Bugzilla Spam Removal

Intro

bugzilla_spammer.rb is a Ruby script that helps you remove spam from your Bugzilla instance. It is released under GPL v2 and is intended to be used with Bugzilla 2.22.

Rationale

Around April 2007, people started having lots of problems (see References) with spammers adding spam as attachments to existing bugs in their bugzilla bug tracking databases. I didn't notice the problem until Solid started having problems in July 2007. I was used to cleaning out spam every day from Solid's forums, but dealing with spam in bugzilla is extremely annoying.

Bugzilla 2.22 and older have no way to do basic spam cleanup, such as deleting a user, deleting bugs, deleting attachments, and deleting comments. Spammers like to create attachments on existing bugs. Those attachments contain HTML spam and can be reached by direct URL, bypassing normal bugzilla use altogether. This allows the spammer to include those URLs in email spam that they send to people, thus using your bugzilla server as a spam file server.

Bugzilla 3.0 tries to add in some basic support for deleting attachments, but you need to remove them one at a time (multiple clicks per removal) and comments still can't be removed. Users can't really be removed properly because you get warnings about causing referential integrity problems in your database. While this is minimally better than the situation in 2.22, it's still completely inadequate and wasn't worth the effort for me to upgrade our production systems just for that feature.

What Bugzilla really needs is full application support for protecting against the increasingly sophisticated methods that spammers use to bypass applications. It would be much better to stop spam from getting into bugzilla in the first place. This program does not help with that at all. It does, however, provide a simple way for you to remove the junk created by spammers that gets entered into your bugzilla, once it is there.

How the program works

You run the script by specifying an email address which is a spammer. Make sure that you specify the correct email address! All bugzilla bugs, attachments, comments, and bug activities that were created/modified by the spammer will be removed, without causing any referential integrity problems in your database. The bugzilla_spammer.rb removes the data directly from your MySQL database instance and does not use bugzilla itself at all.
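An added example (not part of bugzilla_spammer.rb or of the original page) that models the cleanup described above as a dry run over in-memory rows, so you can see how much a given email address would take with it before anything is deleted. The table and column names are assumed from the Bugzilla 2.22 schema, and every row is constructed sample data.

```ruby
# Added example: a dry-run model, not bugzilla_spammer.rb's own code.
# Table/column names assume the Bugzilla 2.22 schema; all rows are constructed.
DB = {
  profiles: [{ userid: 1, login_name: 'dev@example.org' },
             { userid: 2, login_name: 'spammer@example.net' }],
  bugs: [{ bug_id: 10, reporter: 1 },
         { bug_id: 11, reporter: 2 }],                           # filed by the spammer
  attachments: [{ attach_id: 100, bug_id: 10, submitter_id: 2 }, # spam on a real bug
                { attach_id: 101, bug_id: 10, submitter_id: 1 }],
  longdescs: [{ bug_id: 10, who: 1 }, { bug_id: 10, who: 2 },
              { bug_id: 11, who: 2 },
              { bug_id: 11, who: 1 }],                           # real reply on a spam bug
  bugs_activity: [{ bug_id: 10, who: 2, attach_id: 100 },
                  { bug_id: 10, who: 1, attach_id: nil }]
}.freeze

# Returns what a cleanup for +email+ would remove, without deleting anything.
def removal_plan(db, email)
  matches = db[:profiles].select { |p| p[:login_name] == email }
  # A typo must fail here rather than select nothing or the wrong account.
  raise ArgumentError, "no single account matches #{email}" unless matches.size == 1
  uid = matches.first[:userid]

  bug_ids = db[:bugs].select { |b| b[:reporter] == uid }.map { |b| b[:bug_id] }
  # A row goes if the spammer wrote it or if it hangs off a bug being removed.
  doomed = ->(row, author) { row[author] == uid || bug_ids.include?(row[:bug_id]) }
  att_ids = db[:attachments].select { |a| doomed.call(a, :submitter_id) }
                            .map { |a| a[:attach_id] }
  comments = db[:longdescs].select { |c| doomed.call(c, :who) }
  activity = db[:bugs_activity].select do |a|
    doomed.call(a, :who) || att_ids.include?(a[:attach_id])
  end

  { bugs: bug_ids, attachments: att_ids,
    comments: comments.size, activity: activity.size,
    # Comments by other users that disappear along with the spammer's bugs.
    collateral_comments: comments.count { |c| c[:who] != uid } }
end

p removal_plan(DB, 'spammer@example.net') if __FILE__ == $PROGRAM_NAME
```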

System Requirements

  • Operating System: Tested on Linux (Fedora 7) but should work on any UNIX-like environment that has Ruby installed. It might even work on Windows, but that is untested.
  • Language: Ruby; tested on version 1.8.6.36 but any version that includes optparse should be fine. If using Fedora, you can do: "yum install ruby ruby-libs".
  • Ruby Dependencies: MySQL/Ruby. If using Fedora, you can do: "yum install ruby-mysql".
  • Bugzilla version: Any recent Bugzilla 2.x should work; tested with Bugzilla 2.22.
  • MySQL version: any MySQL 5.0.x should work; tested with version 5.0.22 on Linux.

Instructions

  • BACKUP YOUR DATA BEFORE RUNNING SCRIPT! USE AT YOUR OWN RISK! This program deletes data, and user error can cause it to delete a lot of stuff that you don't want deleted.
  • Download the file and place it on the machine which can connect to the MySQL instance that stores the data for your bugzilla instance.
  • For a list of commands:
    $ ./bugzilla_spammer.rb --help
  • Go to your bugzilla instance and login as the bugzilla administrator. Find the email address of the spammer who has created spam on your bugzilla instance.
  • Run the program, passing the necessary MySQL connection info and the email address of the spammer. Here is an example, which will remove bugs, attachments, and comments created by spammer natan@tfrmovies.com:
    $ ./bugzilla_spammer.rb -h localhost -u bugzilla -p PASSWORD_HERE -D bugzilla natan@tfrmovies.com

Download

References

Feedback

I've put out the first version of this script. It's working pretty well for me, and I'm comfortable enough with it to run it on my production instance of Bugzilla. However, mileage may vary for you. I'd be interested to hear from you if you use the script, including what platforms you have run it on, what enhancements you would like, and if you notice any problems.

Update 2007-08-21: Jan Wielemaker used bugzilla_spammer.rb on the bugzilla for SWI-Prolog (a SuSE 10.2 system running Bugzilla 2.22) and said that it works fine.

Update 2007-08-22: Alexander König didn't have Ruby installed on the server running his bugzilla system, so he ported bugzilla_spammer.rb to bash.