Discussion:
Reopening bug closed due to SPAM
(too old to reply)
Javier Fernández-Sanguino Peña
2005-07-20 22:31:48 UTC
Permalink
reopen 209891
thanks

If spam e-mail is going to start closing our Bugs in the BTS then we
should
start thinking about implementing authentication checks in the BTS...
like
for example: do not allow control messages or -close messages with no
attached (valid) GPG/PGP signatures (from a valid developer?)"


Regards

Javier
Josh Metzler
2005-07-20 23:57:45 UTC
Permalink
Post by Javier Fernández-Sanguino Peña
reopen 209891
thanks
If spam e-mail is going to start closing our Bugs in the BTS then we
should
start thinking about implementing authentication checks in the BTS...
like
for example: do not allow control messages or -close messages with no
attached (valid) GPG/PGP signatures (from a valid developer?)"
I request that you not require the signature to belong to a DD. I have done
a fair amount of bug triage, including merging, retitling, and even closing
for both Qt and KDE with the permission of the respective maintainers, and
would not have been able to help out in those ways if I needed to be a DD
to do so.

I think we should also make sure the submitter can close a bug if he
realizes it is invalid.

It seems the only way a spam is likely to close a bug is by going to
nnnnnn-***@bugs.debian.org. I doubt that ***@bdo is very vulnerable
to spam.

Josh
Goswin von Brederlow
2005-07-21 08:43:37 UTC
Permalink
Post by Javier Fernández-Sanguino Peña
reopen 209891
thanks
If spam e-mail is going to start closing our Bugs in the BTS then we
should
start thinking about implementing authentication checks in the BTS...
like
for example: do not allow control messages or -close messages with no
attached (valid) GPG/PGP signatures (from a valid developer?)"
Regards
Javier
NMs and most submitters aren't in the keyring so they would have a
hard time managing bugs if a DD signature is required.

And don't forget the DAK closing bugs on uploads. The archive key
would have to be allowed to sign too.

MfG
Goswin
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Javier Fernandez-Sanguino Pen~a
2005-07-21 22:03:54 UTC
Permalink
Post by Goswin von Brederlow
Post by Javier Fernández-Sanguino Peña
If spam e-mail is going to start closing our Bugs in the BTS then we
should
start thinking about implementing authentication checks in the BTS...
like
for example: do not allow control messages or -close messages with no
attached (valid) GPG/PGP signatures (from a valid developer?)"
NMs and most submitters aren't in the keyring so they would have a
hard time managing bugs if a DD signature is required.
The requirement for a valid signature might not be 'valid signature = DD
signature' but something more liberal like 'valid signature = signature
in the web of trust' (i.e. either a DD or signed by a DD) or even more
liberal like 'valid signature = signature in known keyservers'. In the
later, spammers could get keys generated and submitted there but they
are not really targetting our BTS, it's backscatter from their spam tricks.
Post by Goswin von Brederlow
And don't forget the DAK closing bugs on uploads. The archive key
would have to be allowed to sign too.
Or the BTS mail interface could approve messages coming in directly from
the ftp-master system, in any case, adding the archive key would not be
an issue, probably.

I don't know if the BTS admins are going to go forward with any of these
but IMHO it doesn't make any sense to allow administrative access
(managing, retitling, tagging, etc.) to the BTS without any kind of
authentication attempts (even if "simple") of the end user when in most
situations it's somebody the project knows about, not Random Joe.

Maybe the BTS admins are tracking abuse somehow, I haven't digged into
the BTS code at all but I do remember some abuse in the past and people
being shunted off. However, with the current state of affairs, is there
anything that prevents somebody from sending fake e-mails (maybe using
relay proxies) to the BTS using random mail To's to (1-close to
319400-close _AT_ bugs.debian.org ? Just wondering...

Regards

Javier
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Margarita Manterola
2005-07-21 09:23:30 UTC
Permalink
Post by Javier Fernández-Sanguino Peña
If spam e-mail is going to start closing our Bugs in the BTS then we
should
start thinking about implementing authentication checks in the BTS...
like
for example: do not allow control messages or -close messages with no
attached (valid) GPG/PGP signatures (from a valid developer?)"
As it was already requested, please don't make this a DD specific
thing. GPG signing is not that bad, but making it DD specific is
really a BAD thing.

