[GRASS-dev] spam in bug tracker

On Wednesday 20 September 2006 11:39, Maciej Sieczka wrote:

> Eric has found that spam is being added to existing BT tickets.
>
> See e.g. at the bottom of
> http://intevation.de/rt/webrt?serial_num=1107
> http://intevation.de/rt/webrt?serial_num=2904
>
> Is there anything we can do about it?

Unfortunately, our RT tracker has been flooded by a SPAM
attack that used HTTP (not mail).
We switched off the opportunity to add comments as anonymous.
(we had to patch rt for this as its configuration does only allow to
switch off new bugs sent by anonymous).

Another good reason for the new bug tracker.
There, it is also only allowed to comment/submit if you are
a registered user. But unlike for rt, there you can
create a user account on your own easily.

Best

  Jan
--
Jan-Oliver Wagner: www.intevation.de/~jan | GISpatcher: www.gispatcher.de
Kolab Konsortium : www.kolab-konsortium.de | Thuban : thuban.intevation.org
Intevation GmbH : www.intevation.de | Kolab : www.kolab.org
FreeGIS : www.freegis.org | GAV : www.grass-verein.de

Jan-Oliver Wagner wrote:

> > Is there anything we can do about it?
>
> Unfortunately, our RT tracker has been flooded by a SPAM
> attack that used HTTP (not mail).
> We switched off the opportunity to add comments as anonymous.
> (we had to patch rt for this as its configuration does only allow to
> switch off new bugs sent by anonymous).
>
> Another good reason for the new bug tracker.
> There, it is also only allowed to comment/submit if you are
> a registered user. But unlike for rt, there you can
> create a user account on your own easily.

Thanks for the quick service Jan, and thanks to Maciek and Eric for all
their efforts too. It's a frustrating business.

I guess the sooner we migrate to the new bug tracker the better then.
After that we can start on CVS->SVN and OSGeo migrations :wink:

Hamish

Hi

I fully second Hamish that we should keep bug reporting possible for
anonymous users. I prefer to have to deal with spam from time to time
(yuck!) than to miss a useful message.

But I hope that the new bugtracker that Grass some-day will have, will
provide a possibility to delete or modify single past records in the
given ticket, not only to kill the whole bogus ticket. Anybody knows if
Trac has such thing?

Maciek

Maciej Sieczka wrote on 09/28/2006 02:52 PM:

> Hi
>
> I fully second Hamish that we should keep bug reporting possible for
> anonymous users. I prefer to have to deal with spam from time to time
> (yuck!) than to miss a useful message.
>
> But I hope that the new bugtracker that Grass some-day will have, will
> provide a possibility to delete or modify single past records in the
> given ticket, not only to kill the whole bogus ticket. Anybody knows if
> Trac has such thing?

Hi,

I think that this is the key - being able to delete individual posts to
a bug report. Given that, we could keep it open as before.

Markus

On Thursday 28 September 2006 15:32, Markus Neteler wrote:

> Maciej Sieczka wrote on 09/28/2006 02:52 PM:
> > I fully second Hamish that we should keep bug reporting possible for
> > anonymous users. I prefer to have to deal with spam from time to time
> > (yuck!) than to miss a useful message.
> >
> > But I hope that the new bugtracker that Grass some-day will have, will
> > provide a possibility to delete or modify single past records in the
> > given ticket, not only to kill the whole bogus ticket. Anybody knows if
> > Trac has such thing?
>
> I think that this is the key - being able to delete individual posts to
> a bug report. Given that, we could keep it open as before.

the tracker of GForge does not offer to remove comments.
Only attachments can be deleted.

I know that RoundUp allows to remove comments, but this tracker
is not integrated (yet) in GForge.

Best

  Jan


Has anybody disabled posting as guest to BT? It gives:

"You are not allowed to reply on requests as guest"

Will people be able to reply via email at least?

Maciek

Maciej Sieczka wrote:

> Has anybody disabled posting as guest to BT? It gives:
>
> "You are not allowed to reply on requests as guest"
>
> Will people be able to reply via email at least?

As Jan-Oliver wrote earlier today (yesterday...) guest posting is blocked for the moment. See http://grass.itc.it/pipermail/grass5/2006-September/026115.html

Moritz


On Thursday 28 September 2006 23:36, Jan-Oliver Wagner wrote:

> On Thursday 28 September 2006 15:32, Markus Neteler wrote:
> > Maciej Sieczka wrote on 09/28/2006 02:52 PM:
> > > I fully second Hamish that we should keep bug reporting possible for
> > > anonymous users. I prefer to have to deal with spam from time to time
> > > (yuck!) than to miss a useful message.

True. But with current spam level and robot, you will need to have a
human queue before it really goes into the tracker.

> > > But I hope that the new bugtracker that Grass some-day will have, will
> > > provide a possibility to delete or modify single past records in the
> > > given ticket, not only to kill the whole bogus ticket.

The administrator can do this in request-tracker already
and manipulate the database.

> > > Anybody knows if
> > > Trac has such thing?
> >
> > I think that this is the key - being able to delete individual posts to
> > a bug report. Given that, we could keep it open as before.

I do not think this is feasible; humans cannot beat robots that fill out
webforms.

> the tracker of GForge does not offer to remove comments.
> Only attachments can be deleted.

Our main reason to move to Gforge software (not the proprietary software of
gforge group) is that we will have a larger user community that has the same
needs, so additions and changes will be easier to make and will be useful to
more people as well.
I suggest adding a feature request to www.gforge.org.

> I know that RoundUp allows to remove comments, but this tracker
> is not integrated (yet) in GForge.

If somebody would want to work on this, it would be cool. :slight_smile:

Bernhard

Bernhard Reiter wrote:

> > > > Anybody knows if
> > > > Trac has such thing?
> > >
> > > I think that this is the key - being able to delete individual posts to
> > > a bug report. Given that, we could keep it open as before.
>
> I do not think this is feasible; humans cannot beat robots that fill out
> webforms.

Can we add a captcha to the form? This would only be required for
guest users.

--
Glynn Clements <glynn@gclements.plus.com>

Glynn Clements wrote:

> Bernhard Reiter wrote:
> > > > > Anybody knows if
> > > > > Trac has such thing?
> > > >
> > > > I think that this is the key - being able to delete individual
> > > > posts to a bug report. Given that, we could keep it open as before.
> >
> > I do not think this is feasible; humans cannot beat robots that fill
> > out webforms.
>
> Can we add a captcha to the form? This would only be required for
> guest users.

An easy implementation I've seen was a simple auto-generated web page
that asked a randomly generated simple math question in English. e.g.
"What's [nine] [minus] [four]?" _________ [Submit]

We're not Hotmail or Yahoo! Mail, so I doubt we have to bother with
"spot the word in the noise" tricks. Beating a custom app from
relatively small projects like ours just isn't worth the spammer's
time (by definition they're trying to take the lazy route to success).

Hamish
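
The word-based math question described in the message above, sketched as an added example (not code from RT, GForge or anyone in this thread). The names `new_challenge`, `check_answer`, `SECRET` and `MAX_AGE` are hypothetical; the sketch goes slightly beyond the description by signing the expected answer with an HMAC so the guest form needs no server-side session, and by expiring and burning each challenge so a robot cannot replay one or try every answer against it.

```python
import hashlib, hmac, secrets, time

WORDS = ["zero", "one", "two", "three", "four", "five",
         "six", "seven", "eight", "nine"]
OPS = {"plus": lambda a, b: a + b, "minus": lambda a, b: a - b}
SECRET = secrets.token_bytes(32)   # assumption: per-deployment key, server-side only
MAX_AGE = 600                      # assumed lifetime of a challenge, in seconds
_used_nonces = set()               # replay guard; a real service would expire entries


def _mac(nonce: str, issued: int, answer: int) -> str:
    # The answer is bound into the MAC, so it never appears in the form itself.
    msg = f"{nonce}|{issued}|{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None):
    """Return (question, token); the token goes into a hidden form field."""
    now = int(time.time() if now is None else now)
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    op = secrets.choice(list(OPS))
    if op == "minus" and b > a:    # keep answers non-negative for humans
        a, b = b, a
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{now}.{_mac(nonce, now, OPS[op](a, b))}"
    return f"What's {WORDS[a]} {op} {WORDS[b]}?", token


def check_answer(token: str, reply: str, now=None) -> bool:
    """Validate a guest's reply; every failure path returns False."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued_s, mac = token.split(".")
        issued, answer = int(issued_s), int(reply.strip())
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - issued <= MAX_AGE or nonce in _used_nonces:
        return False
    # Burn the nonce on the first numeric attempt: with only 19 possible
    # answers, allowing retries on one token would defeat the check.
    _used_nonces.add(nonce)
    return hmac.compare_digest(mac.encode(), _mac(nonce, issued, answer).encode())
```
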

Hamish wrote:

> Glynn Clements wrote:
> > Bernhard Reiter wrote:
> > > > > > Anybody knows if
> > > > > > Trac has such thing?
> > > > >
> > > > > I think that this is the key - being able to delete individual
> > > > > posts to a bug report. Given that, we could keep it open as before.
> > >
> > > I do not think this is feasible; humans cannot beat robots that fill
> > > out webforms.

For the time being we've been able to remove all the spam BT tickets
manually.

Also considering that the spam is currently being added manually to the
existing tickets in our BT, I think we could also remove that manually,
if it was technically possible. Only that the person in charge should
be informed about each new BT modification by email (that's currently
impossible in our BT as I was told; would Gforge tracker provide such
option?). I wouldn't mind to be that person.

Only if there is nobody willing to take care of spam in BT (eg. I quit
in future) or if the amount of spam making through is beyond a few
minutes work a day, the anonymous access should be limited. Otherwise
we should keep the BT system open for anyone if possible.

Maciek

On Fri, Sep 29, 2006 at 12:23:47PM +0200, Bernhard Reiter wrote:

> On Thursday 28 September 2006 23:36, Jan-Oliver Wagner wrote:
> > On Thursday 28 September 2006 15:32, Markus Neteler wrote:
> > > Maciej Sieczka wrote on 09/28/2006 02:52 PM:
> > > > But I hope that the new bugtracker that Grass some-day will have, will
> > > > provide a possibility to delete or modify single past records in the
> > > > given ticket, not only to kill the whole bogus ticket.
>
> The administrator can do this in request-tracker already
> and manipulate the database.

... but: we don't have an admin outside of Intevation AFAIK...
(who could also change Harmish to Hamish in RT).

I feel that GRASS folks would love to switch the BT now,
what does Intevation think? Besides the spam problem, we
basically have the missing patch management problem in RT.

Markus

Markus Neteler wrote:

> On Fri, Sep 29, 2006 at 12:23:47PM +0200, Bernhard Reiter wrote:
> > On Thursday 28 September 2006 23:36, Jan-Oliver Wagner wrote:
> > > On Thursday 28 September 2006 15:32, Markus Neteler wrote:
> > > > Maciej Sieczka wrote on 09/28/2006 02:52 PM:
> > > > > But I hope that the new bugtracker that Grass some-day will have, will
> > > > > provide a possibility to delete or modify single past records in the
> > > > > given ticket, not only to kill the whole bogus ticket.
> >
> > The administrator can do this in request-tracker already
> > and manipulate the database.
>
> ... but: we don't have an admin outside of Intevation AFAIK...
> (who could also change Harmish to Hamish in RT).

Markus,

Aren't you an admin?

https://intevation.de/rt/admin-webrt?display=Modify+the+User+called&user_id=mneteler

Maciek

> > But I hope that the new bugtracker that Grass some-day will
> > have, will provide a possibility to delete or modify single past
> > records in the given ticket, not only to kill the whole bogus
> > ticket.
>
> The administrator can do this in request-tracker already
> and manipulate the database.

MN:

> ... but: we don't have an admin outside of Intevation AFAIK...
> (who could also change Harmish to Hamish in RT).

I dunno, I always get a chuckle out of that. It reflects on how bad a C
programmer I am.

MS:

> Markus,
>
> Aren't you an admin?
>
> https://intevation.de/rt/admin-webrt?display=Modify+the+User+called&user_id=mneteler

Hey, I hadn't seen that before. After logging in as myself, I have now
changed my own name to the more common spelling.

fyi, for me it says-

Access Control

grass: Manipulate
thuban: Display
etc.

MN:

> Besides the spam problem, we basically have the missing patch
> management problem in RT.

Indeed.

Hamish

On Sunday 01 October 2006 06:47, Hamish wrote:

> Glynn Clements wrote:
> > Bernhard Reiter wrote:
> > > I do not think this is feasible; humans cannot beat robots that fill
> > > out webforms.
> >
> > Can we add a captcha to the form? This would only be required for
> > guest users.

Sure, we can. This would need to be our own implementation
as you already found out. Do not underestimate this as it is a source
for new problems.

> An easy implementation I've seen was a simple auto-generated web page
> that asked a randomly generated simple math question in English. e.g.
> "What's [nine] [minus] [four]?" _________ [Submit]
>
> We're not Hotmail or Yahoo! Mail, so I doubt we have to bother with
> "spot the word in the noise" tricks. Beating a custom app from
> relatively small projects like ours just isn't worth the spammer's
> time (by definition they're trying to take the lazy route to success).

I agree.
If you want to start coding this one,
I suggest to take the current gforge code and add it (www.gforge.org).

Bernhard

--
Managing Director - Owner, www.intevation.net (Free Software Company)
Germany Coordinator, fsfeurope.org (Non-Profit Org for Free Software)
www.kolab-konsortium.com (Email/Groupware Solution, Professional Service)

On Sunday 01 October 2006 13:12, Maciej Sieczka wrote:

>>>> I do not think this is feasible; humans cannot beat robots that fill
>>>> out webforms.
>
> For the time being we've been able to remove all the spam BT tickets
> manually.
>
> Also considering that the spam is currently being added manually to the
> existing tickets in our BT,

This has changed. Last week we had a scripted attack on our current tracker.
We are still doing some last cleanups.
When we got more spam emails, we needed to close the ability to comment on
some issue, now we just closed the ability for a guest to add comments over
the web. :frowning:

> I think we could also remove that manually,
> if it was technically possible. Only that the person in charge should
> be informed about each new BT modification by email (that's currently
> impossible in our BT as I was told;

It is possible to get a notification for each transaction for the current
tracker. I did not consider it a good compromise so far and advised against
it. Currently you cannot remove single entries.

> would Gforge tracker provide such option?).

Yes, just as does RequestTracker.

> I wouldn't mind to be that person.
>
> Only if there is nobody willing to take care of spam in BT (eg. I quit
> in future) or if the amount of spam making through is beyond a few
> minutes work a day, the anonymous access should be limited. Otherwise
> we should keep the BT system open for anyone if possible.

My fear is that the situation "it takes a few minutes" will be changing
rapidly. If someone wants to make a contribution, it will not be asked too
much to have them register, though I would prefer the other solution.
Your few minutes could be spent on more worthwhile tasks in my opinion.

Bernhard


On Sunday 01 October 2006 16:16, Markus Neteler wrote:

> ... but: we don't have an admin outside of Intevation AFAIK...

True, I have meant superuser rights on the machine.

> (who could also change Harmish to Hamish in RT).

You or Hamish can do that as far as I know.

> I feel that GRASS folks would love to switch the BT now,
> what does Intevation think? Besides the spam problem, we
> basically have the missing patch management problem in RT.

It is fine to start using the Gforge Tracker of wald.intevation.org now
for GRASS. We need a migration policy of course.
And the decision how many projects for GRASS we want to register on wald.
Should we separate grass-windows or grass-doc or not?
My feeling is: We do not want to separate, yet.

For phase a) we would only enter new issues in the gforge tracker
and keep the old tracker.
Also possible: If an issue is acted upon, transfer it to the tracker.

Next we need a script to transfer the 500 open issues to the new tracker.
Also there is the decision of where to archive the handled issues.
My suggestion would be to keep the request-tracker running for documentation
purposes.

Bernhard


On Thursday 28 September 2006 10:27, Hamish wrote:

> I guess the sooner we migrate to the new bug tracker the better then.
> After that we can start on CVS->SVN

As said before: Intevation offers the wald.intevation.org infrastructure
which is a gforge software and has SVN.
We just need to plan and execute the

> and OSGeo migrations :wink:

I have not been following all of their decisions.
My suggestion for GRASS would be to stay on its own infrastructure
and own legal entities as GRASS is big enough to actually profit
from it.

Bernhard

On Mon, Oct 02, 2006 at 10:28:04AM +0200, Bernhard Reiter wrote:

> On Sunday 01 October 2006 16:16, Markus Neteler wrote:
> > ... but: we don't have an admin outside of Intevation AFAIK...
>
> True, I have meant superuser rights on the machine.
>
> > (who could also change Harmish to Hamish in RT).
>
> You or Hamish can do that as far as I know.

I tried, I cannot...
While I am listed as admin, I don't seem to have admin
rights :slight_smile: (which is ok).

> > I feel that GRASS folks would love to switch the BT now,
> > what does Intevation think? Besides the spam problem, we
> > basically have the missing patch management problem in RT.
>
> It is fine to start using the Gforge Tracker of wald.intevation.org now
> for GRASS. We need a migration policy of course.
> And the decision how many projects for GRASS we want to register on wald.
> Should we separate grass-windows or grass-doc or not?
> My feeling is: We do not want to separate, yet.

I agree.

> For phase a) we would only enter new issues in the gforge tracker
> and keep the old tracker.
> Also possible: If an issue is acted upon, transfer it to the tracker.

This sounds very good to me.

> Next we need a script to transfer the 500 open issues to the new tracker.
> Also there is the decision of where to archive the handled issues.
> My suggestion would be to keep the request-tracker running for documentation
> purposes.

Also agreed.

Markus