Bug 495087 - Addon GUID format attracts spam
Product: Developer Documentation
Classification: Other
Component: General
Assigned To: Nobody; OK to take it and work on it
Reported: 2009-05-27 10:14 PDT by John Mellor (Jomel)
Modified: 2013-04-11 13:38 PDT


Description John Mellor (Jomel) 2009-05-27 10:14:49 PDT
Extensions are recommended ([1], [2]) to use ids of the format extensionname@organization.tld, where organization.tld is typically a valid domain name owned by the author. Unfortunately, spammers find these ids (more likely because people list them online than by actually unpacking extensions) and send email to them. I'm currently receiving over 200 spam emails a day sent to my addon id email addresses (which I have never publicised). While in theory this is easy to block, spammers also email hundreds of variants of the email addresses, rendering it very difficult to use a catch-all email address on the domain.

If ids continue to be in email address format, perhaps Mozilla should recommend (on the pages below) that users use a fake domain name, and/or domains like ?


P.S. Sorry if this isn't the right category - there wasn't anything very appropriate.
Comment 1 Dave Garrett 2009-05-27 10:48:35 PDT
If you own a domain name and use it anywhere for anything you're going to get some spam. No way to avoid that. I don't think using a fake domain is a good idea here, because the point of using one you own is to prevent the possibility of someone else having it. I also don't foresee this format being dropped at any point, as that would obviously break quite a bit. If you're worried about spam from this I suggest you just use a generated xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx style GUID instead.

Yeah, AMO Policy isn't really the right place for this. If you're suggesting a page change to mention this problem then I guess filing it for MDC might be better.
Comment 2 Wil Clouser [:clouserw] 2009-05-27 10:50:52 PDT
I think AMO is promoting the email style GUID over the generated style.  CCing nick.
Comment 3 Dave Garrett 2009-05-27 11:01:22 PDT
(In reply to comment #2)
> I think AMO is promoting the email style GUID over the generated style.

Really? Where is this mentioned on AMO then?
Comment 4 Fred Wenzel [:wenzel] 2009-05-27 12:09:15 PDT
(In reply to comment #2)
> I think AMO is promoting the email style GUID over the generated style.  CCing
> nick.

Yeah, I don't think AMO advertises anything related to GUIDs, so it's a question of documentation, and I think MDC is a good place for this bug. I feel empathy with the authors, as I can see the effect of randomized spam attacks in my own log files daily ;) Promoting a dummy email address over a valid one may help keep inexperienced add-on authors from stepping into this "trap", so I am in favor of mentioning that on MDC.
Comment 5 Eric Shepherd [:sheppy] 2009-05-28 12:16:13 PDT
Changing this on MDC would involve changing a lot of pages. I don't have time to deal with it right now, so this may sit around for a while unless someone else wants to deal with it; the email address route is recommended in a *lot* of places. :)
Comment 6 Nick Nguyen [:osunick] 2009-05-28 17:59:41 PDT
We don't promote anything; perhaps we put in a little helper text on the id field that suggests using generated GUIDs to avoid spam.
Comment 7 Jorge Villalobos [:jorgev] 2012-12-31 07:09:12 PST
The email format is what we recommend because it works as a better identifier than a generated one. Using your personal email address as a public id is not a very good idea, especially if your add-on is open source and its source is published somewhere. I feel that this should be common sense and no further action is required, but I'll let the docs people make the call.
Comment 8 Eric Shepherd [:sheppy] 2013-04-11 13:38:58 PDT
Updated both of the articles mentioned in c#0 to clearly say not to use email addresses.
