getting spammed on bugzilla

getting spammed on bugzilla

[Joel Brobecker]

Hello,

Our bugzilla instance is being used as a spamming platform.
Spammers do so by just posting answers to random PRs.

As a result of this:

   - The PRs gets polluted with these annoying messages that
     we cannot remove (just mark as spam, which is a game of
     wack-a-mole and personally a waste of our precious time);

   - People on the Cc: list get emails about them.

     I wouldn't be exagerating if I said that 95% of emails I am
     getting from bugzilla, at the moment, is spam.

I think the problem is that spammers can create their account
without any form of validation.

Is there something we could do about this?

Pedro tells us that:
> LLVM has solved this by disabling new user self-registration:
>
>   https://bugs.llvm.org/enter_bug.cgi
>
> "New user self-registration is disabled due to spam. For an account please email
> bugs-admin@lists.llvm.org
> with your e-mail address and full name."

I'm happy to help with answering those legitimate account
creations, if that makes a differnce.

Any other ideas, perhaps?

Thank you!
-- 
Joel

Re: getting spammed on bugzilla

[Andrew Pinski]

On Wed, Nov 10, 2021 at 7:29 PM Joel Brobecker via Overseers
<overseers@sourceware.org> wrote:
>
> Hello,
>
> Our bugzilla instance is being used as a spamming platform.
> Spammers do so by just posting answers to random PRs.
>
> As a result of this:
>
>    - The PRs gets polluted with these annoying messages that
>      we cannot remove (just mark as spam, which is a game of
>      wack-a-mole and personally a waste of our precious time);
>
>    - People on the Cc: list get emails about them.
>
>      I wouldn't be exagerating if I said that 95% of emails I am
>      getting from bugzilla, at the moment, is spam.
>
> I think the problem is that spammers can create their account
> without any form of validation.
>
> Is there something we could do about this?
>
> Pedro tells us that:
> > LLVM has solved this by disabling new user self-registration:
> >
> >   https://bugs.llvm.org/enter_bug.cgi
> >
> > "New user self-registration is disabled due to spam. For an account please email
> > bugs-admin@lists.llvm.org
> > with your e-mail address and full name."
>
> I'm happy to help with answering those legitimate account
> creations, if that makes a differnce.
>
> Any other ideas, perhaps?

GCC already disables new account creation; while sourceware does not.
I know the gcc bugzilla did get some spam last week and even at that
point, the account had been created manually too (GCC has had new
accounts disable for over a few years now even).
So what looked like a legitimate request and turned out not to be, did
slip through.  Fixing that is hard really.

Thanks,
Andrew Pinski

>
> Thank you!
> --
> Joel

Re: getting spammed on bugzilla

[Joel Brobecker]

> > > LLVM has solved this by disabling new user self-registration:
> > >
> > >   https://bugs.llvm.org/enter_bug.cgi
> > >
> > > "New user self-registration is disabled due to spam. For an account please email
> > > bugs-admin@lists.llvm.org
> > > with your e-mail address and full name."
> >
> > I'm happy to help with answering those legitimate account
> > creations, if that makes a differnce.
> >
> > Any other ideas, perhaps?
> 
> GCC already disables new account creation; while sourceware does not.
> I know the gcc bugzilla did get some spam last week and even at that
> point, the account had been created manually too (GCC has had new
> accounts disable for over a few years now even).
> So what looked like a legitimate request and turned out not to be, did
> slip through.  Fixing that is hard really.

Interesting. Thanks for sharing Andrew.

My thinking on this is that we should try doing the same for
sourceware's bugzilla, and see how it goes. I'm hoping the extra
step will be a high enough barrier that it'll encourage the majority
of spammers to find somewhere else to go. Even if not perfect, if
we can block the majority of spam, that'll already be a great win
for us.

