[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Lots of (easily recognisible) spam sent to the BTS today

On Wed November 1 2006 16:20, Javier Fernández-Sanguino Peña wrote:
> When I have suggested that (sending signed messages to the BTS to be
> accepted for processing) it was
> a) for mails to -close  or to control@b.d.o to prevent a
> spammer/malicious person from closing all the bugs or mangling with
> the BTS in such a way that would take us some effort to recover
> b) restricted to providing a signed mail, not necessarily with a
> signature in the DD keyring. (this could be added later on to prevent
> abuse, if needed be and could still have a 'whitelist' of valid keys
> which could include non-DDs)
> If there's a non-DD playing with the BTS (closing bugs or using
> control@) I guess it's not really too much to ask for them to use
> signed e-mails when fiddling with it. Is it?

I don't think so. Although, it is weaker than a pseudoheader since it 
would be easier for spammers to sign their messages than look up the 
package name associated with a particular bug number, and less effort 
than keeping a whitelist. Furthermore, it would be clear that a spammer 
was targeting Debian if they did the name<->number look up... which 
would make it easier to make a case that they are intentionally 
interfering with Debian's systems.

Keep in mind that my original response was to your post which stated:
"...implemented so as to only consider GPG/PGP signed mail from DDs..."

- Bruce

Reply to: