Version: (using KDE 3.5.9)
Installed from: Compiled From Sources
As mentioned in Bug 139018, I keep getting re-spidered by spammers whenever I switch KDE Bugzilla to a new spamgourmet.com alias. (Japanese spammers, mostly)
Since it wasn't possible to figure out how the e-mails are leaking, I consider the inability to apply supplemental protections a bug. Here are some potential solutions based on how I avoid spam on other sites:
1. Provide a "Send all mail from a single address" checkbox so that, as with every other Bugzilla install I have an account on, I can use e-mail address whitelisting. Even without an SPF record, this usually works extremely well.
2. Don't expose e-mails at all. Only allow people to make initial contact with other users via mail forms. (Works quite well for some sites, but you run the risk of not plugging the leak)
4. Dump the e-mail requirement altogether and allow people to watch for updates via RSS. (Unorthodox, but could work)
What about filtering on X-Bugzilla-URL (or another X-Bugzilla-* header instead)? X-Bugzilla-URL is specific to bugs.kde.org but there are others that are not specific. Our non-use of a single from to send bugzilla emails from is a feature IMO.
GMail and all other webmail systems I'm familiar with don't support filtering on arbitrary headers.
Dear Bug Submitter, This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response; please change the Status back to REPORTED when you respond. Thank you for helping us make KDE software even better for everyone!
You now seem to be using a single address (bugzilla_noreply@kde.org) for sending notifications, which technically does satisfy the standards I had in 2008. However, a lot has happened in the decade since then and, even in 2008, Bugzilla's decision to put e-mail addresses in the HTML source of bug pages without even attempting to obfuscate them gave the impression that Bugzilla had been built in the 90s and received nothing more significant than reskins since. (i.e. It helps to make Bugzilla feel like a massively featureful mailing list package in a world of GitLab and Discourse instances.) Given that I actually *did* have to change the alias exclusively assigned to this account because some spambot scraped it and started sending me spam, I think this should stay open until a proper fix is implemented.
Unfortunately I think your impression is largely correct. Regardless, since the original request has been implemented, I think it would make sense to request further improvements upstream. Not that there's a likelier chance of it being done there, but there isn't much we can do here due to our "no code changes to Bugzilla" policy.