Issue286

Title: Spam issues created using forged email
Priority: bug    Status: chatting
Superseder:    Nosy List: admin, forsberg, izak, loewis, pefu512, stephen
Assigned To:    Topics:

Created on 2009-05-27.21:06:40 by pefu512, last changed 2009-06-29.22:27:36 by pefu512.

Files
File name: unnamed    Uploaded: pefu512, 2009-05-27.21:06:39    Type: text/plain
Messages
msg1409 Author: pefu512 Date: 2009-05-28.08:42:17
This issue is obviously Spam and was not created by me but by
some spammer abusing my userid.  
Please could someone retire this issue?
This has happened before in issue281 and others.  I don't want 
to have my userid linked to spam issues.  If I can do anything 
about this, please tell me what.  

Many thanks in advance.
Regards, 
Peter Funk
msg1408 Author: pefu512 Date: 2009-05-27.21:06:39

Message has been classified as spam.

msg1410 Author: loewis Date: 2009-05-28.21:55:55
I think the only permanent solution would be for you to change the email address
that you use in the tracker.
msg1411 Author: pefu Date: 2009-05-29.06:06:38
Hello Martin,

Martin v. Löwis suggested to me on 28.05.2009:
> I think the only permanent solution would be for you to change the email address
> that you use in the tracker.

Thanks for the suggestion.  I've done so and exchanged the address with 
one of my other not so well known email addresses and put my original one 
into the field containing the list of alternative addresses.  

But I didn't understand how this is supposed to work and how it
would prevent spammers from creating new invalid issues like 
this one here or issue281 in the metatracker.  Please explain.

Thanks in advance.

Regards, Peter
-- 
Peter Funk, ✉Oldenburger Str.86, D-27777 Ganderkesee
office: ArtCom GmbH, ✉Haferwende 2, D-28357 Bremen, Germany 
tel:+49-421-20419-0 cell:+49-179-640-8878 <http://www.artcom-gmbh.de/>
msg1412 Author: loewis Date: 2009-05-29.22:21:13
> But I didn't understand how this is supposed to work and how it
> would prevent spammers from creating new invalid issues like 
> this one here or issue281 in the metatracker.  Please explain.

The spammers send email with your registered email address to the
tracker. The tracker checks whether the From field is a registered
address of some user, and if so, it accepts the message. Now that
you have changed your email address, spammers would have to use the
new address in From. Since they don't know what the new address
is, the spam will be rejected.
msg1413 Author: stephen Date: 2009-06-01.03:36:56
"Martin v. Löwis" writes:
> > But I didn't understand how this is supposed to work and how it
> > would prevent spammers from creating new invalid issues like 
> > this one here or issue281 in the metatracker.  Please explain.
> 
> The spammers send email with your registered email address to the
> tracker. The tracker checks whether the From field is a registered
> address of some user, and if so, it accepts the message. Now that
> you have changed your email address, spammers would have to use the
> new address in From. Since they don't know what the new address
> is, the spam will be rejected.

I don't think this actually works, because IIRC he added his *old*
address, which the spammers have been using, to the new user.  It will
continue to work as a valid address; that's the purpose of the
alternate email address field.  The primary field is what Roundup uses
to address mail to the user; the alternate addresses are other valid
sources for issue data.

I don't think there is any way to prevent this kind of spamming.
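The acceptance rule Martin describes in msg1412, and the catch Stephen points out above (the old address staying valid as an alternate), can be reproduced in a few lines. The following is an added example, not Roundup's mail gateway code: it assumes a user record shaped as a primary address plus a list of alternates, and uses constructed placeholder addresses and a constructed forged message rather than the real ones from this tracker.

```python
import copy
import email
import email.utils
from email import policy

# Constructed user records, modelled on how the thread describes Roundup's
# user class: one primary address plus a list of alternate addresses.
# All addresses are placeholders, not the real ones from the tracker.
USERS = {
    "pefu512": {
        "primary": "pf-new@example.invalid",   # the changed, less well-known address
        "alternates": ["pf@example.invalid"],  # the old, harvested address
    },
    "loewis": {"primary": "martin@example.invalid", "alternates": []},
}


def registered_addresses(record):
    """Every address that identifies this user to the mail gateway, lower-cased."""
    return {record["primary"].lower()} | {a.lower() for a in record["alternates"]}


def lookup_sender(from_header, users):
    """Map a From: header to a username by exact address match, or None if unknown."""
    _display, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    for username, record in users.items():
        if addr in registered_addresses(record):
            return username
    return None


def gateway_decision(raw_message, users):
    """Mimic the gateway rule from msg1412: accept iff From: matches a registered address."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = lookup_sender(msg["From"] or "", users)
    return {"accepted": sender is not None, "user": sender}


def drop_alternate(users, username, address):
    """Return a copy of the user table with a harvested address removed from the alternates."""
    users = copy.deepcopy(users)
    record = users[username]
    record["alternates"] = [a for a in record["alternates"] if a.lower() != address.lower()]
    return users


# Constructed spam message: the From: header carries the old, harvested address.
FORGED = """\
From: Peter Funk <pf@example.invalid>
To: meta@tracker.example.invalid
Subject: We will take a great care of your body and soul.

(spam body)
"""


def demo():
    # Changing the primary address alone does not help: the old one is still an alternate.
    before = gateway_decision(FORGED, USERS)
    # Only once the harvested address is gone from the record does the forgery fail.
    fixed = drop_alternate(USERS, "pefu512", "pf@example.invalid")
    after = gateway_decision(FORGED, fixed)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point the code makes is that the gateway's identity check is nothing more than a lookup of the From: address in the set of all registered addresses, so the spammer's message is accepted exactly as long as the harvested address appears anywhere in that set, primary or alternate.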
msg1414 Author: loewis Date: 2009-06-01.05:09:24
> I don't think this actually works, because IIRC he added his *old*
> address, which the spammers have been using, to the new user.

"new user"? I didn't notice that he created a new user account.

Peter, can you please explain what accounts you hold, and which of
these accounts you don't plan to use anymore?

In any case: yes, if the address that the spammers had been using
is still associated with one of the accounts, it will not help at
all.

> I don't think there is any way to prevent this kind of spamming.

In general, no (except by requiring PGP signatures for posters).
In the specific case, it might help to either
a) remove/retire the pefu users completely, or
b) disable creation of new issues via email.
msg1428 Author: pefu Date: 2009-06-08.07:01:32
Hello all,

please excuse my late answer.  I took a one-week vacation.

Stephen Turnbull wrote:
> > I don't think this actually works, because IIRC he added his *old*
> > address, which the spammers have been using, to the new user.

In reply, Martin v. Löwis asked on Monday, 01.06.2009 05:09:
> "new user"? I didn't notice that he created a new user account.
> 
> Peter, can you please explain what accounts you hold, and which of
> these accounts you don't plan to use anymore?

My account is http://psf.upfronthosting.co.za/roundup/meta/user5 with
the login nickname pefu512.
My primary email address, which is still valid, is pf@artcom-gmbh.de.
I use this address as From: all the time.

The account user47 should be retired.  I don't know why it has been
created on 2007-09-26 09:23:55.

Unfortunately my email address has been harvested by spammers
long ago.  This is no big deal for me personally, because we have
good spam filters in place here at ArtCom.  

What bothers me is that spammers use my name and address to inject
stuff on web pages like the metatracker here.

> In any case: yes, if the address that the spammers had been using
> is still associated with one of the accounts, it will not help at
> all.
> 
> > I don't think there is any way to prevent this kind of spamming.
> 
> In general, no (except by requiring PGP signatures for posters).
> In the specific case, it might help to either
> a) remove/retire the pefu users completely, or

I wouldn't like that.

> b) disable creation of new issues via email.

Hmmm... Is there no other way?  Maybe a better spam filter in
front of Roundup?  In our company we have greylisting and 
some other filters in effect, which catch most of the spam.

Regards, Peter
-- 
Peter Funk, ✉Oldenburger Str.86, D-27777 Ganderkesee
office: ArtCom GmbH, ✉Haferwende 2, D-28357 Bremen, Germany 
tel:+49-421-20419-0 cell:+49-179-640-8878 <http://www.artcom-gmbh.de/>
msg1429 Author: loewis Date: 2009-06-24.03:27:03
I have retired user47. As for email addresses for pefu512: as long as the one
that spammers use continues to stay on the list of alternative email addresses,
we have to expect getting spammed again.

We do have Spambayes for this roundup installation, but with the relatively
small frequency of spam, it won't learn much except that pefu512 is a frequent
spammer, and eventually classify your messages as spam by default.
msg1431 Author: pefu512 Date: 2009-06-24.12:33:32
Hello Martin,

you wrote:
> I have retired user47. 

Thanks.

> As for email addresses for pefu512: as long as the 
> one that spammers use continues to stay on the list of alternative email 
> addresses, we have to expect getting spammed again.

So what I want to avoid is that spammers abuse websites like
http://psf.upfronthosting.co.za to improve their Google ranking.  

To do this I must be able to "remove" (retire) such spam issues before the 
Google-Bot comes along and finds them.  I'm willing to do so, but I wasn't
able to:  I tried to use ?@action=retire on this issue on May 27th, but failed.

Retire is what we use in our company internal Roundup tracker whenever an
issue was created by mistake.

Peter.
msg1432 Author: loewis Date: 2009-06-24.19:08:44
Unfortunately, the ?:action style of changing issues is insecure, as it enables
XSS attacks. So recent versions of roundup have disabled this API for retiring,
and require regular POSTs.

Instead of retiring the issue, one should use the "Mark as SPAM" button, anyway
(available to administrators only).
msg1433 Author: stephen Date: 2009-06-24.23:12:14
Martin v. Löwis writes:
> 
> Martin v. Löwis <martin@v.loewis.de> added the comment:
> 
> Unfortunately, the ?:action style of changing issues is insecure,
> as it enables XSS attacks. So recent versions of roundup have
> disabled this API to retiring, and require regular POSTs.
> 
> Instead of retiring the issue, one should use the "Mark as SPAM"
> button, anyway (available to administrators only).

Would it be reasonable to make Mark as SPAM available to
non-administrators in one or both of the following ways:

(a) the user whose address is abused should be allowed to Mark as SPAM

(b) (complex and possibly vulnerable to DoS) any user could be allowed
    to Mark as SPAM
    - admins would need a Mark as HAM command, and explicitly marked
      HAM is not possible to mark as SPAM without admin privileges
    - create a report which looks for recently Marked as SPAM events
      so that admins and/or volunteers could check for abuse of the
      system
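One way to express the two proposals above as a permission model, including the rule that an admin's explicit HAM cannot be overridden without admin rights and the report of recent Mark as SPAM events for abuse checking. This is an added example and not Roundup code or a patch from anyone in this thread; the `Tracker`, `Issue`, `reported_user` and `policy` names are assumptions, and the issue numbers and timestamps are constructed to mirror the discussion.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Issue:
    id: int
    reported_user: str          # account whose address appeared in the forged From: (assumed field)
    label: str = "unknown"      # "unknown", "spam" or "ham"
    ham_by_admin: bool = False  # set only by an admin's Mark as HAM


@dataclass
class Tracker:
    admins: set
    policy: str = "owner"       # "owner" = proposal (a), "anyone" = proposal (b)
    issues: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # (action, issue_id, user, when)

    def add_issue(self, issue_id, reported_user):
        self.issues[issue_id] = Issue(issue_id, reported_user)

    def can_mark_spam(self, issue, user):
        if user in self.admins:
            return True
        if issue.ham_by_admin:          # explicit admin HAM cannot be undone by non-admins
            return False
        if self.policy == "owner":      # (a): only the user whose address was abused
            return user == issue.reported_user
        return self.policy == "anyone"  # (b): any logged-in user

    def mark_spam(self, issue_id, user, when):
        issue = self.issues[issue_id]
        if not self.can_mark_spam(issue, user):
            raise PermissionError(f"{user} may not mark issue{issue_id} as spam")
        issue.label = "spam"
        self.events.append(("spam", issue_id, user, when))
        return issue.label

    def mark_ham(self, issue_id, user, when):
        if user not in self.admins:
            raise PermissionError("Mark as HAM is admin-only")
        issue = self.issues[issue_id]
        issue.label = "ham"
        issue.ham_by_admin = True
        self.events.append(("ham", issue_id, user, when))
        return issue.label

    def recent_spam_marks(self, now, window=timedelta(days=1)):
        """Abuse report: who issued Mark as SPAM inside the window, with counts per user."""
        cutoff = now - window
        return Counter(user for action, _, user, when in self.events
                       if action == "spam" and when >= cutoff)


def demo():
    # Constructed walk-through of proposal (b) on two issues attributed to pefu512.
    t0 = datetime(2009, 6, 25, 0, 0)
    tracker = Tracker(admins={"loewis"}, policy="anyone")
    tracker.add_issue(286, "pefu512")
    tracker.add_issue(281, "pefu512")
    results = {}
    results["owner_marks"] = tracker.mark_spam(286, "pefu512", t0)
    results["admin_ham"] = tracker.mark_ham(281, "loewis", t0 + timedelta(hours=1))
    try:                                # a non-admin cannot flip admin-marked HAM back to SPAM
        tracker.mark_spam(281, "stranger", t0 + timedelta(hours=2))
        results["override_blocked"] = False
    except PermissionError:
        results["override_blocked"] = True
    results["report"] = dict(tracker.recent_spam_marks(t0 + timedelta(hours=3)))
    return results


if __name__ == "__main__":
    print(demo())
```

The `recent_spam_marks` report is what makes proposal (b) tolerable: a single account mass-marking issues shows up as an outlier count and can be reviewed, while the `ham_by_admin` flag guarantees that anything an admin has vouched for stays visible no matter how many non-admins flag it.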
msg1434 Author: loewis Date: 2009-06-25.06:11:12
> (a) the user whose address is abused should be allowed to Mark as SPAM

I don't know how to implement that.

> (b) (complex and possibly vulnerable to DoS) any user could be allowed
>     to Mark as SPAM
>     - admins would need a Mark as HAM command, and explicitly marked
>       HAM is not possible to mark as SPAM without admin privileges
>     - create a report which looks for recently Marked as SPAM events
>       so that admins and/or volunteers could check for abuse of the
>       system

Finding out what explicitly marked ham is: I don't know how to implement
that, either.
msg1435 Author: izak Date: 2009-06-25.08:27:07
Martin v. Löwis wrote:
> We do have Spambayes for this roundup installation, but with the relatively
> small frequency of spam, it won't learn much except that pefu512 is a frequent
> spammer, and eventually classify your messages as spam by default.

I don't know if this will help, but we have a fairly well-trained 
spamassassin token database that we use on our mail server. We train it 
with all our spam, and occasionally we download the content of our gmail 
spam boxes and train it with that as well. It catches about 90% of our 
spam. Not sure how you'd use it with spambayes though, I don't know 
spambayes at all.

I could also make available the content of our spam mailboxes if you'd 
like to train your spam checker with that?

It all depends whether your spam is the same as ours I suppose. At the 
moment we get about 700 of these fake newsletter things per day.
msg1436 Author: stephen Date: 2009-06-25.17:55:38
Martin v. Löwis writes:
> 
> Martin v. Löwis <martin@v.loewis.de> added the comment:
> 
> > (a) the user whose address is abused should be allowed to Mark as SPAM
> 
> I don't know how to implement that.

I don't know the details yet either, but I'm sure it's possible.  Is
it in principle acceptable as far as you know?  (I'm not asking for a
guarantee, but I'll probably work on this for my own roundup.  If
Python might like it, I might do the work sooner. :)

> > (b) (complex and possibly vulnerable to DoS) any user could be allowed
> >     to Mark as SPAM [and admins could mark HAM]

> Finding out what explicitly marked ham is: I don't know how to implement
> that, either.

Again, I don't have a patch and expect it will take some
experimentation to construct a usable one, but I'm sure it's
possible.  Would Python want to evaluate such a patch for inclusion in
your tracker?
msg1437 Author: loewis Date: 2009-06-25.18:33:41
> > > (a) the user whose address is abused should be allowed to Mark as SPAM
> > 
> > I don't know how to implement that.
> 
> I don't know the details yet either, but I'm sure it's possible.  Is
> it in principle acceptable as far as you know?  (I'm not asking for a
> guarantee, but I'll probably work on this for my own roundup.  If
> Python might like it, I might do the work sooner. :)

It would be fine with me. Notice that we talk about the meta tracker
here - we never had this problem with any other user, on any other tracker.

> > > (b) (complex and possibly vulnerable to DoS) any user could be allowed
> > >     to Mark as SPAM [and admins could mark HAM]
> 
> > Finding out what explicitly marked ham is: I don't know how to implement
> > that, either.
> 
> Again, I don't have a patch and expect it will take some
> experimentation to construct a usable one, but I'm sure it's
> possible.  Would Python want to evaluate such a patch for inclusion in
> your tracker?

Well, "Python" won't evaluate - and I might not have time to evaluate
many roundup patches for the coming months (i.e. I would focus on
important ones).
msg1441 Author: pefu512 Date: 2009-06-29.22:27:35
It occurred once again: Spammers created another spam issue six hours ago: 290
with msg 1438 and I am still unable to remove it myself. :-(

Please help.
Peter.
History
Date                 User     Action  Args
2009-06-29 22:27:36  pefu512  set     messages: + msg1441; title: Spam issue -> Spam issues created using forged email
2009-06-25 18:33:41  loewis   set     messages: + msg1437
2009-06-25 17:55:39  stephen  set     messages: + msg1436
2009-06-25 08:27:08  izak     set     nosy: + izak; messages: + msg1435
2009-06-25 06:11:13  loewis   set     messages: + msg1434
2009-06-24 23:12:15  stephen  set     messages: + msg1433
2009-06-24 19:08:44  loewis   set     messages: + msg1432
2009-06-24 12:33:33  pefu512  set     messages: + msg1431
2009-06-24 03:27:04  loewis   set     nosy: - pefu; messages: + msg1429
2009-06-08 07:01:34  pefu     set     messages: + msg1428
2009-06-01 05:09:31  loewis   set     messages: + msg1414
2009-06-01 03:36:58  stephen  set     nosy: + stephen; messages: + msg1413
2009-05-29 22:21:14  loewis   set     messages: + msg1412
2009-05-29 06:06:47  pefu     set     status: resolved -> chatting; nosy: + pefu; messages: + msg1411
2009-05-28 21:55:55  loewis   set     status: chatting -> resolved; messages: + msg1410
2009-05-28 08:42:19  pefu512  set     priority: bug; nosy: + admin, forsberg, loewis; status: unread -> chatting; messages: + msg1409; title: We will take a great care of your body and soul. -> Spam issue
2009-05-27 21:06:40  pefu512  create