(keep in mind, there are non-DD maintainers, who wouldn't be able to
close their own bugs!!)
--
Besos,
Marga
Adeodato Simó
2005-07-21 09:36:15 UTC
Permalink
Post by Javier Fernández-Sanguino Peña
If spam e-mail is going to start closing our Bugs in the BTS then we
should start thinking about implementing authentication checks in the
BTS... like for example: do not allow control messages or -close
messages with no attached (valid) GPG/PGP signatures (from a valid
developer?)"
I see much more feasible to require a pseudo-header: less cumbersome,
higher probability of getting implemented, and more in accordance with
the philosophy of our BTS.

And such header is now needed to make a versioned closes, so it
doesn't sound too disruptive to require it for every mail to -done (at
least the Source: one, Source-Version could be optional).

Cheers,
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Hanlon's Razor: Never attribute to malice that which is adequately
explained by stupidity.
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Colin Watson
2005-07-21 10:04:05 UTC
Permalink
Post by Adeodato Simó
And such header is now needed to make a versioned closes, so it
doesn't sound too disruptive to require it for every mail to -done (at
least the Source: one, Source-Version could be optional).
It's possible this may happen in the future, but I don't want to do it
immediately; such changes are better made gradually so that people don't
have to get used to too many new things at once.
--
Colin Watson [***@debian.org]
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Nigel Jones
2005-07-21 11:16:45 UTC
Permalink
Post by Adeodato Simó
Post by Javier Fernández-Sanguino Peña
If spam e-mail is going to start closing our Bugs in the BTS then we
should start thinking about implementing authentication checks in the
BTS... like for example: do not allow control messages or -close
messages with no attached (valid) GPG/PGP signatures (from a valid
developer?)"
I see much more feasible to require a pseudo-header: less cumbersome,
higher probability of getting implemented, and more in accordance with
the philosophy of our BTS.
And such header is now needed to make a versioned closes, so it
doesn't sound too disruptive to require it for every mail to -done (at
least the Source: one, Source-Version could be optional).
And how about a nice header for -done which is something to the effect
of 'mark as spam & archive now & prevent replies etc unless reopened',
or let us tag bugs as 'spam' (which would also be an alias for close)
and on the bug summary pages instead of all the spam bugs on package
pages (mainly 'general' i'd say) it'd appear in it's own little
section, and can autoarchive in 28 days without mixing with other
bugs...

My two cents
Post by Adeodato Simó
Cheers,
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Hanlon's Razor: Never attribute to malice that which is adequately
explained by stupidity.
--
--
N Jones
Blogging @ http://nigelj.blogspot.com
Proud Debian & FOSS User
Debian Maintainer of: html2ps & ipkungfu
Colin Watson
2005-07-21 11:25:55 UTC
Permalink
Post by Nigel Jones
And how about a nice header for -done which is something to the effect
of 'mark as spam & archive now & prevent replies etc unless reopened',
I think that's far more prone to abuse than spams closing bugs.
Archiving is deliberately irreversible except by ***@bugs, so it
should not be so easy to cause immediate archiving.
--
Colin Watson [***@debian.org]
Colin Watson
2005-07-21 09:50:58 UTC
Permalink
Post by Javier Fernández-Sanguino Peña
If spam e-mail is going to start closing our Bugs in the BTS then we
Start? It used to happen a lot; it's much less common nowadays.
--
Colin Watson [***@debian.org]
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Yaroslav Halchenko
2005-07-21 13:22:10 UTC
Permalink
Post by Javier Fernández-Sanguino Peña
attached (valid) GPG/PGP signatures (from a valid developer?)"
-- valid GPG signature present on public servers, not necessarily from a
valid DD seems to be a valid scheme. I haven't seen any spam GPG signed
yet

-- another idea would be to use the same authentication as used by most
of the mailing list servers -- verification of intent: confirmation
email sent to the originating email address and reply to it keeping
subject with a key code intact would verify that it was a valid request.
Otherwise original request expires in a day or two if it doesn't get
confirmed.
Then anyone who wants automate this process writes a 2 liner procmail
rule ;-)

