
Re: Lots of (easily recognisible) spam sent to the BTS today

On Wed, Nov 01, 2006 at 03:43:06PM -0800, Don Armstrong wrote:
> On Thu, 02 Nov 2006, Javier Fernández-Sanguino Peña wrote:
> > a) for mails to -close or to control@b.d.o to prevent a
> >    spammer/malicious person from closing all the bugs or mangling
> >    with the BTS in such a way that would take us some effort to
> >    recover
> There's no reason to restrict control; spam sent there doesn't really
> do anything at all. Indeed, to this point, we have only occasionally
> had problems with control, generally of the BTS ping-pong variety
> which tends to be best dealt with with a bit of social engineering.

I was not only suggesting closing it to spammers, I was also suggesting
blocking it to non-legitimate users which might mangle with control in insane
ways (on purpose). True, I have not yet seen that before, but I'm afraid our
BTS would have little resilience if it was targeted by some Debian-hater due,
precisely, to its openness.

> Messages to -close are slightly more annoying; we could increase the
> default score of messages to control, and rely on the negative scoring
> rules to keep legitimate messages.... but that would, again, result in
> more false positives. I (and AFAIK, the rest of the BTS admins) are
> rather wary of gratuitously increasing the numbers of false positives.
> [And yes, messages sent by scripts or people who haven't learned to
> jump through the right hoops are clearly false positives.]

Still, there could be a "warning period" before starting to reject those
mails sent to -close that lacked whatever we decided on (be it a GPG
signature or a Pseudo-header). And even in aggressive mode I guess that it
would be possible to send bounces based on the scoring of messages (those
that 'look' like they are legitimate but fail the checks are bounced with a
warning, those that do not look like they are *and* fail the checks go to the
bit bucket).

Just my few cents.


Attachment: signature.asc
Description: Digital signature
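
The two-tier handling proposed in the message above (warning period, then bounce or discard depending on score), sketched as an added example that is not part of the original thread or of the BTS code. The pseudo-header name, the `X-Spam-Score` header, the threshold and the sample mails are all assumptions constructed for illustration, and the marker check only tests for presence, not signature validity.

```python
from email import message_from_string, policy

SPAM_THRESHOLD = 5.0              # assumed cutoff; below it a mail "looks" legitimate
PSEUDO_HEADER = "X-Close-Token:"  # hypothetical pseudo-header name

def has_marker(msg):
    """Presence check only: PGP/MIME, inline PGP, or a leading pseudo-header.
    A real filter would also verify the signature against a keyring."""
    if msg.get_content_type() == "multipart/signed":
        return True
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content().lstrip() if part is not None else ""
    return text.startswith(("-----BEGIN PGP SIGNED MESSAGE-----", PSEUDO_HEADER))

def triage(raw, warning_period):
    """Decide what happens to a mail addressed to -close."""
    msg = message_from_string(raw, policy=policy.default)
    if has_marker(msg):
        return "accept"
    if warning_period:
        # The missing marker is not yet a reason to reject; the sender is warned.
        return "accept+warn"
    try:
        score = float(msg.get("X-Spam-Score", ""))
    except ValueError:
        score = SPAM_THRESHOLD    # unscored mail is not treated as legitimate-looking
    # Looks legitimate but fails the check: bounce with a warning.
    # Looks like spam and fails the check: bit bucket.
    return "bounce+warn" if score < SPAM_THRESHOLD else "discard"

# Constructed sample mails (addresses and scores are made up).
HEAD = "From: dev@example.org\nTo: 1234-close@bugs.example.org\nSubject: done\n"
SIGNED = HEAD + "X-Spam-Score: 0.3\n\n-----BEGIN PGP SIGNED MESSAGE-----\nfixed\n"
PLAIN_OK = HEAD + "X-Spam-Score: 1.1\n\nFixed in the last upload.\n"
PLAIN_SPAM = HEAD + "X-Spam-Score: 9.7\n\nCheap pills, click here\n"

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED), ("plain", PLAIN_OK), ("spam", PLAIN_SPAM)]:
        print(name, triage(raw, warning_period=False))
```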
