
classification
Title: spammers mine emails from bugs.python.org
Stage: resolved
Components: email

process
Status: closed
Resolution: third party
Nosy List: SilentGhost, barry, brett.cannon, joern, r.david.murray
Priority: normal

Created on 2017-11-30 08:00 by joern, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg307280 - Author: Jörn Hees (joern) Date: 2017-11-30 08:00
On every platform that I create an account on, I use a new randomized email address. This allows me to track which platforms sell my account info to spammers.

The one I used for bugs.python.org now receives astonishing amounts of spam (mostly bitcoin spam atm).

I hope you don't sell the account information of your contributors to third parties, but instead believe in a design flaw of your bug tracking system and some way that spammers can currently harvest the email addresses of all of your contributors.

Please investigate how this is possible and ways to protect your users' data.

msg307283 - Author: Jörn Hees (joern) Date: 2017-11-30 09:45
Oh, how convenient... as a logged-in user I can just see every other user's email... but there's more, I can just go to https://bugs.python.org/user?@startwith=0&@pagesize=30000&@sort=username and see all "obfuscated" emails. A low hanging fruits approach very likely will return most of the real emails:
'.'.join(s.split()[:-1]) + '@' + s.split()[-1] + '.com'

Let me provide you with a preliminary free analysis of the 50 most frequent email domains of all 21803 users on bugs.python.org:

10554, "gmail"
3663, "sourceforge"
411, "yahoo"
179, "googlemail"
176, "co"  # low hanging fruits as I said
167, "gmx"
98, "hotmail"
92, "com"  # low hanging fruits as I said
81, "google"
69, "163"
62, "redhat"
57, "mail"
51, "ac"
51, "me"
50, "web"
43, "free"
41, "mit"
41, "qq"
40, "org"
33, "iki"
30, "yandex"
28, "python"
25, "comcast"
25, "edu"
25, "pobox"
23, "id"
22, "ibm"
21, "acm"
21, "fastmail"
20, "live"
19, "mac"
18, "mailinator"
18, "net"
17, "126"
17, "gentoo"
17, "seznam"
16, "protonmail"
15, "aol"
15, "intel"
14, "debian"
13, "canonical"
13, "email"
13, "laposte"
12, "inbox"
12, "ubuntu"
12, "verizon"
12, "xs4all"
11, "icloud"
11, "ieee"
11, "posteo"

Please make this a bit harder!
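
A defender-side check for the bulk listing request quoted in msg307283, as an added example that is not part of the original thread or of the tracker's code: it scans web access-log lines for successful /user listing requests whose @pagesize exceeds a limit. The Common Log Format, the 100-row threshold, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: largest page size a normal browsing session would request.
MAX_PAGESIZE = 100

# Common Log Format: client ... "METHOD target PROTOCOL" status ...
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Nov/2017:09:40:12 +0000] '
    '"GET /user?@startwith=0&@pagesize=30000&@sort=username HTTP/1.1" 200 4812345',
    '203.0.113.20 - - [30/Nov/2017:09:41:02 +0000] '
    '"GET /user?@startwith=0&@pagesize=50 HTTP/1.1" 200 10422',
    '203.0.113.20 - - [30/Nov/2017:09:41:30 +0000] '
    '"GET /issue?@pagesize=50000 HTTP/1.1" 200 99120',
    '192.0.2.44 - - [30/Nov/2017:09:42:10 +0000] '
    '"GET /user?%40pagesize=25000 HTTP/1.1" 200 4012200',
    '192.0.2.44 - - [30/Nov/2017:09:42:11 +0000] '
    '"GET /user?@pagesize=30000 HTTP/1.1" 403 512',
]

def bulk_listing_requests(log_lines, max_pagesize=MAX_PAGESIZE):
    """Return (client, pagesize) for each successful /user listing
    request whose @pagesize exceeds max_pagesize."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        if not status.startswith("2"):
            continue  # request was refused or failed; nothing was served
        url = urlsplit(target)
        if url.path.rstrip("/") != "/user":
            continue  # only the user listing exposes the address column
        # parse_qs percent-decodes keys, so %40pagesize is caught as well.
        values = parse_qs(url.query).get("@pagesize", [])
        try:
            size = max(int(v) for v in values)
        except ValueError:
            continue  # parameter absent or not numeric
        if size > max_pagesize:
            hits.append((client, size))
    return hits

if __name__ == "__main__":
    for client, size in bulk_listing_requests(SAMPLE_LOG):
        print(f"{client} requested {size} user rows in one page")
```
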

msg307412 - Author: Brett Cannon (brett.cannon) (Python committer) Date: 2017-12-01 20:56
We don't sell any information to anyone. If you would like to file a bug to have email addresses obfuscated more than the correct place to file that is http://psf.upfronthosting.co.za/roundup/meta .

Obviously any help in updating the code would be appreciated as the issue tracker predates e.g. bitcoin and this is entirely volunteer-run.

msg342475 - Author: SilentGhost (SilentGhost) (Python triager) Date: 2019-05-14 15:31
Meta tracker hasn't been available for a while but the issues can be reported at https://github.com/python/bugs.python.org/issues

History
Date | User | Action | Args
2022-04-11 14:58:55 | admin | set | github: 76358
2019-05-14 15:31:09 | SilentGhost | set | status: open -> closed; type: security -> ; nosy: + SilentGhost; messages: + msg342475; resolution: third party; stage: resolved
2017-12-01 20:56:44 | brett.cannon | set | nosy: + brett.cannon; messages: + msg307412
2017-11-30 09:45:54 | joern | set | messages: + msg307283
2017-11-30 08:00:17 | joern | create |