla's lack of abuse controls is really annoying. https://bugzilla.mozilla.org/page.cgi?id=user_activity.html&action=run&from=-14d&who=odrszlrr%40sharklasers.com