My 2 kopeyki (ie cents)
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
Pierre Habouzit
2005-07-21 13:34:43 UTC
Permalink
Post by Yaroslav Halchenko
Post by Javier Fernández-Sanguino Peña
attached (valid) GPG/PGP signatures (from a valid developer?)"
-- valid GPG signature present on public servers, not necessarily
from a valid DD seems to be a valid scheme. I haven't seen any spam
GPG signed yet
that sucks, I want to be able to close bugs, even if I'm using a M$
computer with no gpg plugin on it (on from an unsecure machine where I
don't want to unlock my gpg key).
Post by Yaroslav Halchenko
-- another idea would be to use the same authentication as used by
confirmation email sent to the originating email address and reply to
it keeping subject with a key code intact would verify that it was a
valid request. Otherwise original request expires in a day or two if
it doesn't get confirmed.
Then anyone who wants automate this process writes a 2 liner procmail
rule ;-)
that's way better.
--
·O· Pierre Habouzit
··O ***@debian.org
OOO http://www.madism.org
Yaroslav Halchenko
2005-07-21 14:13:38 UTC
Permalink
Post by Pierre Habouzit
that sucks, I want to be able to close bugs, even if I'm using a M$
computer with no gpg plugin on it (on from an unsecure machine where I
don't want to unlock my gpg key).
Well - we need to give up something so it becomes 1 click harder for the
spammers ;-) indeed it would make it tricky to close bugs while
working from cell phones, some pdas, wrist watchers and kitchen sinks.
As for M$ Windows, for any kinds of emails really a nice solution is
Thunderbird+Enigmamail+keys on a USB flash drive (ie it can be your ipod
or iriver) so you have all your privates with you at any moment ;-)

not that I'm forcing you to accept it in any way -- I'm just giving an
alternative solution ;-)
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
Yaroslav Halchenko
2005-07-21 14:16:35 UTC
Permalink
Post by Yaroslav Halchenko
Thunderbird+Enigmamail+keys on a USB flash drive (ie it can be your ipod
just a link FYI
http://dev.weavervsworld.com/projects/ptbirdeniggpg/
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
Santiago Vila
2005-07-21 14:30:55 UTC
Permalink
Post by Yaroslav Halchenko
Post by Pierre Habouzit
that sucks, I want to be able to close bugs, even if I'm using a M$
computer with no gpg plugin on it (on from an unsecure machine where I
don't want to unlock my gpg key).
Well - we need to give up something so it becomes 1 click harder for the
spammers ;-) [...]
The only reason it is easy for spammers to close a bug is that the bug
has been already closed before (and reopened again) and the spammers
have harvested the -done address for that bug from the web pages.

So if the BTS people decided to make it "more difficult" to close a bug,
it would be more than enough to make it just minimally more difficult,
for example, require that the address is -done-***@bugs.debian.org
or -done2 for the second time a bug is closed (instead of the usual -done),
and so on.
Yaroslav Halchenko
2005-07-21 15:25:09 UTC
Permalink
Post by Santiago Vila
The only reason it is easy for spammers to close a bug is that the bug
has been already closed before (and reopened again) and the spammers
have harvested the -done address for that bug from the web pages.
A very valid point... I took the task more general - to infiltrate bug
reports (and may be give ideas for even mailing lists) from SPAM.
crawlers get all ***@bugs emails and then bug reports get spammed as
well as the relevant dudes.

BTW - why it has to be "iff" scheme - why it can't be a pipeline

if signed with a valid GPG signature -- permit
else
if spamassassin gives negative score -- permit
else
send a verification letter

