JIRA Service Desk Signup misused by spammers

Daniel Himler
I'm New Here
March 10, 2018

Hi!

We are running JIRA Service Desk with public sign-up enabled. This is not what I want, but if we disable it, mails by customers without an account are discarded without any notice (I really would like to understand the background of this behavior, because discarding anything but confirmed spam is a no-go and will definitely not raise customer satisfaction).

A few days ago a spammer misused the sign-up function on the customer portal by putting the message content into the name field and the message recipient into the mail address field. This way the welcome mail turned into a spam mail, containing "Hello <spam content>...".

So I disabled the public sign-up and started to search for a solution to the problem like one of the following:

  • Disabling public sign-up with the possibility to send a notification to unregistered customers sending a support request via mail instead of discarding the mail silently (requesting them to sign-up before sending a mail would definitely be my preferred solution).
  • Disabling public sign-up on the portal (not the whole portal), but still be able to automatically create customer accounts when they send a mail to the support address.
  • Enabling the captcha feature until noticing that it is not available for the customer portal. I don't know what the honeypot function that's being used instead is, but it does not seem to work properly.
  • Disabling the welcome mail when users sign up via the customer portal.

But NOTHING seems to be a possible solution. I upgraded to version 3.11 when I read about the possibility to disable the "Account verification emails" just to figure out that this option seems to only work for accounts created by requests via mail.

So I enabled public sign-up again and really hope someone can shed some light on the situation for me before it gets abused again. Maybe I am misunderstanding something, maybe I made a configuration mistake. But having to decide between discarding mails from my customers or sending out spam is just unacceptable.

Thanks in advance and kind regards,
Daniel
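
The mechanism behind the abuse described above, as an added example that is not part of the question, of Atlassian's code, or of any Jira plugin: a welcome-mail builder copies the submitted display name verbatim into a mail addressed to the submitted address, so the sign-up form doubles as a mail relay; a hardened variant refuses the sign-up when the name fails a plausibility check, and the same check is reused to flag accounts that were already created that way. All thresholds, regular expressions and sample records are constructed assumptions for this example, not Jira's own limits.

```python
"""
Added example (not Atlassian's or the poster's code): the reflection problem behind the
question, shown in a tiny welcome-mail builder, plus the same check reused to flag
accounts that were already created through an abused sign-up form.
All thresholds, patterns and sample records are constructed for this example.
"""
import re
from email.message import EmailMessage

# Hypothetical thresholds; tune them for your own customer base.
MAX_NAME_LEN = 64
MAX_WORDS = 5
# Anything that looks like a link or a bare domain has no business in a display name.
URL_RE = re.compile(r"https?://|www\.|\S+\.(?:com|net|org|ru|info|biz)\b", re.IGNORECASE)
# Control characters (including CR/LF) would let the "name" spill over several mail lines.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def name_rejection_reason(name: str):
    """Return None for a plausible display name, else a short reason for rejecting it."""
    if not name or not name.strip():
        return "empty"
    if len(name) > MAX_NAME_LEN:
        return "too long"
    if CONTROL_RE.search(name):
        return "control characters"
    if URL_RE.search(name):
        return "contains a URL"
    if len(name.split()) > MAX_WORDS:
        return "too many words"
    return None


def build_welcome_mail_unchecked(name: str, email: str) -> EmailMessage:
    """The pattern the question describes: the submitted name is copied verbatim into a
    mail that goes to whatever address was submitted, so the form acts as a mail relay."""
    msg = EmailMessage()
    msg["To"] = email
    msg["Subject"] = "Welcome to the support portal"
    msg.set_content(f"Hello {name},\n\nYour customer account has been created.\n")
    return msg


def build_welcome_mail_checked(name: str, email: str) -> EmailMessage:
    """Hardened variant: do not send anything when the name fails the plausibility check."""
    reason = name_rejection_reason(name)
    if reason is not None:
        raise ValueError(f"sign-up rejected: display name {reason}")
    return build_welcome_mail_unchecked(name, email)


def signup_allowed(name: str, email: str) -> bool:
    """True when the hardened builder would actually send a welcome mail."""
    try:
        build_welcome_mail_checked(name, email)
        return True
    except ValueError:
        return False


# Constructed sample of (display name, e-mail) pairs, as they might be exported from the
# customer list after an incident like the one in the question.
SAMPLE_ACCOUNTS = [
    ("Daniel Himler", "daniel@example.org"),
    ("Great offer today, see http://example.com/deal", "victim1@example.net"),
    ("Please visit our shop for the best prices in town", "victim2@example.net"),
    ("Maria Lopez", "maria@example.org"),
]


def flag_suspicious_accounts(accounts):
    """Return (email, name, reason) for every account whose display name fails the check."""
    flagged = []
    for name, email in accounts:
        reason = name_rejection_reason(name)
        if reason is not None:
            flagged.append((email, name, reason))
    return flagged


if __name__ == "__main__":
    spam_name, target = SAMPLE_ACCOUNTS[1]
    # The unchecked builder happily produces "Hello <spam content>,..." for the victim.
    print(build_welcome_mail_unchecked(spam_name, target).get_content())
    print("allowed by hardened builder:", signup_allowed(spam_name, target))
    for row in flag_suspicious_accounts(SAMPLE_ACCOUNTS):
        print(row)
```

The heuristic is deliberately coarse: the point is that a welcome mail must never be sent until the name has been judged plausible, and that the same judgement can be run over an exported customer list to find the accounts a spammer already created. A CAPTCHA, as discussed in the answers, addresses the automation; the check here addresses the content that gets reflected.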

2 answers

1 accepted

1 vote
Answer accepted
Craig Castle-Mead
Rising Star
March 10, 2018

Sounds like we got a similar action around the same time.

To help minimize this, we implemented a simple nginx rule that seems to be stopping what we don't want to happen, but not impacting anything else.

NB: please test in a non-prod environment as this may not be exactly what you need, or, your environment may not be the same as ours

  # Send requests for the customer-portal login page (where public sign-up is reached)
  # to the core Jira login page instead; "permanent" issues a 301 redirect.
  location "/servicedesk/customer/user/login" {
     rewrite ^ https://$server_name/login.jsp?os_destination=%2Fdefault.jsp permanent;
  }

Should be similar for Apache too.

Let us know how you go

CCM

Daniel Himler
I'm New Here
March 10, 2018

Craig, thank you very much for pointing me in the right direction! I am now redirecting the generic portal login page as suggested as well as the login page of the specific portal and it looks like a viable workaround.

But I am still hoping that someone can explain to me why mails are discarded instead of rejected (because the only situation in which I can imagine such a practice would be a closed system with internal authentication, and even then it should be configurable) and tell me if it's somehow possible to send notifications instead (using a plugin would be fine with me).

Thank you once again and kind regards,
Daniel

Craig Castle-Mead
Rising Star
March 10, 2018

Glad it helped - even as an interim solution. We threw the redirect in as a basic blocking mechanism while we continue to search for a better method as well.

CCM

0 votes
Marc-Allen Johnson
March 11, 2018

We experienced a similar misuse of the sign-up page four days ago. From what I can gather on Google, Atlassian claims to have implemented a "honeypot technique" instead of CAPTCHA. But I cannot find more information about this? We might have to try your solution, Craig...

https://jira.atlassian.com/browse/JSDSERVER-4856?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

This is obviously not working then.

Rene C (Atlassian Support)
Atlassian Team
June 27, 2018

Hello! Now that the Honeypot technique is no longer effective, as of Jira SD 3.12 (also backported to 3.9.6) if the CAPTCHA is enabled for Signup in the General settings, it will also appear in the Signup page for Service Desk. This should be enough to stop spambots from creating accounts when you have the public signup enabled.

For more information, check the bug ticket JSDSERVER-5706.
