= phenomenon =
I recently filed [https://fedorahosted.org/fedora-infrastructure/ticket/5093 https://fedorahosted.org/pki/ NEEDS_TRIAGE is being SPAMMED] as our TRAC instance has recently come under siege from SPAM.
I received the following reply:
{{{
We are actually looking at an upgrade to trac 1.0 before too long. We want to move to a rhel7 based fedorahosted. We don't have a specific timeline for this yet, just as soon as we can get everything in place.
We may want to look at our captcha on fedora account system accounts, as it seems like all these people got past that to spam, perhaps something is failing there. ;(
There's nothing else I know of that people are using for spam prevention, it's just not been a problem until recently. ;(
}}}
= reason =
I was asked by my colleagues to file a top-level Fedora Infrastructure Ticket as the SPAM has not improved, and if anything, has become even more prevalent.
= recommendation =
We would like to know if you are any closer to a solution, or if we should take action on our own website by limiting who can address our PKI TRAC Instance?
Please provide feedback on what the best course of action is --- thanks!
https://fedorahosted.org/389 is also getting a lot of ticket spam
Filing another ticket on the same ongoing issue seems pointless to me, but ok.
If the issue is getting worse/ongoing, PLEASE let us know, we can't try and do anything if we don't know the problem is persisting.
Very short term: Can you restrict the TICKET_CREATE and TICKET_EDIT permissions to some group? Or do you need the tracs to be fully available to any authenticated user?
Very short term: We can disable accounts that are spamming if we get a list of them and we can delete spam tickets if we get a list of them. That's not any kind of long term solution however. Can you perhaps mail those as you see them to admin@fedoraproject.org? Or I guess update the ticket here...
Medium term: perhaps we can come up with an automated scanner that looks for spam stuff and deletes the tickets often. Or every time it sees a change. ;(
Longer term: we can try and work on moving to newer trac, but the problem here seems to be that there's a group of humans (loosely speaking) doing this so I am not convinced captcha will help too much. They have also been attacking our wiki.
If you can give me a few example spam ticket URLs, I will update my spam checker to also check for trac messages and delete those when it sees them.
Replying to [comment:4 puiterwijk]:
They appear to contain randomly generated ramblings which come from randomized users who seem to be breaching the primary FAS.
All PKI tickets that have been marked as SPAM have been redirected to the N/A Milestone.
This can be seen by running PKI Report 36 - PKI SPAM Tickets:
 * https://fedorahosted.org/pki/query?milestone=N/A&status=assigned&status=new&status=reopened&col=id&col=summary&col=status&col=component&col=reporter&col=owner&col=reviewer&col=rhbz&col=blockedby&col=blocking&order=priority&group=priority&report=36
Here are recent 389 tickets marked as spam: https://fedorahosted.org/389/query?keywords=~spam&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&order=priority
As far as I can see, both 389 and pki have been cleared at this moment. If anyone sees any other tracs that have spam, or more spam on either of those, let me know and I'll run my automated cleanup script.
We have now:
Sorry for this incident, but hopefully we have it fixed up now.
Please re-open if there's anything else we can do for you or you notice something we missed. Thanks.