Bug tickets, spammers and captcha
Spam stinks
Spam drives me nuts. It should be obvious since I wrote a spam filter to scratch my personal itch against spammers, but they are getting more and more aggressive. Apparently they are now targeting FogBugz (the bug tracking system we use) as well.
Why FogBugz?
The obvious question is why bother targeting it at all? Well, it is because FogBugz does nothing to prevent it, and in fact has always prided itself on the fact that ANYONE can open a bug ticket. So, spammers are pounding it now. We have seen a little over 6,000 bug tickets in the past 5 days opened as posts on the site for FogBugz.
I have tracked these down to the point where I know the exact pattern of the bot they use to see if FogBugz is present, but I can't do anything about it. So we implemented a Captcha system to sit in front of FogBugz for the time being. It is probably not a permanent solution, and I fully expect that spammers will figure it out at some point, but maybe the software will get its act together by then and implement a reasonable anti-spam measure.
reCAPTCHA?
So why did we use reCAPTCHA? Basically because it is free, but also because I like the fact that everyone who uses it is actually helping to read books while they use it. How's that? From their site:
About 60 million CAPTCHAs are solved by humans around the world every day. In each case, roughly ten seconds of human time are being spent. Individually, that's not a lot of time, but in aggregate these little puzzles consume more than 150,000 hours of work each day. What if we could make positive use of this human effort? reCAPTCHA does exactly that by channeling the effort spent solving CAPTCHAs online into "reading" books.
To archive human knowledge and to make information more accessible to the world, multiple projects are currently digitizing physical books that were written before the computer age. The book pages are being photographically scanned, and then, to make them searchable, transformed into text using "Optical Character Recognition" (OCR). The transformation into text is useful because scanning a book produces images, which are difficult to store on small devices, expensive to download, and cannot be searched. The problem is that OCR is not perfect.
It is a pretty good use of this technology from my perspective. It helps sites prevent spam, and it gives something back in the form of decent human OCR for old books. Take a look yourself for what they did. I am using the .NET API from their Google Code site.
Older tickets
If you have an existing email ticket with the URL embedded, you can copy it and replace bugs with bugs2 and it should work just fine. Or you can just visit the bug tracking site and fill out the form directly using the information from the email.
This is a pain, but it is necessary for a while. I take bug tickets seriously. Every single ticket is summarized and sent to my cell phone as an SMS message when it is created. Yes, this means I have been flooded with spam to my cell phone over the past few days! This is a good example of spammers costing people money, time, energy, effort, etc. I better stop right there before I start on my rant about spammers and bots needing to be hunted down like rabid dogs (oops, did it anyway).

Comments
Joel Spolsky on 4.02.2008 at 6:41 PM
Hey Jason!
Sorry you're having so much trouble!
There are spambots these days that just surf around the web looking for forms they can fill out. They're hoping that some percentage of those forms are comment pages that will republish whatever they spew. Presumably they have hyperlinks in the spam which point back to their site. The real goal is to raise the Google PageRank of their clients by creating inbound links from unrelated sites.
Anyway, the best way to avoid this with FogBugz is to get public bugs submitted using email or the discussion group feature. Both of those are spam filtered using Bayesian filtering, so in no time at all you'd have it trained on this particular spammer. I get tons of this particular form of spam on the Joel on Software discussion group but nobody ever sees it because the Bayesian filter works so well. Thanks, Paul Graham.
Jason Short on 4.02.2008 at 10:52 PM
Hey Joel!
Spammers in this case are targeting your FogBugz :(. I created a dummy form with all the same fields sitting on default.asp without any FogBugz tags and the same bots came and went without posts. I was hoping they would post because I set up a trap to keep holding them with HTTP delay tactics.
You guys should work with reCAPTCHA and implement their system into FogBugz. It is clean, free, stable and works (good combo).
Joel Spolsky on 4.03.2008 at 11:29 AM
We'll look into that... But the trouble with captchas is that spammers run porn sites that show people porn in exchange for solving the captcha. (And thus at zero cost they recruit an army of captcha solvers).
So eventually the spam still gets through... it's just an escalation. The nice thing about Bayesian filtering (which FogBugz does in discussions and with email) is that it adapts to new spam techniques pretty well.... after several years using it, I still get zero spam in my inbox (despite having an email address that's been all over the Internet since 1993 or so), and you can see from the public FogBugz discussion groups like support.fogcreek.com that spam is never a problem.
I think what would really solve your problem would be if the public bug submission page went through the same Bayesian filtering as incoming email does.
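Added example, not part of the original post or its comments: a minimal sketch of the Bayesian filtering idea discussed above, applied to public ticket submissions, showing how one labelled sample of a new spam style shifts the score. It is a simplified naive Bayes classifier, not FogBugz's filter; `TicketFilter`, `build_filter` and all sample texts are hypothetical and constructed for illustration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$'.:/-]+")  # keeps URLs whole so link hosts become features

def tokens(text):
    return set(TOKEN.findall(text.lower()))

class TicketFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        # Naive Bayes in log-odds form; add-one smoothing so unseen tokens never zero it out.
        log_odds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        for tok in tokens(text):
            p_spam = (self.counts["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.counts["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-50.0, min(50.0, log_odds))  # avoid overflow in exp()
        return 1 / (1 + math.exp(-log_odds))

    def hold_for_review(self, text, threshold=0.9):
        # Tickets at or above the threshold are queued instead of published or sent by SMS.
        return self.spam_probability(text) >= threshold

# Constructed training samples (not real tickets).
SPAM = ["Cheap pills online best price http://pills.example/buy",
        "Buy replica watches cheap http://watches.example click here",
        "Best casino bonus click here http://casino.example"]
HAM = ["Crash when saving report, stack trace attached, version 2.1",
       "Filter rule ignored after upgrade to version 2.1",
       "Cannot import address book, error on startup"]

def build_filter():
    f = TicketFilter()
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    return f

if __name__ == "__main__":
    f = build_filter()
    new_style = "Refinance your mortgage today http://loans.example"
    print("before training:", round(f.spam_probability(new_style), 3))
    f.train(new_style, "spam")  # one operator click on "this is spam"
    print("after training: ", round(f.spam_probability(new_style), 3))
```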