-- 
Joel

Re: getting spammed on bugzilla

[Mark Wielaard]

Hi,

On Fri, Nov 12, 2021 at 08:40:33AM +0400, Joel Brobecker via Overseers wrote:
> My thinking on this is that we should try doing the same for
> sourceware's bugzilla, and see how it goes. I'm hoping the extra
> step will be a high enough barrier that it'll encourage the majority
> of spammers to find somewhere else to go. Even if not perfect, if
> we can block the majority of spam, that'll already be a great win
> for us.

I don't like it, but I don't see another solution.  I did tweak the
spam filters to count http[s]:// and reject any comments containing
10+ urls. That seems to have worked a little. But soon after we saw
even more spam comments that simply use 1 url (and copy/paste some
earlier comment text). Currently I am blocking ~3 users and tagging
~10 comments as spam a day. Which isn't really productive use of my
time, and not really sustainable. So unless someone knows a better way
of automatically detecting spam bugzilla comments and blocking users
that post them I am afraid we will have to restrict who can sign up
for a bugzilla account or explicitly approve first time bug posters.

Cheers,

Mark

Re: getting spammed on bugzilla

[Carlos O'Donell]

On 11/12/21 03:55, Mark Wielaard via Overseers wrote:
> Hi,
> 
> On Fri, Nov 12, 2021 at 08:40:33AM +0400, Joel Brobecker via Overseers wrote:
>> My thinking on this is that we should try doing the same for
>> sourceware's bugzilla, and see how it goes. I'm hoping the extra
>> step will be a high enough barrier that it'll encourage the majority
>> of spammers to find somewhere else to go. Even if not perfect, if
>> we can block the majority of spam, that'll already be a great win
>> for us.
> 
> I don't like it, but I don't see another solution.  I did tweak the
> spam filters to count http[s]:// and reject any comments containing
> 10+ urls. That seems to have worked a little. But soon after we saw
> even more spam comments that simply use 1 url (and copy/paste some
> earlier comment text). Currently I am blocking ~3 users and tagging
> ~10 comments as spam a day. Which isn't really productive use of my
> time, and not really sustainable. So unless someone knows a better way
> of automatically detecting spam bugzilla comments and blocking users
> that post them I am afraid we will have to restrict who can sign up
> for a bugzilla account or explicitly approve first time bug posters.

I'd say we disable new account creation.

It saddens me, but it's the only solution.

For the glibc wiki new account creation requires EditGroup and that requires talking
to the community and that solved all spam problems.

-- 
Cheers,
Carlos.

Re: getting spammed on bugzilla

[Joel Brobecker]

Hello,

Thanks everyone who provided feedback on this issue.

I think we all agree to change the bugzilla configuration to force
users who want to create an account to talk to someone from the
community first.

Does anyone know how this would work? Do we redirect people to
a mailing-list, and then those in the mailing-list create accounts
for those new users?

-- 
Joel

Re: getting spammed on bugzilla

[Mark Wielaard]

Hi,

On Mon, 2021-11-22 at 08:03 +0400, Joel Brobecker wrote:
> I think we all agree to change the bugzilla configuration to force
> users who want to create an account to talk to someone from the
> community first.
> 
> Does anyone know how this would work? Do we redirect people to
> a mailing-list, and then those in the mailing-list create accounts
> for those new users?

Unfortunately I don't know how to set this up. But given gcc apparently
has this in place already hopefully we can borrow their setup (and
mailing-list?). Both are hosted on sourceware.

I'll try poking some gcc developers to see if someone knows how it is
setup for them and if we can share resources.

Cheers,

Mark

Re: getting spammed on bugzilla

[Frank Ch. Eigler]

Hi -

> > Does anyone know how this would work? Do we redirect people to
> > a mailing-list, and then those in the mailing-list create accounts
> > for those new users?
> 
> Unfortunately I don't know how to set this up.  [...]

How about let's keep simple and direct people to overseers@ for now.

