Bug 64713

Summary: bugs.kde.org not protecting email address
Product: [Websites] bugs.kde.org Reporter: TarquinWJ <konq_bugzilla>
Component: general Assignee: Matt Rogers <mattr>
Status: RESOLVED NOT A BUG    
Severity: wishlist CC: bugs-kde, kde-2011.08
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: RedHat Enterprise Linux   
OS: Linux   
Latest Commit: Version Fixed In:

Description TarquinWJ 2003-09-22 09:57:51 UTC
Version:            (using KDE KDE 3.1)
Installed from:    RedHat RPMs0

bugs.kde.org writes email addresses in plain text;
mailto:email@address.com
This makes it far too easy for spammers to crawl your site and harvest them. Problem is that I only realised this AFTER I put in my email address and commented on a bug, so now my email address will be added to their lists.

I want to be able to change my email address to validUser@REMOVE_THISvalidDomain.com as this stops address harvesting, but your system requires me to confirm that it is a valid email address. The whole point is that I want to enter an INVALID email address. Either that or even better, please try and encode the email address in a way that spammers cannot understand. Using JavaScript is a good start (some people use HTML entities, but spammers can decode these easily).

For an example, see my email address on this page. Fortunately, I have created an email address specially for your site, so I will just have to block all emails to that address.
Comment 1 Stephan Kulow 2003-09-22 10:55:53 UTC
Log out of the system and notice the difference.
Comment 2 TarquinWJ 2003-09-22 12:10:10 UTC
Aah, sorry. I had tried that, but Opera had cached the page, even when I hit 
reload. 'Resolution: INVALID' is quite right.
Comment 3 J 2007-11-08 19:58:43 UTC
Hello,

How do you prevent spammers from logging in and thus getting email addresses?
Comment 4 Dotan Cohen 2008-10-09 14:43:41 UTC
I am reopening this bug as spammers are becoming more creative and simply logging in to scrape email addresses is trivial. I am receiving much spam to the address which I use exclusively on BKO.

I propose that until a user reaches a special threshold (has a bug verified, commits a patch, or some other trivial check) then he does not see other users' email addresses.
Comment 5 Pino Toscano 2008-10-09 14:56:10 UTC
(In reply to comment #4)
> I am reopening this bug as spammers are becoming more creative and simply
> logging in to scrape email addresses is trivial. I am receiving much spam to the
> address which I use exclusively on BKO.

Bugzilla's email changes are addressed to a public mailing list (kde-bugs-dist).

> I propose that until a user reaches a special threshold (has a bug verified,
> commits a patch, or some other trivial check) then he does not see other users'
> email addresses.

That is too unfair for simple reporters. People complain that "it is too hard to report bugs in KDE", putting more thresholds will not help.

Resolution stays INVALID, as Bugzilla itself *does* have spam protections.
Comment 6 Dotan Cohen 2008-10-09 17:25:02 UTC
> That is too unfair for simple reporters. People complain that "it
> is too hard to report bugs in KDE", putting more thresholds will
> not help.

This does not make it any harder to report bugs. In fact, I am only a reporter (I do not know how to program). That is why I suggested that even having a bug confirmed would be enough to allow access to the email addresses.

This would not add a threshold to the reporting of bugs in BKO. Only to the access of the email addresses of other users.
Comment 7 Anselm 2009-02-17 20:03:28 UTC
I completely agree with the initial poster.
I'm only a simple reporter, too (in fact I only posted one bug so far), and I fear my address gets crawled as I get spam to almost all addresses I posted publicly on the net so far.

If there are measures to prevent address crawling I didn't notice any and would like to know more about them.

I actually was reluctant to even register because I saw no measures in that regard.
Comment 8 Dotan Cohen 2009-06-23 11:30:07 UTC
See related bug 197592:
Captcha or other verification to receive email addresses