Bastard Spammers

Last week, Xfce Bugzilla got its first spam. Someone created an account, and attached some HTML Cialis ads to an existing bug. I quickly disabled the account, and marked the attachments as obsolete and changed their content types to application/octet-stream, so browsers wouldn’t attempt to display them.

I figured, eh, whatever, it’s a one-off thing.

Nope. Someone just did it again, with a new account.

So I figured I’d google a bit to see if I can find some Bugzilla spam solutions, and I came upon this mailing list thread. How fucking devious. The spammers are attaching their HTML ad files to Bugzilla bugs, and then linking to the Bugzilla attachment URL in email spam, or blog spam, or whatever, instead of using their own websites to host the ads.

There’s talk of implementing some optional CAPTCHAs (which suck), but aside from active filtering of comments and attachments using some sort of heuristics (i.e., building an email junk filter into Bugzilla), there don’t appear to be any solutions. If anyone has seen anything to combat Bugzilla spam, or has some tips to make this more difficult, please let me know.
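A sketch of the heuristic filtering mentioned above, as an added example that is not part of the original post and is not Bugzilla code: it scores an upload on the signals described here (renderable HTML, a brand-new account, links) and forces risky attachments to download as application/octet-stream. The Attachment record, the thresholds and the sample data are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Types a browser renders inline as a page (assumed list, extend as needed).
RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml"}
HTML_SNIFF = re.compile(rb"<\s*(html|body|script|iframe|meta|a\s)", re.I)
LINK = re.compile(rb"https?://", re.I)

@dataclass
class Attachment:  # hypothetical record, not Bugzilla's real schema
    declared_type: str
    data: bytes
    uploaded: datetime
    account_created: datetime
    prior_activity: int  # comments/bugs by the uploader before this upload

def renders_inline(att):
    """True if the declared type or the first bytes look like a web page."""
    return (att.declared_type.lower() in RENDERABLE
            or bool(HTML_SNIFF.search(att.data[:4096])))

def triage(att, new_account=timedelta(days=2), max_links=3):
    """Return (score, reasons); each matching signal adds one point."""
    checks = [
        (renders_inline(att), "browser-renderable content"),
        (att.uploaded - att.account_created < new_account, "account created just before upload"),
        (att.prior_activity == 0, "uploader has no prior activity"),
        (len(LINK.findall(att.data)) >= max_links, "many external links"),
    ]
    reasons = [why for hit, why in checks if hit]
    return len(reasons), reasons

def serving_headers(att, score, hold_at=3):
    """Never let renderable or high-scoring uploads display in the browser."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if renders_inline(att) or score >= hold_at:
        headers.update({"Content-Type": "application/octet-stream",
                        "Content-Disposition": "attachment"})
    else:
        headers["Content-Type"] = att.declared_type
    return headers

# Constructed samples: an ad page from a minutes-old account, and a real patch.
NOW = datetime(2008, 1, 1, 12, 0)
SPAM = Attachment("text/html", b'<html><body><a href="http://ads.example/1">x</a>'
                  b'<a href="http://ads.example/2">y</a><a href="http://ads.example/3">z</a>',
                  NOW, NOW - timedelta(minutes=10), 0)
PATCH = Attachment("text/plain", b"--- a/panel.c\n+++ b/panel.c\n@@ -1 +1 @@\n-int x;\n+int y;\n",
                   NOW, NOW - timedelta(days=400), 40)
```

Uploads that reach the hold threshold can also be queued for moderator review instead of being published immediately.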

God dammit.