Fighting Trac Spam

For MapBuzz, we use a popular open source project called Trac for managing our bugs, feature requests, release schedules, etc.  As long as you don’t have complex requirements, Trac is pretty good – it’s a lot more pleasant to use than expensive commercial products such as Rational ClearQuest.

Unlike ClearQuest, Trac is designed to live on the Web.  But living on the Web can be dangerous – in recent months our database was getting overwhelmed by spam.  Cleaning it out was becoming a tedious, daily chore.

After trying a variety of countermeasures over a period of a few months, I finally gave up and handed it over to Anders (and do take a look at the very cool URI he has).  It took him about one minute to diagnose the problem – spammers weren’t coming in through the front door, they were coming in through the back door.  I had assumed that spammers were using Trac’s web interface to further their nefarious causes, but instead they were using our automated email ticket submission system.  The way that works is that when an error is generated, either on a MapBuzz client or server, an email with all the relevant information is sent to Trac’s ticket submission address, and Trac turns it into a ticket.  Because that address accepted mail from anywhere on the Internet, anyone who discovered it could create tickets simply by sending mail to it.  Bugs submitted that way are easy to spot – we use the imaginative names “MapBuzz Client Error” or “MapBuzz Server Error” for them.

The solution was obvious – only accept ticket email from machines on the MapBuzz network (what Postfix calls mynetworks).  But figuring out how to do it was another thing.  The problem with not having a full-time admin is that there is always a huge startup cost in fixing IT problems as you rack your brain trying to remember how some complex piece of software works.  In this case it was Postfix, and after an hour of rummaging through the manuals, we finally discovered the right incantation.  Undoubtedly there are other ways to do this, and probably better ways, but we added the following entry to the Postfix access table roleaccount_exceptions.  In an access table the left-hand column is the recipient address the entry applies to (the Trac ticket address in our case) and the right-hand column is the list of restrictions to apply; note that a line starting with # is a comment, so the comment has to sit on its own line rather than in front of the action:

# Only allow sending to trac from local domain
<trac ticket address>    permit_mynetworks,reject

Or in English: mail addressed to the Trac ticket address is accepted only when the connecting SMTP client is inside mynetworks, and rejected from everyone else.  Two things worth knowing: permit_mynetworks looks at the IP address of the client talking to Postfix, not at the From header or envelope sender, so a spammer cannot get around it by forging a MapBuzz address; and the entry only does its job if mynetworks is kept tight and the check runs before any restriction that would otherwise permit the remote client.  And voilà – no more spam!
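To make the behaviour of that entry concrete, here is a small Python model (an added example, not code from the post or from Postfix itself) of how Postfix evaluates a check_recipient_access entry of permit_mynetworks,reject for one RCPT TO command.  The file names, the address trac@mapbuzz.example, the network ranges and the main.cf fragment are all assumptions made for the illustration; Postfix’s real lookup and restriction engine is considerably richer, but the permit/reject/dunno logic shown here is the part that matters for this fix.

```python
# Added example (not from the original post or from Postfix): a model of how
# Postfix evaluates an access(5) entry such as "permit_mynetworks,reject".
# The address trac@mapbuzz.example, the file name and the network ranges
# are assumptions chosen for illustration.
import ipaddress

# Constructed main.cf fragment showing where the table hooks in: it is
# consulted for every recipient before the general permit/reject logic.
MAIN_CF_FRAGMENT = """
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed access table (hypothetical address). Lines beginning with '#'
# are comments, so the comment must be on its own line.
ROLEACCOUNT_EXCEPTIONS = """
# Only allow sending to trac from local domain
trac@mapbuzz.example    permit_mynetworks,reject
"""

MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]


def parse_access_table(text):
    """Parse 'key action[,action...]' lines of an access(5) table."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, actions = line.split(None, 1)
        table[key.lower()] = [a.strip() for a in actions.split(",") if a.strip()]
    return table


def in_mynetworks(client_ip, mynetworks):
    """permit_mynetworks matches the SMTP client's IP address, never a header."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in mynetworks)


def lookup(table, recipient):
    """access(5) tries user@domain, then the domain, then user@."""
    recipient = recipient.lower()
    user, _, domain = recipient.partition("@")
    for key in (recipient, domain, user + "@"):
        if key in table:
            return table[key]
    return None


def evaluate(actions, client_ip, mynetworks):
    """Restrictions run left to right; the first PERMIT or REJECT wins.
    DUNNO means 'no opinion', so evaluation moves on to the next one."""
    for action in actions:
        if action == "permit_mynetworks":
            if in_mynetworks(client_ip, mynetworks):
                return "PERMIT"
        elif action in ("reject", "REJECT"):
            return "REJECT"
        elif action in ("permit", "OK"):
            return "PERMIT"
        else:
            raise ValueError(f"restriction not modelled: {action}")
    return "DUNNO"


def check_recipient_access(client_ip, recipient,
                           table_text=ROLEACCOUNT_EXCEPTIONS,
                           mynetworks=MYNETWORKS):
    """Outcome of the check_recipient_access step for one RCPT TO."""
    actions = lookup(parse_access_table(table_text), recipient)
    if actions is None:
        return "DUNNO"  # no entry for this recipient: later restrictions decide
    return evaluate(actions, client_ip, mynetworks)


if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.10", "trac@mapbuzz.example"),
                     ("203.0.113.5", "trac@mapbuzz.example"),
                     ("203.0.113.5", "bob@mapbuzz.example")]:
        print(f"{ip:>12} -> {rcpt:<22} {check_recipient_access(ip, rcpt)}")
```

The three sample calls show the shape of the fix: a client inside mynetworks reaches the Trac address, a client outside it is rejected at RCPT TO time before any message body is accepted, and mail to any other address gets no opinion from the table and falls through to the remaining restrictions, so ordinary mail to the domain is unaffected.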