Spammers continue to find new ways to do their business and new ways to cause frustration for those of us who administer software that fosters small, open communities. These communities are fragile and grow up in a delicate environment. The environment needs to remain open: self-registration, the ability to post content, and the option of remaining anonymous are the key to success. Unfortunately, it is also a ripe environment for spammers to abuse.
Spammers have now discovered that bugzilla is one of those environments. For those who don’t know, bugzilla is one of the most common open source bug tracking tools. It is used by many open source projects to allow the community to assist in reporting bugs on and enhancement ideas for each project. The original version of Bugzilla was first created at Netscape in the mid-nineties (back when I was working at Netscape). It was rewritten in 1998 and made available as open source. After AOL bought Netscape, it became one of a number of projects released by the Mozilla Foundation. Although bugzilla continues to be used by many projects, development of bugzilla itself became somewhat stagnant over the years. It hasn’t kept up with the times and, as such, has practically no support for handling spam in the 2007 world. (Version 3.0 just came out in May 2007, nine years after version 2.0 came out.)
At Solid, we’ve been using Bugzilla to track bugs for our solidDB for MySQL product. Around April, people from other open source projects such as Samba, XFCE, and Eclipse started having problems with spammers adding spam as attachments to existing bugs in their bugzilla bug tracking databases. I didn’t notice the problem until Solid got its first bugzilla spam last week (July). I was used to cleaning out spam every day from Solid’s forums, but dealing with spam in Bugzilla is extremely difficult and annoying.
I first tried to upgrade to the new Bugzilla 3.0 in our development instance to see if that would be able to help with the spam problem. Although 3.0 does have support for deleting attachments (finally!), it still takes too many clicks to delete attachments. Spammers can create attachments automatically, and I get stuck with the manual work. In addition, Bugzilla still doesn’t support deleting comments, which spammers can also easily create and place inappropriate content into. Deleting bugs is also not supported, which is also an easy target for spammers to hit. Even trying to delete a user (the spammer) gives a scary message that warns you not to do it or risk causing referential integrity problems in your database (what kind of choice is that?).
After some testing, I decided it wasn’t worth upgrading to 3.0 for the minimal help it would give. It seems like it should be pretty easy to write a small script that automatically deletes all data associated with a spammer, while still keeping referential integrity intact. So that’s what I decided to do. I now have a bugzilla_spammer.rb script (written in Ruby) that helps me keep spam in Bugzilla in check.
What Bugzilla really needs is full application support for protecting against the increasingly sophisticated methods that spammers use to bypass applications. It would be much better to stop spam from getting into Bugzilla in the first place. My program does not help with that at all. It does, however, provide a simple way for you to remove the junk created by spammers that gets entered into your Bugzilla, once it is there. This should be a good enough workaround until the Bugzilla developers add some serious spam protection that will help protect against current-day spammers’ techniques. If you want this feature, please let them know it’s important. And if you’re interested in doing some coding, offer to help! A bug has already been filed against Bugzilla about this problem - bug 380489.
Update: Several people from the Bugzilla team (thanks, Max Kanat-Alexander and Frédéric Buclin!) have pointed out that it is possible to delete a bug in Bugzilla. I should have been more clear, but what I meant was that it is not easy or practical to delete a bug. Deleting a bug requires creating a new product and component and then moving the bug into that product and finally deleting the entire product. And it still doesn’t help in the case that the spammer adds a comment to an existing bug.
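To show what “delete everything a spammer created while keeping referential integrity intact” involves, here is an added example in Ruby. It is not the bugzilla_spammer.rb script from the post; it plans and applies a cleanup against in-memory copies of a few Bugzilla-style tables so it runs offline. The table and column names (profiles, bugs, longdescs, attachments, attach_data, and their key columns), the cascade/reassign choice per foreign key, the FALLBACK_USER id, and all sample rows are assumptions constructed for the example and should be checked against your own instance’s schema before any of the generated SQL is run.

```ruby
require "set"

# Added example, not the post's bugzilla_spammer.rb. Table and column names
# below are assumed Bugzilla 2.x/3.0 names; verify them against your schema.
PRIMARY_KEY = {
  "profiles" => "userid", "bugs" => "bug_id", "longdescs" => "comment_id",
  "attachments" => "attach_id", "attach_data" => "id",
}

# Foreign keys. cascade: true  => a row pointing at a doomed parent is doomed too
#               (a spammer's bug takes its comments and attachments with it).
#               cascade: false => the reference is rewritten to FALLBACK_USER instead,
#               so a legitimate bug merely assigned to the spammer survives.
FKS = [
  { table: "bugs",        column: "reporter",     ref: "profiles",    ref_col: "userid",    cascade: true },
  { table: "bugs",        column: "assigned_to",  ref: "profiles",    ref_col: "userid",    cascade: false },
  { table: "longdescs",   column: "who",          ref: "profiles",    ref_col: "userid",    cascade: true },
  { table: "longdescs",   column: "bug_id",       ref: "bugs",        ref_col: "bug_id",    cascade: true },
  { table: "attachments", column: "submitter_id", ref: "profiles",    ref_col: "userid",    cascade: true },
  { table: "attachments", column: "bug_id",       ref: "bugs",        ref_col: "bug_id",    cascade: true },
  { table: "attach_data", column: "id",           ref: "attachments", ref_col: "attach_id", cascade: true },
]
FALLBACK_USER = 1 # assumed admin account that absorbs reassigned references

# Constructed sample data: user 3 is the spammer.
SAMPLE_DB = {
  "profiles" => [{ "userid" => 1, "login_name" => "admin@example.test" },
                 { "userid" => 2, "login_name" => "alice@example.test" },
                 { "userid" => 3, "login_name" => "spambot@example.test" }],
  "bugs" => [{ "bug_id" => 100, "reporter" => 2, "assigned_to" => 2 },
             { "bug_id" => 101, "reporter" => 3, "assigned_to" => 1 },  # spam bug
             { "bug_id" => 102, "reporter" => 2, "assigned_to" => 3 }], # real bug, assigned to the spammer
  "longdescs" => [{ "comment_id" => 1, "bug_id" => 100, "who" => 2 },
                  { "comment_id" => 2, "bug_id" => 100, "who" => 3 },   # spam comment on a real bug
                  { "comment_id" => 3, "bug_id" => 101, "who" => 3 },
                  { "comment_id" => 4, "bug_id" => 101, "who" => 2 }],  # someone replied to the spam bug
  "attachments" => [{ "attach_id" => 10, "bug_id" => 100, "submitter_id" => 3 }, # spam attachment
                    { "attach_id" => 11, "bug_id" => 102, "submitter_id" => 2 }],
  "attach_data" => [{ "id" => 10 }, { "id" => 11 }],
}

# Child-first table order: a table is emitted once no still-pending table references it.
def deletion_order
  pending = PRIMARY_KEY.keys
  order = []
  until pending.empty?
    leaf = pending.find { |t| FKS.none? { |fk| fk[:ref] == t && fk[:table] != t && pending.include?(fk[:table]) } }
    raise "cyclic foreign keys" if leaf.nil?
    order << leaf
    pending -= [leaf]
  end
  order
end

# { table => Set of primary keys to delete }, closed under the cascading foreign keys.
def doomed_rows(db, spammer_id)
  doomed = Hash.new { |h, k| h[k] = Set.new }
  doomed["profiles"] << spammer_id
  loop do
    before = doomed.values.sum(&:size)
    FKS.select { |fk| fk[:cascade] }.each do |fk|
      db[fk[:table]].each do |row|
        doomed[fk[:table]] << row[PRIMARY_KEY[fk[:table]]] if doomed[fk[:ref]].include?(row[fk[:column]])
      end
    end
    break if doomed.values.sum(&:size) == before # fixpoint: nothing new was pulled in
  end
  doomed
end

# Returns [sql_plan, cleaned_copy_of_db]. The plan is what a dry run would print;
# the copy lets you check the result before touching a real database.
def cleanup(db, spammer_id)
  doomed = doomed_rows(db, spammer_id)
  sql = []
  FKS.reject { |fk| fk[:cascade] }.each do |fk| # reassign first, so nothing dangles later
    pk = PRIMARY_KEY[fk[:table]]
    hit = db[fk[:table]].reject { |r| doomed[fk[:table]].include?(r[pk]) }
                        .select { |r| doomed[fk[:ref]].include?(r[fk[:column]]) }
    next if hit.empty?
    sql << "UPDATE #{fk[:table]} SET #{fk[:column]} = #{FALLBACK_USER} WHERE #{pk} IN (#{hit.map { |r| r[pk] }.join(', ')});"
  end
  deletion_order.each do |t|
    ids = doomed[t].to_a.sort
    sql << "DELETE FROM #{t} WHERE #{PRIMARY_KEY[t]} IN (#{ids.join(', ')});" unless ids.empty?
  end
  new_db = db.to_h do |t, rows|
    kept = rows.reject { |r| doomed[t].include?(r[PRIMARY_KEY[t]]) }.map do |r|
      r = r.dup
      FKS.each { |fk| r[fk[:column]] = FALLBACK_USER if fk[:table] == t && !fk[:cascade] && doomed[fk[:ref]].include?(r[fk[:column]]) }
      r
    end
    [t, kept]
  end
  [sql, new_db]
end

# Every foreign-key value in the remaining rows must resolve; returns the dangling ones.
def integrity_violations(db)
  FKS.flat_map do |fk|
    live = db[fk[:ref]].map { |r| r[fk[:ref_col]] }.to_set
    db[fk[:table]].reject { |r| live.include?(r[fk[:column]]) }
                  .map { |r| [fk[:table], fk[:column], r[fk[:column]]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  sql, after = cleanup(SAMPLE_DB, 3)
  puts sql
  puts "dangling references after cleanup: #{integrity_violations(after).inspect}"
end
```

Two things the example makes visible that the post only alludes to. First, the order matters: deleting the profile row first would leave bugs, comments and attachments pointing at a user that no longer exists, which is exactly the referential-integrity damage Bugzilla’s own “delete user” warning is about, so the plan deletes children before parents and reassigns the one non-owning reference (assigned_to) before the profile goes. Second, cascading is a policy decision: here a reply that a legitimate user left on a spam bug is removed along with the bug, and a real bug merely assigned to the spammer is kept and reassigned; whichever rule you pick, run the plan inside a transaction against a backup first. The real schema has more tables that reference bug_id and userid (cc and bugs_activity, for example) and they need entries in the FK list too. Because the statements act on the tables directly rather than going through Bugzilla’s web interface, no bugmail is generated for the removed bugs.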
August 5th, 2007 at 6:15 pm
Hi Jonathan,
In terms of blocking spam before it gets into a bugzilla database, are you thinking of some kind of captcha facility?
August 6th, 2007 at 1:50 am
You can delete bugs, and you have been able to for a long time. The reason there is no trivial “Delete” button on each bug page is because this is still something you have to be *really* sure about before doing it. Some users may prefer to delete an invalid bug rather than marking it as INVALID, which is a bad approach IMO (e.g. because you cannot track if some given reporter already reported many invalid bugs and if his account should be closed; which is something we do sometimes).
To delete a bug, create a “Trash” product (any random name will do, “Trash” is not a magical product name). Then move the bug you want to kill into this product and delete the product. To do that, you need to turn on the allowbugdeletion parameter, which is off by default for the reason explained above. As you can see, this is not straightforward, but we do this because this is not something you usually want to do. Or you could even keep these bugs in the “Trash” product, this doesn’t hurt (you could restrict this product to some mandatory group to keep it out of view of other users).
August 6th, 2007 at 10:50 am
Bob: CAPTCHA is a good thing for Bugzilla to add and it would definitely help to decrease the number of spam-bots. Unfortunately, that won’t help against (human) spammers signing up for a Bugzilla account. I think a much better idea is to add support for OpenID. Take a look at my comment #7 for bug 380489 as well as bug 294608.
August 6th, 2007 at 1:35 pm
LpSolit: thanks for the comment. I understand that in the past, Bugzilla developers had good reasons for making it non-trivial to delete a bug. I agree with you that users should mark invalid bugs as INVALID instead of deleting them. I have no complaint with the goal to help users avoid doing the wrong thing.
However, Bugzilla administrators do need an easy way to clean up spam. Your suggestion to move spam to a Trash product is workable, but administrators don’t want to leave pornography and spam sitting on their servers even if viewing the bugs can be completely restricted to a “no one” group. I think some way to “delete every bug, comment, and attachment this user ever made” would help a lot.
August 21st, 2007 at 2:20 am
I got bugzilla spammed by 83.167.120.x tonight.
My solution was to do some sql updates, changing the content of the attachments (HTML pages) to contain meta refresh redirects to a christian, anti-masturbation website…
February 18th, 2008 at 12:00 pm
I’m also looking into deleting bugzilla spam.
The thing that worries me about the “Move to dummy product / delete product” trick is that I don’t want to risk any email getting sent to the spammer’s address that might have my email address in it.
February 19th, 2008 at 7:36 am
DaveK: I have the same concern as you with regards to the “Move to dummy” trick. In my feature request to the bugzilla team, I specify that spammers should not get any email when their spam is removed.
March 5th, 2008 at 8:42 am
Hello,
I want a little info about the Bugzilla framework. Kindly, if anyone has such info, email it to me. I am basically doing my thesis.
Thanks in advance for your cooperation.
March 5th, 2008 at 9:47 am
zeeshan: I am not a bugzilla developer myself, so I’m not the right person to ask. I’d suggest you start by looking in the following places:
* http://wiki.mozilla.org/Bugzilla:FAQ
* http://www.bugzilla.org/docs/tip/html/
* http://www.bugzilla.org/docs/developer.html
You also might try posting a question on the Mozilla developers list at developers@bugzilla.org.