Using Bugzilla to hide spam sites
Damien Miller
djm at mindrot.org
Mon May 14 22:39:26 UTC 2007
On Mon, 14 May 2007, Gervase Markham wrote:
> Developers,
>
> I just had the below spam comment posted to my blog. It struck my eye because
> the URL is a Bugzilla attachment URL.
> Viewing it in "edit" mode:
> http://bugzilla.lyx.org/attachment.cgi?id=1638&action=edit
> shows that the spammer has attached a copy of their pills sale page. It turns
> out that it contains embedded obfuscated JS code which redirects you to the
> real thing if you visit the attachment. So they are using Bugzilla to avoid
> any domain blacklists in my blogging software.
>
> I'm not sure there's much we can do about this. The spammer obviously took
> time to create an account - perhaps automatically, perhaps not. Short of
> implementing Captchas for account signup, or refusing to display HTML
> attachments as HTML, I can't see a counter.
>
> Thoughts?
I got a bunch of these in the OpenSSH bugzilla, so I added a hack to
simply ban all attachments that look like HTML from non-administrators.
This works for us, because we don't really deal with HTML but obviously
isn't a solution for everyone.
-d
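As an added example that is not part of this thread and not Bugzilla's or OpenSSH's own code, the following Python sketches both countermeasures the thread mentions: an upload-time policy in the spirit of Damien's hack (refuse anything that is declared as, or sniffs as, HTML unless the uploader is an administrator), and Gervase's alternative of not displaying HTML attachments as HTML (serve them as plain text with a download disposition). The function names, the marker list, the 4 KiB sniff window and the sample attachments are my assumptions, constructed for the example.

```python
import re
from typing import Dict, Tuple

# Markers that identify HTML regardless of the Content-Type the uploader
# declared; the uploader controls that header, so it cannot be trusted.
# The marker list and the sniff window are assumptions for this example.
_HTML_MARKERS = re.compile(
    rb"<!doctype\s+html|<html[\s>]|<head[\s>]|<body[\s>]"
    rb"|<script[\s>]|<iframe[\s>]|<meta\s",
    re.IGNORECASE,
)
SNIFF_LEN = 4096
HTML_TYPES = {"text/html", "application/xhtml+xml"}

# Constructed sample attachments (not real spam, not real patches).
SPAM_HTML = (
    b"<html><head><title>pharmacy</title>\n"
    b"<script>/* an obfuscated redirect would sit here */</script>\n"
    b"</head><body>cheap pills</body></html>"
)
PATCH_TEXT = b"--- a/auth.c\n+++ b/auth.c\n@@ -1 +1 @@\n-int x;\n+int y;\n"


def looks_like_html(data: bytes, sniff_len: int = SNIFF_LEN) -> bool:
    """Content-based check: do the leading bytes look like HTML?"""
    head = data[:sniff_len]
    if head.startswith(b"\xef\xbb\xbf"):  # drop a UTF-8 BOM
        head = head[3:]
    return _HTML_MARKERS.search(head.lstrip()) is not None


def attachment_allowed(data: bytes, content_type: str,
                       is_admin: bool) -> Tuple[bool, str]:
    """Upload-time policy: administrators may attach anything; everyone
    else is refused attachments that are declared as, or sniff as, HTML."""
    if is_admin:
        return True, "administrator"
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in HTML_TYPES:
        return False, "declared type is HTML"
    if looks_like_html(data):
        return False, "content sniffed as HTML"
    return True, "ok"


def safe_serving_headers(content_type: str, filename: str) -> Dict[str, str]:
    """Serving-time alternative: never render an HTML attachment as HTML.
    Declared HTML is downgraded to text/plain, every attachment is sent as
    a download, and nosniff stops the browser from guessing a richer type."""
    mime = content_type.split(";", 1)[0].strip().lower()
    served = "text/plain; charset=utf-8" if mime in HTML_TYPES else content_type
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # keep the header well-formed
    return {
        "Content-Type": served,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for label, blob in (("spam page", SPAM_HTML), ("patch", PATCH_TEXT)):
        print(label, attachment_allowed(blob, "text/plain", is_admin=False))
    print(safe_serving_headers("text/html", "pills.html"))
```

The sniffing check is a heuristic: it only looks at the first 4 KiB, so HTML placed after enough padding would pass, and a source file that happens to open with one of the marker tags would be refused. The serving-side headers are the more robust control, because an attachment served as `text/plain` with `nosniff` and an `attachment` disposition does not execute script whatever its content, at the cost of no longer previewing legitimate HTML in the browser.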