user sign up/registration process is being used to spam people

Bug #341935 reported by James Troup on 2009-03-12
Affects                | Status | Importance | Assigned to     | Milestone
Canonical SSO provider |        | Undecided  | Unassigned      |
Launchpad itself       |        | High       | Brad Crittenden |

Bug Description

The sign up/registration process will send email to any address entered
into it. From monitoring feedback loops with the larger mail hosts, I
can confirm this is actively being abused (some of the reports will be
confused users, based on the other reports, but certainly not all of them
are). This is causing our MTAs/IPs to get a bad 'reputation' and
causing problems with sending mail to larger mail providers who actively
track feedback from users about spam.

I'm afraid I don't know of a reliable solution for this other than
Captchas.

Francis J. Lacoste (flacoste) wrote :

How is this really a problem?

I mean this can't really be considered spam, really. And blacking out a SMTP server on that basis is kind of bullyish. It's like forcing down "captcha" in user registrations all over the world.

Changed in launchpad-foundations:
status: New → Incomplete

"Francis J. Lacoste" <email address hidden> writes:

> How is this really a problem?
>
> I mean this can't be really consider spam, really.

... sorry what? Launchpad is being (ab)used to send unsolicited emails
in bulk[1]. That's pretty much the dictionary definition of spam, no?

> And blacking out a SMTP server on that basis is kind of bullyish.

I didn't say we'd been 'blacked out' or even 'black listed' and
certainly not on that basis alone. I said it's contributing to us
getting a bad reputation, i.e. that and other things (like #341927) are
causing us to have problems delivering mail to the larger providers.

> It's like forcing down "captcha" in user registrations all over the
> world.

I'm not trying to force captchas on anyone. All I'm suggesting is that
having a web form that sends email to any given address with no checking
that the person using the web form is a human, a) probably isn't the
best plan and b) is actively causing us problems right now.

I'm honestly stunned that this is at all controversial.

--
James

[1] From a single Feedback Loop (aol.com), I've seen at least 10 reports
    in a day of people reporting the registration email as spam.

James Troup (elmo) on 2009-03-13
Changed in launchpad-foundations:
status: Incomplete → New
Francis J. Lacoste (flacoste) wrote :

By a coincidence?, I received 20 bogus 'Launchpad: complete your registration.' messages last night.

So I see what you mean. I see two things we could do to hinder the use of bots on that page:

1) Check the referer on the POST to be the actual form. If bots don't fake a sane referer by default, that would stop a few of them.

2) Use a nonce on the form, so that the bots would need to fetch the form and support cookies to register.

I think 2 is probably more robust than 1, but the former is a lot cheaper.

What do you think?
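
The two checks Francis proposes, written out as an added example (this is not Launchpad code, and the URL, secret and nonce lifetime are constructed assumptions): the nonce is an HMAC over the visitor's session id and an issue time, so a submitter has to fetch the form with a session cookie and present the same cookie on the POST; the Referer test is kept as the cheap, weak signal it is.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: in a real deployment this secret comes from configuration,
# not from source; the value here is constructed for the example.
SERVER_SECRET = b"constructed-example-secret-rotate-me"

NONCE_MAX_AGE = 15 * 60  # seconds a form nonce stays valid (assumed value)

# Assumption: the registration form lives at this URL ("example.org" is a placeholder).
FORM_URL = "https://www.example.org/+login"


def issue_form_nonce(session_id: str, now: Optional[int] = None) -> str:
    """Make a nonce to embed in the form as a hidden field.

    It is bound to the visitor's session cookie and to an issue time and
    signed with HMAC-SHA256, so a bot cannot mint one without first fetching
    the form with a session cookie it will have to present again on POST.
    """
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_form_nonce(session_id: str, nonce: str, now: Optional[int] = None) -> bool:
    """Accept the nonce only if it was issued to this session and is not stale."""
    now = int(time.time()) if now is None else now
    try:
        ts_str, mac = nonce.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - ts <= NONCE_MAX_AGE:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so timing does not leak the expected MAC
    return hmac.compare_digest(expected, mac)


def check_registration_post(session_id: str, form: dict, headers: dict,
                            now: Optional[int] = None) -> str:
    """Apply both checks to a POST. Returns 'ok' or the name of the failed check.

    The Referer test is suggestion 1 (cheap, trivially spoofed); the nonce is
    suggestion 2. Both are named in the result so logs show which one failed.
    """
    referer = headers.get("Referer", "").split("?", 1)[0]
    if referer != FORM_URL:
        return "bad-referer"
    if not verify_form_nonce(session_id, form.get("nonce", ""), now=now):
        return "bad-nonce"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    sid = "session-cookie-abc123"
    good = {"email": "someone@example.org", "nonce": issue_form_nonce(sid, now=1_700_000_000)}
    print(check_registration_post(sid, good, {"Referer": FORM_URL}, now=1_700_000_060))
    forged = {"email": "victim@example.org", "nonce": "1700000000.deadbeef"}
    print(check_registration_post("other-session", forged, {"Referer": FORM_URL}, now=1_700_000_060))
```

The nonce needs no server-side storage because the session id it is bound to is what the cookie already carries; rotating SERVER_SECRET invalidates every outstanding form, which is acceptable given the short lifetime.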

Changed in launchpad-foundations:
importance: Undecided → High
status: New → Triaged
Matthew Paul Thomas (mpt) wrote :

3) In combination with #1 and/or #2, limit the number of "Complete your registration" messages sent to any e-mail address to ~2 per day and ~4 per month. (For bonus points, count <email address hidden> and <email address hidden> as a single e-mail address.)

4) Use a text-only (e.g. math) captcha. This would be no problem for Launchpad's target user base, i.e. software developers, but would make it (even more) important for shop.canonical.com to stop requiring every customer to have a Launchpad account.

Stuart Bishop (stub) wrote :

I don't think we are being targeted. I think the bulk of this is the bots that crawl around submitting any form they can trying to get comments containing their spam links posted somewhere/anywhere. Low hit rate, but if you have a horde of zombies that doesn't matter...

Neither of Francis' suggestions defend against these. All but the dumbest will handle cookies and referer headers.

Matthew's suggestions work. Number 4 would be easy to implement. This will also stop the bots from registering in the first place and creating bogus bug comments for an extra win. It would be trivially defeatable by a bot author, but that will only be a problem if someone actively targets us (which is rather pointless given our user base and use of nofollow etc.).

Stuart Bishop (stub) wrote :

btw. For our purposes as a provider, spam is whatever users report as spam. It has nothing to do with the content or if they actually requested it or not. We have similar issues whenever users start getting email they didn't think they signed up for.

Matthew Paul Thomas (mpt) wrote :

Since this bug report is public, I've made public bug 78039, which is where I made suggestion #3 a couple of years ago.

Francis J. Lacoste (flacoste) wrote :

I think the math captcha is a good solution.

Let's do it!

Francis J. Lacoste (flacoste) wrote :

Would probably make sense to fix bug 88827 at the same time.

Gary Poster (gary) on 2009-08-21
Changed in launchpad-foundations:
milestone: none → 3.1.10
Gary Poster (gary) wrote :

Curtis has agreed to do this. Thank you!

affects: launchpad-foundations → launchpad-registry
Changed in launchpad-registry:
milestone: 3.1.10 → none
Curtis Hovey (sinzui) on 2009-10-02
Changed in launchpad-registry:
milestone: none → 3.1.10
Barry Warsaw (barry) wrote :

mpt's suggestion #3 is excellent and we should do that. His #4 suggestion can be easily defeated, but will the bots go through that effort? We should also rate limit the number of requested registrations allowed per IP or domain.

http://recaptcha.net/ is a nice idea.

Brad Crittenden (bac) on 2009-10-05
Changed in launchpad-registry:
assignee: nobody → Brad Crittenden (bac)
Curtis Hovey (sinzui) on 2009-10-05
Changed in launchpad-registry:
status: Triaged → In Progress
Barry Warsaw (barry) wrote :

@Francis: well, for one thing, if your email address is already registered and validated with Launchpad, why are we ever sending them a "complete your registration" email? If we can eliminate that, maybe we can solve a big part of the problem without resorting to ineffective usability nightmares like captcha?

Brad Crittenden (bac) wrote :

Any captcha we use will need to have an audio work-around for accessibility. A simple math-based captcha would need the corresponding audio prompts, which means it's not as simple any more.

Why does a math-based captcha need an audio prompt? Is something like "Enter the result of 2 plus 7 into the following entry box" something which visually impaired users cannot do?

Barry Warsaw (barry) wrote :

So login will happily send you as many confirmations as you request, each with a different token. If you're trying to log in more than once it's probably because you haven't gotten the confirmation message. We really need to rate limit that. A simple approach would be if we already see you in the pending set, we would direct you to answers or feedback for more help. (And perhaps not send you another confirmation, or rate limit it.)
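
An added example (not Launchpad code) that combines mpt's suggestion #3 with the two points Barry raises above: a per-address budget of ~2 confirmation mails per day and ~4 per month, no mail at all for an address that is already validated, and a "you already have one pending, here is where to get help" path for repeat requests. The budget numbers come from the thread; the address folding rule (case and a "+tag" in the local part) is an assumption, since the addresses mpt compared are hidden on this page, and the validated-address set stands in for a database lookup.

```python
import time
from collections import defaultdict, deque
from typing import Iterable, Optional, Set

DAY = 24 * 60 * 60
MONTH = 30 * DAY
PER_DAY = 2    # "~2 per day"
PER_MONTH = 4  # "~4 per month"


def canonical_address(addr: str) -> str:
    """Fold an address to one key so trivial variants share a budget.

    Assumption: case differences and a "+tag" in the local part are the
    variants meant by "count ... as a single e-mail address"; adjust to
    whatever the receiving MTAs actually treat as the same mailbox.
    """
    local, _, domain = addr.strip().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local.lower()}@{domain.lower()}"


class RegistrationMailLimiter:
    """Decides whether a 'complete your registration' mail may go out."""

    def __init__(self, per_day: int = PER_DAY, per_month: int = PER_MONTH,
                 validated: Iterable[str] = ()):
        self.per_day = per_day
        self.per_month = per_month
        # Addresses that already have a validated account (constructed set;
        # in the real service this is a database query).
        self.validated: Set[str] = {canonical_address(a) for a in validated}
        # canonical address -> send times, oldest first
        self._sent = defaultdict(deque)

    def request(self, addr: str, now: Optional[float] = None) -> str:
        """Return the action for one request from the sign-up form.

        'send'              first mail inside the month window
        'resend-with-help'  an earlier token is still pending: send, but point
                            the user at help instead of silently re-mailing
        'limit-day' / 'limit-month'  budget exhausted, send nothing
        'already-registered'  validated address, never needs this mail
        The web page shown to the submitter should look the same in every
        case so the form does not reveal which addresses are registered.
        """
        now = time.time() if now is None else now
        key = canonical_address(addr)
        if key in self.validated:
            return "already-registered"
        q = self._sent[key]
        while q and now - q[0] > MONTH:
            q.popleft()
        in_month = len(q)
        in_day = sum(1 for t in q if now - t <= DAY)
        if in_month >= self.per_month:
            return "limit-month"
        if in_day >= self.per_day:
            return "limit-day"
        q.append(now)
        return "resend-with-help" if in_month else "send"


if __name__ == "__main__":
    # Constructed sequence of requests against one mailbox, spoofed or not.
    limiter = RegistrationMailLimiter(validated=["exists@example.org"])
    t0 = 1_700_000_000
    for offset, addr in [(0, "Someone@Example.org"), (100, "someone+news@example.org"),
                         (200, "someone@example.org"), (DAY + 1, "someone@example.org"),
                         (0, "exists+anything@EXAMPLE.org")]:
        print(offset, addr, "->", limiter.request(addr, now=t0 + offset))
```

Keeping the per-address history in a deque of timestamps means the month window is evaluated lazily on each request, so nothing has to expire entries in the background; for a multi-process deployment the same counters would live in the database or a shared cache rather than in process memory.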

Brad Crittenden (bac) wrote :

@Łukasz Czyżykowski You are correct as long as we verify the text is recognizable by a screen reader. I was confusing myself. Thanks for the reminder.

An error was encountered:
Traceback (most recent call last):
  File "pqm/bin/pqm", line 81, in do_read_mode
    sender, msg, sig, 1, logger, options.keyring)
  File "/home/pqm/pqm/pqm/__init__.py", line 75, in verify_sig
    raise PQMException(sender, "Failed to verify signature: %s" % e._value)
PQMException: 'Failed to verify signature: gpgv exited with error code 2'

Brad Crittenden (bac) wrote :

r 9666

Changed in launchpad-registry:
status: In Progress → Fix Committed
Francis J. Lacoste (flacoste) wrote :

Bug 452491 tracks the similar problem on the forgotten password form.

Brad Crittenden (bac) on 2009-11-09
Changed in launchpad-registry:
status: Fix Committed → Fix Released

This was addressed in c-i-p by using recaptcha.

Changed in canonical-identity-provider:
status: New → Fix Released