ccornell - OpenOffice.org wrote:
have been looking at the database layout underneath the wiki,
http://upload.wikimedia.org/wikipedia/commons/4/41/Mediawiki-database-schema.png
which shows that the user's validated email address is there, in some
form. We should access that, and complain to the ISP involved.
There is a real risk of privacy problems if we go this route. We would
be opening up the database and extracting email addresses... something
I'm not so keen on doing... assuming they are not encrypted.
Since this is about a three-minutes-per-month activity, I see no need to
extend the ability to do it beyond the existing Bureaucrats / root
access capable. This could easily be triggered by monitoring the block log.
The task involves:
1) Logging on as root;
2) Running a script;
3) Filling in the user name;
4) Copying the email address.
Then as below, with abuse.net, and a canned email to send.
Whose privacy are you concerned with, here? The banned user has surely
forfeited any privacy right. Other users could be looked up in the same
way, but that's true now, if we assume a malevolent Bureaucrat (or is
that redundant ;-) )
The schema-pic shows several email-related fields in the database. I
would presume that at least one is encrypted; maybe they all are.
However, the code has to use the address, for outgoing emails (unlike a
password, which can be kept in one-way encryption, and just matched).
Therefore, there is decryption code (or plain-text representation)
available, and it shouldn't be hard to find or use.
2) look up the complaint address on http://www.abuse.net/
One click takes you to the lookup page, where you supply the ISP, and
they supply the complaint address (usually, "ab...@whatever")
3) send them a note describing the user's undesirable actions. The
usual response from well-known ISPs is a return note saying that the
account has been cancelled.
Has this ever really worked? Especially in the case of most spams
coming via ISPs in countries that do not care to enforce any kind of
good internet behavior. I've tried this in the past... and only once
did I ever get a response. As well... IPs and emails are forged,
spammers often appear on a trackable point (eg a specific email account
or ISP) for one wave of spam, and then move on. Or they use a
compromised Windows machine or email account to validate the accounts on
the Wiki.
Basically, I'm not convinced reporting them will actually work, or that
it's worth the effort and risk of opening up the database and extracting
account information.
Yes, it really works. I get little spam, and fire off complaints for
every single piece. I don't get responses from some of the ISPs, but I
(to date) never get another piece of spam from that address, either. If
I did encounter a continuing problem, I would do what abuse.net
recommends, and complain to the /ISP's/ ISP. (Recently, I've gotten two
spams--in Chinese! Their ISPs didn't answer, but I haven't gotten any
more.)
From a piece of email spam, extracting a valid address is something of
an art, involving expanding the headers. Fortunately, we don't have that
problem, since the address in the DB has to be usable, otherwise it
wouldn't have been validated.
If some machine or account has been compromised, it is important (IMHO)
to let the owner know about that. The spammers may move on, but who says
they won't be back?
And again, I don't see the risk, here. According to Sun's privacy
statement, we have the right to use the information for administrative
purposes--which this is. And we are talking about email addresses, most
of which are available on the ml's, if a user posts to them; these are
not Social Security numbers, or medical records, or tax stuff.
name associated with them. This should yield at least a few entries
for those of us with clones or bots. It may show whole strings of
spammer IDs, with the same email. Again, we should complain.
We're not getting all that much spam getting through anymore. The
SpamBots are stopped by the various spam control methods that are in
place (most are anyway). There are groups of known spam Wiki IDs -
almost all of which were created a couple years ago.
C.
WRM: your efforts to purge the user DB got a lot of negative comments
(including mine), but the gist was not "Don't do it", but rather "Go
slow". IMHO, the users without validated email addresses can go
immediately. The ones with, need other criteria-checking, TBD.
One thing we might do is send "inactive" users a "Don't you love us any
more?" email; particularly if we have a good ml for them to reply to. My
bet is that we'd only get a few replies per hundred, but those are the
ones we want to hang on to :-)
--
/tj/