Spammers have started attaching copies of their pills ‘n’ porn ‘n’ pump ‘n’ dump pages to Bugzilla installations, and using the resulting attachment URLs in their spam to get around domain blacklists: the link points at a reputable Bugzilla domain rather than at the spammer’s own. The attached copies contain an obfuscated JavaScript redirect which takes the user on to the main spammer site. Example.
How do we combat this while giving the least inconvenience to legitimate users?
We can distinguish genuine users from “unknowns” by saying that anyone with any sort of permission bit (e.g. canconfirm, editbugs) is a genuine user. But that doesn’t help the first-time bug filer. Banning attachments from such users outright is very intrusive: they may well have a screenshot or a logfile they need to include.
The obvious fix is to say “OK, if you upload an attachment with any MIME type the browser renders inline and which can contain script (text/html being the main one), we’ll switch the stored type to text/plain; then a triager can come along and put it back if they agree the upload is genuine.” Neat and simple.
However, that founders on IE’s words-fail-me content sniffing, which will happily render a file served as text/plain as HTML if the content looks like HTML, because it thinks it knows better than you. Grr. Snarl.
Not-as-good plan B is to invent our own MIME types, application/x-bugzilla-upload-text and application/x-bugzilla-upload-binary, which would be set by default on all uploads from non-permissioned people. When actually serving the content, we’d detect IE and send Content-Disposition: attachment (to force a download rather than a render), and for everyone else we’d serve the file as text/plain or application/octet-stream, as appropriate.
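Here is what the two halves of that plan look like as code: the upload-time decision from the “obvious fix” (downgrade the stored type for non-permissioned uploaders) and the serve-time decision from plan B (placeholder types come back as text/plain or application/octet-stream, with a forced download for IE). This is an added illustration, not Bugzilla’s code; the placeholder type names come from the post, while the list of scriptable types, the user-agent test and the function names are my assumptions. The X-Content-Type-Options: nosniff header is also not part of the post’s plan: it is a later addition that IE8+ and current browsers honour to switch off exactly the sniffing complained about above, so it is sent as belt and braces alongside the forced download rather than instead of it.

```python
"""Attachment type quarantine for untrusted uploaders (added example, not Bugzilla code)."""
import re

# Types a browser renders inline that can carry script. Constructed list (assumption);
# image/svg+xml is included because SVG documents can contain <script>.
SCRIPTABLE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# Placeholder types from the post's plan B.
UPLOAD_TEXT = "application/x-bugzilla-upload-text"
UPLOAD_BINARY = "application/x-bugzilla-upload-binary"


def base_type(content_type):
    """Strip parameters and normalise case: 'Text/HTML; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def type_to_store(declared_type, uploader_trusted):
    """Upload-time decision: what MIME type to record for this attachment.

    Trusted uploaders (anyone with a permission bit) keep their declared type.
    Everyone else gets a placeholder type that no browser will render inline;
    a triager can later overwrite it with the real type.
    """
    ctype = base_type(declared_type)
    if uploader_trusted:
        return ctype
    if ctype.startswith("text/") or ctype in SCRIPTABLE_TYPES:
        return UPLOAD_TEXT
    return UPLOAD_BINARY


def is_internet_explorer(user_agent):
    """Crude UA test (assumption: the MSIE token or the Trident engine token is enough)."""
    return bool(re.search(r"MSIE |Trident/", user_agent or ""))


def response_headers(stored_type, user_agent, filename):
    """Serve-time decision: returns (content_type, extra_headers) for an attachment.

    Placeholder types are served as text/plain or application/octet-stream. IE also
    gets Content-Disposition: attachment, because it sniffs text/plain and would
    render the HTML anyway; the nosniff header covers IE8+ and modern browsers.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    if stored_type not in (UPLOAD_TEXT, UPLOAD_BINARY):
        return stored_type, headers  # trusted or triager-approved type: serve as-is
    if stored_type == UPLOAD_TEXT:
        content_type = "text/plain; charset=utf-8"
    else:
        content_type = "application/octet-stream"
    if is_internet_explorer(user_agent):
        # Keep the filename boring so it cannot smuggle header syntax.
        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    return content_type, headers


if __name__ == "__main__":
    # Constructed sample uploads and user agents.
    IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
    for declared, trusted in [("text/html; charset=utf-8", False),
                              ("text/html", True),
                              ("image/png", False),
                              ("image/svg+xml", False)]:
        stored = type_to_store(declared, trusted)
        print(declared, "trusted" if trusted else "untrusted", "->", stored)
        for ua in (IE7, FIREFOX):
            print("   ", ua.split()[0], response_headers(stored, ua, "spam.html"))
```

Note that a permission bit is the only thing that turns the quarantine off: a triager who agrees the upload is genuine resets the stored type to the real one, and from then on response_headers passes it through untouched.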
Anyone got any better ideas?