Addon GUID format attracts spam



Developer Documentation
8 years ago
4 years ago


(Reporter: John Mellor (Jomel), Unassigned)





8 years ago
Extensions are recommended ([1], [2]) to use ids of the format extensionname@organization.tld, where organization.tld is typically a valid domain name owned by the author. Unfortunately, spammers find these ids (more likely because people list them online than by actually unpacking extensions) and send email to them. I'm currently receiving over 200 spam emails a day sent to my addon id email addresses (which I have never publicised). While in theory this is easy to block, spammers also email hundreds of variants of the email addresses, rendering it very difficult to use a catch-all email address on the domain.

If id's continue to be in email address format, perhaps Mozilla should recommend (on the pages below) that users use a fake domain name, and/or domains like ?


P.S. Sorry if this isn't the right category - there wasn't anything very appropriate.

Comment 1

8 years ago
If you own a domain name and use it anywhere for anything you're going to get some spam. No way to avoid that. I don't think using a fake domain is a good idea here, because the point of using one you own is to prevent the possibility of someone else having it. I also don't foresee this format being dropped at any point, as that would obviously break quite a bit. If you're worried about spam from this I suggest you just use a generated xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx style GUID instead.

Yeah, AMO Policy isn't really the right place for this. If you're suggesting a page change to mention this problem then I guess filing it for MDC might be better.
Component: Policy → Documentation Requests
Product: → Mozilla Developer Center
QA Contact: policy → doc-request
I think AMO is promoting the email style GUID over the generated style.  CCing nick.

Comment 3

8 years ago
(In reply to comment #2)
> I think AMO is promoting the email style GUID over the generated style.

Really? Where is this mentioned on AMO then?
(In reply to comment #2)
> I think AMO is promoting the email style GUID over the generated style.  CCing
> nick.

Yeah I don't think AMO advertises anything related to GUIDs, so it's a question of documentation, and I think MDC is a good place for this bug. I feel empathy with the authors, as I can see the effect of randomized spam attacks in my own log files daily ;) Promoting a dummy email address over a valid one may help keep unexperienced add-on authors from stepping into this "trap", so I am in favor of mentioning that on MDC.
Changing this on MDC would involve changing a lot of pages. I don't have time to deal with it right now, so this may sit around for a while unless someone else wants to deal with it; the email address route is recommended in a *lot* of places. :)
We don't promote anything, perhaps we put in a little helper text on the id field that suggests using generated GUIDs to avoid spam.


7 years ago
Depends on: 647741
No longer depends on: 647741


5 years ago
Component: Documentation Requests → Documentation
Product: Mozilla Developer Network → Mozilla Developer Network
Component: Documentation → General
Product: Mozilla Developer Network → Developer Documentation
The email format is what we recommend because it works as a better identifier that a generated one. Using your personal email address as a public id is not a very good idea, specially if your add-on is open source and its source is published somewhere. I feel that this should be common sense and no further action is required, but I'll let the docs people make the call.
Updated both of the articles mentioned in c#0 to clearly say not to use email addresses.
Last Resolved: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.