Posted to dev@lucene.apache.org by David Smiley <da...@gmail.com> on 2016/04/22 03:25:20 UTC

Fwd: Jira Spam - And changes made as a result.

Wow!  My reading of this is that the general public (i.e. not committers)
won't be able to really do anything other than view JIRA issues unless we
expressly add individuals to a specific project group?  :-(  Clearly that
sucks big time.  Is anyone reading this differently?  Assuming this is
true... at this point maybe there is nothing to do but wait until the
inevitable requests come in for people to create/comment.  Maybe send a
message to the user lists?

~ David

---------- Forwarded message ---------
From: Gav <gm...@apache.org>
Date: Fri, Apr 22, 2016 at 12:14 AM
Subject: Jira Spam - And changes made as a result.
To: infrastructure@apache.org Infrastructure <in...@apache.org>


Hi All,

Apologies for notifying you after the fact.

Earlier today (slowing down to a halt about 1/2 hr ago due to our changes)
we had a big Spam attack directed at the ASF Jira instance.

Many projects were affected, including :-

TM, ARROW ACCUMULO, ABDERA, JSPWIKI, QPIDIT, LOGCXX, HAWQ, AMQ, ATLAS,
AIRFLOW, ACE, APEXCORE, RANGER and KYLIN.

During the process we ended up banning 27 IP addresses, deleted well over
200 tickets, and about 2 dozen user accounts.

The spammers were creating accounts using the normal system and going
through the required captchas.

In addition to the ban hammer and deletions and to prevent more spam coming
in, we changed the 'Default Permissions Scheme' so that anyone in the
'jira-users' group is no longer allowed to 'Create' tickets and is no
longer allowed to 'Comment' on any tickets.

Obviously that affects genuine users as well as the spammers, we know that.

Replacement auth instead of jira-users group now includes allowing those in
the 'Administrator, PMC, Committer, Contributor and Developer' ROLES in
jira.

Projects would you please assist in making this work - anyone that is not
in any of those roles for your project; and needs access to be able to
create issues and comment, please do add their jira id to one of the
available roles. (Let us know if you need assistance in this area)

This is a short term solution. For the medium to long term we are working
on providing LDAP authentication for Jira and Confluence through Atlassian
Crowd (likely).

If any projects are still being affected, please notify us as you may be
using another permissions scheme to the one altered. Notify us via INFRA
jira ticket or reply to this mail to infrastructure@apache.org or join us
on hipchat (https://www.hipchat.com/gIjVtYcNy)

Any project seriously adversely impacted by our changes please do come talk
to us and we'll see what we can work out.

Thanks all for your patience and understanding.

Gav... (ASF Infra)
-- 
Lucene/Solr Search Committer, Consultant, Developer, Author, Speaker
LinkedIn: http://linkedin.com/in/davidwsmiley | Book:
http://www.solrenterprisesearchserver.com

Re: Jira Spam - And changes made as a result.

Posted by Steve Rowe <sa...@gmail.com>.
Ishan, I’ve added you as a contributor on LUCENE and SOLR.

The “whitelist all past contributors” thing makes sense, except that a) we don’t have direct access to that list, so some form of crawl/scrape would be required; b) in another message on this thread on infrastructure@a.o, the HBASE project’s list grew so large that it crashed browsers; and c) Infra said they would lift the temporary ban (like yesterday? hmm…) so hopefully soon it’ll be a non-issue.

--
Steve
www.lucidworks.com

> On Apr 22, 2016, at 8:44 PM, Ishan Chattopadhyaya <ic...@gmail.com> wrote:
> 
> Btw, how about whitelisting everyone who has commented (a non-spam comment) at a Lucene/Solr issue before?


Re: Jira Spam - And changes made as a result.

Posted by Ryan Josal <ry...@josal.com>.
Thanks Anshum!  And yeah, a whitelist like that makes sense to me too.

On Friday, April 22, 2016, Ishan Chattopadhyaya <ic...@gmail.com>
wrote:

> Btw, how about whitelisting everyone who has commented (a non-spam
> comment) at a Lucene/Solr issue before?

Re: Jira Spam - And changes made as a result.

Posted by Ishan Chattopadhyaya <ic...@gmail.com>.
Btw, how about whitelisting everyone who has commented (a non-spam comment)
at a Lucene/Solr issue before?

On Sat, Apr 23, 2016 at 6:13 AM, Ishan Chattopadhyaya <
ichattopadhyaya@gmail.com> wrote:

> Anshum, please add me as well. Thanks.

Re: Jira Spam - And changes made as a result.

Posted by Ishan Chattopadhyaya <ic...@gmail.com>.
Anshum, please add me as well. Thanks.

On Sat, Apr 23, 2016 at 6:01 AM, Anshum Gupta <an...@anshumgupta.net>
wrote:

> Hi Ryan,
>
> I've added you to the contributors group. You should be able to comment on
> JIRAs now.

Re: Jira Spam - And changes made as a result.

Posted by Anshum Gupta <an...@anshumgupta.net>.
Hi Ryan,

I've added you to the contributors group. You should be able to comment on
JIRAs now.

On Thu, Apr 21, 2016 at 8:51 PM, Ryan Josal <ry...@josal.com> wrote:

> Woah, yeah, I have filed a few bugs as well as posted patches and
> comments.  Indeed I don't seem to be able to comment anymore.  Anyone
> want to add me (rjosal) to a role that can comment or create?
>
> Ryan


-- 
Anshum Gupta

Re: Jira Spam - And changes made as a result.

Posted by Ryan Josal <ry...@josal.com>.
Woah, yeah, I have filed a few bugs as well as posted patches and
comments.  Indeed I don't seem to be able to comment anymore.  Anyone want
to add me (rjosal) to a role that can comment or create?

Ryan

On Thursday, April 21, 2016, David Smiley <da...@gmail.com> wrote:

> Wow!  My reading of this is that the general public (i.e. not committers)
> won't be able to really do anything other than view JIRA issues unless we
> expressly add individuals to a specific project group?  :-(  Clearly that
> sucks big time.  Is anyone reading this differently?  Assuming this is
> true... at this point maybe there is nothing to do but wait until the
> inevitable requests come in for people to create/comment.  Maybe send a
> message to the user lists?
>
> ~ David