- FChE

Re: getting spammed on bugzilla

[Mark Wielaard]

Hi Frank,

On Wed, Nov 24, 2021 at 09:55:11AM -0500, Frank Ch. Eigler wrote:
> > > Does anyone know how this would work? Do we redirect people to
> > > a mailing-list, and then those in the mailing-list create accounts
> > > for those new users?
> > 
> > Unfortunately I don't know how to set this up.  [...]
> 
> How about let's keep simple and direct people to overseers@ for now.

That is fine if all volunteers are subscribed to overseers and you
aren't afraid it will overwhelm this list.  But we also need a way to
disable new user signups, make people aware they need to provide
(which?) information to the mailinglist and a way for volunteers to
take that information and create new accounts.

Cheers,

Mark

Re: getting spammed on bugzilla

[Frank Ch. Eigler]

Hi -

> > How about let's keep simple and direct people to overseers@ for now.
> 
> That is fine if all volunteers are subscribed to overseers and you
> aren't afraid it will overwhelm this list.  But we also need a way to
> disable new user signups

Ummmmmmmmmmmm about that.  How is this part supposed to work on gcc's
bugzilla?  I just made myself a test user there, with no one else's
approval, and ended up with a user that could append to an existing
bug.  I think someone may have pooched the bugzilla administrative
setting "createemailregexp", setting it to ".*", at some point.
Should these be set to a magic value to actually impose restrictions?

> make people aware they need to provide (which?) information to the
> mailinglist and

That's a matter of <template/en/default/account/create.html.tmp>, which
is now updated on sourceware-bugzilla.

> a way for volunteers to take that information and create new
> accounts.

That's a matter of any bugzilla administrator reading this mailing list
and doing the deed on the administrative Users/New form:

https://sourceware.org/bugzilla/editusers.cgi?action=add

- FChE

Re: getting spammed on bugzilla

[Joseph Myers]

On Wed, 24 Nov 2021, Frank Ch. Eigler via Overseers wrote:

> Hi -
> 
> > > How about let's keep simple and direct people to overseers@ for now.
> > 
> > That is fine if all volunteers are subscribed to overseers and you
> > aren't afraid it will overwhelm this list.  But we also need a way to
> > disable new user signups
> 
> Ummmmmmmmmmmm about that.  How is this part supposed to work on gcc's
> bugzilla?  I just made myself a test user there, with no one else's
> approval, and ended up with a user that could append to an existing
> bug.  I think someone may have pooched the bugzilla administrative
> setting "createemailregexp", setting it to ".*", at some point.
> Should these be set to a magic value to actually impose restrictions?

See extensions/GCC/lib/Constants.pm, BLACKLISTED_DOMAINS.  The idea is 
that users of a range of typically free webmail domains have to go through 
the manual account creation process, while users with other domains 
(personal, corporate, academic, etc.) can typically create their own 
accounts without needing manual approval.  Note that the message in 
template/en/default/account/create.html.tmpl about account creation 
failure (customized for GCC) says "If creating an account fails" - whether 
it fails depends on the domain (and 
template/en/default/global/user-error.html.tmpl has the message given if 
an attempt to create an account fails, again customized for GCC).

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: getting spammed on bugzilla

[Frank Ch. Eigler]

Hi -

On Thu, Nov 25, 2021 at 05:49:39PM +0000, Joseph Myers wrote:
> [...]
> > Ummmmmmmmmmmm about that.  How is this part supposed to work on gcc's
> > bugzilla?  I just made myself a test user there, with no one else's
> > approval [...]
> 
> See extensions/GCC/lib/Constants.pm, BLACKLISTED_DOMAINS.  The idea is 
> that users of a range of typically free webmail domains have to go through 
> the manual account creation process, while users with other domains 
> (personal, corporate, academic, etc.) can typically create their own 
> accounts without needing manual approval.  [...]

