#1 (permalink)
05-05-2008, 09:10 AM
storm (Junior Member)
Join Date: May 2006
Location: London
Posts: 6
Bugzilla appears to allow email harvesting by spammers

Please can you change the settings in bugzilla as our email addresses appear to be displayed in cleartext, leaving us wide open for all spiders to harvest and spam.

Worse, your bugzilla accounts request we enter our real names on our accounts, thus giving the spiders the benefit of our real names and email addresses.

Please sort this urgently; or, if I'm mistaken, please explain what measures are in place to protect against this.

Many thanks,
stőrm
#2 (permalink)
05-05-2008, 09:27 AM
phoenix (Zimbra Employee)
Join Date: Sep 2005
Location: Vannes, France
Posts: 7,369

What leads you to believe that's a problem? I've entered my details (work and private) and don't notice any increase in spam because of it.
__________________
Regards


Bill
#3 (permalink)
05-05-2008, 03:07 PM
storm (Junior Member)
Join Date: May 2006
Location: London
Posts: 6

I appreciate it may not be a problem on every site; however, there's plenty of evidence that email addresses, from across the web, which are not effectively obfuscated are routinely 'harvested' by spiders.

To give an anecdotal example, I have myself created email addresses for specific purposes where I know they'll be viewable (and harvestable) online, and sure enough I have received spam on them.

Prevention is better than cure, and I can't see a sound reason why full email addresses should appear, unobfuscated, on the zimbra bugzilla system. I would urge zimbra to consider applying the 'precautionary principle' to this issue.

Thanks,
störm
#4 (permalink)
05-05-2008, 04:01 PM
jholder (Zimbra Employee)
Join Date: Oct 2005
Location: San Mateo, CA
ZCS Version: 5.0.5 RHEL4 64-bit GA
Posts: 5,405

Take it up with the guys at Mozilla. Bugzilla is the industry standard, and it's what we use.

They do the same thing:
https://bugzilla.mozilla.org/show_bug.cgi?id=340318

Look at the addresses. Any company who uses bugzilla faces this issue. We do have certain prevention measures in place that many do not.
#5 (permalink)
05-05-2008, 11:06 PM
phoenix (Zimbra Employee)
Join Date: Sep 2005
Location: Vannes, France
Posts: 7,369

Quote:
Originally Posted by storm
To give an anecdotal example, I have myself created email addresses for specific purposes where I know they'll be viewable (and harvestable) online, and sure enough I have received spam on them.

That's just an example of the normal techniques spammers use; they generate millions of email addresses that they then try to deliver.

As another anecdotal example, I've just created an email address on my own server and within 10 minutes there were connection attempts trying to deliver spam to that address - that address has never been out in the wild.

If you think this is a problem then improve the current anti-spam in Zimbra; you can modify the tag/kill percentages and there are plenty of threads in the forums and wiki articles on what you can do to improve your success rate.
__________________
Regards


Bill
#6 (permalink)
05-06-2008, 02:09 AM
storm (Junior Member)
Join Date: May 2006
Location: London
Posts: 6

Thanks for the suggestions Bill/JHolder.

As regards spamming of email addresses that have never been 'out in the wild', I appreciate that spamming technique is utilised; however, my own email addresses have often been fairly unusually constructed - and it's often only after their presence on the web that I start receiving drifts of spam.

I can see it may not be as big a problem as I anticipated; however I still am not convinced that it's a good practice.

In any case, as suggested I'll take the matter up with the makers of this software, though I don't know what chance I'll have!

Cheers,
Störm
#7 (permalink)
05-06-2008, 02:48 AM
storm (Junior Member)
Join Date: May 2006
Location: London
Posts: 6

Redhat's bugzilla service at https://bugzilla.redhat.com does NOT allow email addresses to become visible to users not logged-in.

I have looked up the issue at Mozilla's own bugzilla, and there are quite a number of related bugs, and concern, but not much happening by way of changes; resolution of this issue is retargeted consistently from one release to another (since 2003 indeed).

This is not only a spam issue, but a privacy issue.

People have made a big fuss about the privacy of personal details, and if Facebook, for example, allowed easy public access to email addresses and associated full names there would be an outcry.

Furthermore, the current bugzilla system doesn't even allow a user to change their email address.

I would suggest zimbra takes a look at the Redhat bugzilla system.

In any case, in the meantime, I would quite like my email address either obfuscated, removed or altered.

Can you do this for me please?

Regards
störm