Fighting Trac Spam

For MapBuzz, we use a popular open source project called Trac for managing our bugs, feature requests, release schedules, etc.  As long as you don’t have complex requirements, Trac is pretty good – it’s a lot more pleasant to use than expensive commercial products such as Rational ClearQuest.

Unlike ClearQuest, Trac is designed to live on the Web.  But living on the Web can be dangerous – in recent months our database was getting overwhelmed by spam.  Cleaning it out was becoming a tedious, daily chore.

After trying a variety of countermeasures over a period of a few months, I finally gave up and handed it over to Anders (and do take a look at the very cool URI he has).  It took him about one minute to diagnose the problem – spammers weren’t coming in through the front door, they were coming in through the back door.  I had assumed that spammers were using Trac’s web interface to further their nefarious causes, but instead they were using our automated email ticket submission system.  The way that works is when an error is generated, either on a MapBuzz client or server, an email with all the relevant information is sent to trac@mapbuzz.com.  Bugs submitted that way are easy to spot – we use the imaginative names “MapBuzz Client Error” or “MapBuzz Server Error” for them.

The solution was obvious – only let computers from within the mapbuzz domain email tickets.  But figuring out how to do it was another thing.  The problem with not having a full-time admin is that there is always a huge startup cost in fixing IT problems as you rack your brain trying to remember how some complex piece of software works.  In this case it was Postfix, and after an hour of rummaging through the manuals, we finally discovered the right incantation.  Undoubtedly there are other ways to do this, and probably better ways, but we added the following line to the Postfix access table roleaccount_exceptions:

```
# Only allow sending to trac from local domain
trac@mapbuzz.com permit_mynetworks,reject
```

Or in English, only machines in the MapBuzz domain can send tickets to Trac. And voilà – no more spam!
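To make the semantics of that one line concrete, here is an added example (mine, not code from the post or from Postfix) that models how Postfix evaluates an access(5) table whose right-hand side is a restriction list: the recipient is looked up as the full address, then the domain, then the local part, and the restriction list is walked left to right until one of them returns PERMIT or REJECT. The `mynetworks` ranges and the client addresses are constructed for illustration; the table text is the line from the post. It assumes, as Postfix requires, that the table is compiled with `postmap` and referenced from `smtpd_recipient_restrictions` with `check_recipient_access`.

```python
"""Model of a Postfix access(5) lookup with a restriction-list result.

Added example, not the original post's code nor Postfix's own code.
Assumption: /etc/postfix/roleaccount_exceptions is compiled with
`postmap` and consulted via
    smtpd_recipient_restrictions = ..., reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/roleaccount_exceptions, ...
"""
import ipaddress

# The access table from the post (same format as the real file).
ACCESS_TABLE = """\
# Only allow sending to trac from local domain
trac@mapbuzz.com permit_mynetworks,reject
"""

# Constructed stand-in for the Postfix `mynetworks` setting
# (RFC 5737 documentation range, not MapBuzz's real addresses).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]


def parse_access_table(text):
    """Return {key: [restriction, ...]}; '#' lines and blanks are ignored.

    Postfix accepts restriction lists separated by commas and/or spaces,
    so both separators are normalised here.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.replace(",", " ").lower().split()
    return table


def in_mynetworks(client_ip, networks=MYNETWORKS):
    """True if the SMTP client address falls inside any mynetworks range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def evaluate(restrictions, client_ip):
    """Walk a restriction list; the first PERMIT or REJECT decides.

    'DUNNO' means this list made no decision and the remaining entries of
    smtpd_recipient_restrictions would be consulted.
    """
    for name in restrictions:
        if name == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return "PERMIT"
        elif name in ("permit", "ok"):
            return "PERMIT"
        elif name == "reject":
            return "REJECT"
        elif name == "dunno":
            return "DUNNO"
        else:
            raise ValueError(f"restriction not modelled here: {name}")
    return "DUNNO"


def check_recipient_access(table, recipient, client_ip):
    """Look up recipient as user@domain, then domain, then user@ (access(5))."""
    local, _, domain = recipient.lower().rpartition("@")
    for key in (recipient.lower(), domain, local + "@"):
        if key in table:
            return evaluate(table[key], client_ip)
    return "DUNNO"


if __name__ == "__main__":
    table = parse_access_table(ACCESS_TABLE)
    for rcpt, ip in [("trac@mapbuzz.com", "192.0.2.10"),   # inside mynetworks
                     ("trac@mapbuzz.com", "203.0.113.5"),  # outside: spam path
                     ("other@mapbuzz.com", "203.0.113.5")]:  # no rule: DUNNO
        print(f"{ip} -> {rcpt}: {check_recipient_access(table, rcpt, ip)}")
```

Two points the model makes visible: the rule is only as tight as `mynetworks` (if a relay or proxy in front of Postfix is listed there, every sender it forwards is "local"), and a PERMIT from an access table ends evaluation of `smtpd_recipient_restrictions`, so keep `reject_unauth_destination` ahead of the `check_recipient_access` entry.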

  1. Anders
    January 29, 2008

    The reason I knew that the web forms weren’t the source of the spam is that I added a “User-agent: * Disallow: /” blanket [robots.txt](http://trac.mapbuzz.com/robots.txt), and since the entire point of the web form spam is to get a bunch of links that point at spam sites crawled by Google, if Google isn’t going to crawl the site, the spam posters can stop bothering us. I assume that the bots that spam web forms follow robots.txt in the same way that Google does to make sure that time is spent on sites that are crawled by Google. Since we don’t even want Google to be on our Trac installation, it was an easy thing to fix in a very final way.