Ah.  My vanity domain must not be blacklisted, whew.  After that
email, earlier today, I "fixed" gcc bugzilla to direct all account
requests through to the gcc bugzilla-account-requester list.  Would
you like this set back, or shall we try the new non-discriminating
"everyone gets to ask" format for a while?

- FChE

Re: getting spammed on bugzilla

[Joseph Myers]

On Thu, 25 Nov 2021, Frank Ch. Eigler via Overseers wrote:

> Hi -
> 
> On Thu, Nov 25, 2021 at 05:49:39PM +0000, Joseph Myers wrote:
> > [...]
> > > Ummmmmmmmmmmm about that.  How is this part supposed to work on gcc's
> > > bugzilla?  I just made myself a test user there, with no one else's
> > > approval [...]
> > 
> > See extensions/GCC/lib/Constants.pm, BLACKLISTED_DOMAINS.  The idea is 
> > that users of a range of typically free webmail domains have to go through 
> > the manual account creation process, while users with other domains 
> > (personal, corporate, academic, etc.) can typically create their own 
> > accounts without needing manual approval.  [...]
> 
> Ah.  My vanity domain must not be blacklisted, whew.  After that
> email, earlier today, I "fixed" gcc bugzilla to direct all account
> requests through to the gcc bugzilla-account-requester list.  Would
> you like this set back, or shall we try the new non-discriminating
> "everyone gets to ask" format for a while?

I think it should be set back so account requests are only needed for 
blacklisted domains such as gmail.com.

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: getting spammed on bugzilla

[Mark Wielaard]

Hi Frank,

On Wed, Nov 24, 2021 at 07:19:25PM -0500, Frank Ch. Eigler via Overseers wrote:
> > > How about let's keep simple and direct people to overseers@ for now.
> > 
> > That is fine if all volunteers are subscribed to overseers and you
> > aren't afraid it will overwhelm this list.  But we also need a way to
> > disable new user signups
> 
> Ummmmmmmmmmmm about that.  How is this part supposed to work on gcc's
> bugzilla?  I just made myself a test user there, with no one else's
> approval, and ended up with a user that could append to an existing
> bug.  I think someone may have pooched the bugzilla administrative
> setting "createemailregexp", setting it to ".*", at some point.
> Should these be set to a magic value to actually impose restrictions?

So how does this work now?  As far as I can see the createemailregexp
for gcc is ".*" but for sourceware it is "^$".  So gcc allows
everything, but filters (how?) on the email domain? Would it make
sense to use the same settings for both?

> > make people aware they need to provide (which?) information to the
> > mailinglist and
> 
> That's a matter of <template/en/default/account/create.html.tmp>, which
> is now updated on sourceware-bugzilla.

I would like to update the text so that it asks people to mention the
project they want to report a bug for. So that it is more clear
whether the request is for gcc or a sourceware project. But I don't
really understand how the templates are updated/generated.

> > a way for volunteers to take that information and create new
> > accounts.
> 
> That's a matter of any bugzilla administrator reading this mailing list
> and doing the deed on the administrative Users/New form:
> 
> https://sourceware.org/bugzilla/editusers.cgi?action=add

I find this hard to use. It seems to demand a password and 'Notify
User' isn't enabled by default (should it?). Do people need edituser
permisssion to use this form (who has this and could we maybe make it
so that anybody with editbugs permissions can bless new users?)?

GCC seemed to have a specialized form (although I cannot find it now)
that had more defaults setup correctly. It seems to be defined in
gcc-bugzilla/data/template/extensions/GCC/template/en/default/pages/gcc/addusers.html.tmpl
but I don't know how it is being used.

Cheers,

Mark

Re: getting spammed on bugzilla

[Frank Ch. Eigler]

Hi -

> So how does this work now?  As far as I can see the createemailregexp
> for gcc is ".*" but for sourceware it is "^$".  So gcc allows
> everything, but filters (how?) on the email domain? Would it make
> sense to use the same settings for both?