Indeed - it is more load on the server but 1st step doesn't require much
of load, mostly waiting time for the transaction. We would get to
spamassassin quite rarely if most of people (and DD) start signing their
submissions, and 3rd one will hit with probably 1% false positives...
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
Pascal Hakim
2005-07-22 02:00:25 UTC
Permalink
Post by Yaroslav Halchenko
Post by Santiago Vila
The only reason it is easy for spammers to close a bug is that the bug
has been already closed before (and reopened again) and the spammers
have harvested the -done address for that bug from the web pages.
A very valid point... I took the task more general - to infiltrate bug
reports (and may be give ideas for even mailing lists) from SPAM.
well as the relevant dudes.
BTW - why it has to be "iff" scheme - why it can't be a pipeline
if signed with a valid GPG signature -- permit
else
if spamassassin gives negative score -- permit
else
send a verification letter
Indeed - it is more load on the server but 1st step doesn't require much
of load, mostly waiting time for the transaction. We would get to
spamassassin quite rarely if most of people (and DD) start signing their
submissions, and 3rd one will hit with probably 1% false positives...
Sending verification letters like that is a rather bad idea. We're
talking in the 10,000 to 100,000 verification emails a day here.

Pasc
--
Pascal Hakim 0403 411 672
Do Not Bend
Yaroslav Halchenko
2005-07-21 15:19:41 UTC
Permalink
Post by Yaroslav Halchenko
-- another idea would be to use the same authentication as used by most
of the mailing list servers -- verification of intent: confirmation
email sent to the originating email address and reply to it keeping
A slightly better modification of this scheme I think would be taken
from some FIDONet newsgroups -- to verify sender's email address.

so algorithm is

check sender in DB and get his Keyword from DB if it is there
if sender is not in DB
then
add email to DB, generate Keyword
fi
if email includes Keyword anywhere (X-Keyword field in the header or
just a line in the body)
then
strip the lines containing keyword and post email
else
send a verification email to the sender where provide his
Keywords for future postings
fi

this way it is one time job for anyone to adjust their .muttrc or
whatever to include X-Keyword header in their emails to *debian.org
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
Javier Fernandez-Sanguino Pen~a
2005-07-21 22:20:50 UTC
Permalink
Post by Colin Watson
Post by Javier Fernández-Sanguino Peña
If spam e-mail is going to start closing our Bugs in the BTS then we
Start? It used to happen a lot; it's much less common nowadays.
Well, it's the first time I've seen spam closing one bug reported by me.
I often see spam to ***@bugs.debian.org addresses, however [1].

<irony mode one>
I wonder if we can get spammers to add "*debian*" to the blacklist of
keywords _not_ to spam, just like they currently do with "*postmaster*",
"*abuse*", "*spam*" and, even, "*linux*" (ever seen a spammer bot? scary
stuff)
</irony mode off>

Regards

Javier


[1] Too much, in fact, for me to dedicate enough time to report it,
counting 409 distinct mails since I implemented the filter a year ago.
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Brian May
2005-07-22 06:53:48 UTC
Permalink
Javier> If spam e-mail is going to start closing our Bugs in the
Javier> BTS then we should start thinking about implementing
Javier> authentication checks in the BTS... like for example: do
Javier> not allow control messages or -close messages with no
Javier> attached (valid) GPG/PGP signatures (from a valid
Javier> developer?)"

Would a GPG signature help in the long run?

The BTS closes bugs based on the address in the SMTP recipient field.

This is not GPG protected.

So a Spammer could copy an existing email from an existing developer
from mailing list archives, forge his email address, and resend
it. The signature remains valid, and the bug will still be closed.

GPG signatures don't protect data that isn't protected (such as mail
headers or SMTP session), and it doesn't protect against replay
attacks (unless you add some other mechanism, e.g. include the date
and time in the protected part of the message).
--
Brian May <***@debian.org>
Anthony DeRobertis
2005-07-23 00:40:35 UTC
Permalink
Post by Javier Fernández-Sanguino Peña
If spam e-mail is going to start closing our Bugs in the BTS then we
should
start thinking about implementing authentication checks in the BTS...
like
for example: do not allow control messages or -close messages with no
attached (valid) GPG/PGP signatures (from a valid developer?)"
Spammers aren't targeting the BTS on purpose; they're doing it by mistake.

We could just use something simple, like a phrase that must occur in the
message for the BTS to act on the message sent to
XXXX-***@bugs.debian.org. This is also probably far more trivial to
implement than GPG. And compatible with any mailer, unlike additional
headers.
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Continue reading on narkive:
Loading...