The GCC side of sourceware uses a domain list to further filter
the .*-accepted ones.  The sourceware side just blocks them all at
the regex level.


> > That's a matter of <template/en/default/account/create.html.tmp>, which
> > is now updated on sourceware-bugzilla.
> 
> I would like to update the text so that it asks people to mention the
> project they want to report a bug for. So that it is more clear
> whether the request is for gcc or a sourceware project. But I don't
> really understand how the templates are updated/generated.

The file name I posted is for the template input: just modify it and
bob is your uncle.  OTOH, only the sourceware bugzilla points people
to overseers@, so it's unambiguous.


> > https://sourceware.org/bugzilla/editusers.cgi?action=add
> 
> I find this hard to use. It seems to demand a password and 'Notify
> User' isn't enabled by default (should it?). Do people need edituser
> permisssion to use this form (who has this and could we maybe make it
> so that anybody with editbugs permissions can bless new users?)?

I don't know.  The people with editusers should be about the same
people as those with editbugs, i.e., bugzilla administrators.  The
higher, the fewer.  The few, the proud.

- FChE

Re: getting spammed on bugzilla

[Mark Wielaard]

Hi,

On Sun, Nov 28, 2021 at 12:35:51PM -0500, Frank Ch. Eigler via Overseers wrote:
> > > That's a matter of <template/en/default/account/create.html.tmp>, which
> > > is now updated on sourceware-bugzilla.
> > 
> > I would like to update the text so that it asks people to mention the
> > project they want to report a bug for. So that it is more clear
> > whether the request is for gcc or a sourceware project. But I don't
> > really understand how the templates are updated/generated.
> 
> The file name I posted is for the template input: just modify it and
> bob is your uncle.

Updated.

> > I find this hard to use. It seems to demand a password and 'Notify
> > User' isn't enabled by default (should it?). Do people need edituser
> > permisssion to use this form (who has this and could we maybe make it
> > so that anybody with editbugs permissions can bless new users?)?
> 
> I don't know.  The people with editusers should be about the same
> people as those with editbugs, i.e., bugzilla administrators.  The
> higher, the fewer.  The few, the proud.

It seems only "admins" can use the form. A user with just editbugs
cannot and gets a permission denied: "Sorry, you aren't a member of
the 'editusers' group, and you don't have permissions to add or remove
people from a group, and so you are not authorized to add, modify or
delete users."

Can we somehow make it so that we have a special user creation page so
that also normal editbugs people can add new users? Is there someone
we can ask how this works on the gcc side?

Cheers,

Mark

Re: getting spammed on bugzilla

[Joseph Myers]

On Sun, 28 Nov 2021, Mark Wielaard via Overseers wrote:

> It seems only "admins" can use the form. A user with just editbugs
> cannot and gets a permission denied: "Sorry, you aren't a member of
> the 'editusers' group, and you don't have permissions to add or remove
> people from a group, and so you are not authorized to add, modify or
> delete users."
> 
> Can we somehow make it so that we have a special user creation page so
> that also normal editbugs people can add new users? Is there someone
> we can ask how this works on the gcc side?

I think it's part of the GCC extension to Bugzilla (an addusers 
permission, since editusers is extremely powerful, effectively full admin 
rights).

https://sourceware.org/pipermail/overseers/2017q4/016024.html

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: getting spammed on bugzilla

[Joel Brobecker]

Hi everyone,

I just realized that I hadn't received any spam from bugzilla, recently.
And I saw that, indeed, the account creation is now going through
overseers. I wanted to thank you all for making that happen.

Thanks again,
-- 
Joel

Re: getting spammed on bugzilla

[Frank Ch. Eigler]

Hi -

> I just realized that I hadn't received any spam from bugzilla, recently.
> And I saw that, indeed, the account creation is now going through
> overseers. I wanted to thank you all for making that happen.

Hey no problem, and thanks Mark for handling 95% of the requests so far.

- FChE