#22435 closed defect (wontfix)
Emails on JOSM's Trac have been extracted and used to SPAM
Reported by: | | Owned by: | stoecker |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Trac | Version: | |
Keywords: | | Cc: | |
Description
I use a different email address for each service.
6 years ago, I used the email santiago-josm.openstreetmap.de-5195b at flanera.net to create a ticket here. Today, I've received a SPAM on that address. Checked my SPAM archive and found another one to this address on Apr 26.
Not sure what actions you should take, but I would assume that the Trac has been compromised. Is it updated?
Attachments (2)
Change History (19)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
If you're using e-mail addresses in the wiki instead of registering then these are visible to registered users. Also spammers are able to register and thus e-mail addresses aren't 100% secure. There are also some cases where other actions expose addresses.
We thus suggest using accounts instead of direct e-mails, as in this case only the server backend knows the address. Everybody else only sees the account name.
See this text on the start page of JOSM:
> But logging in has advantages: Mail is sent for changes in your bug tracker tickets. This is possible by entering an e-mail as a username in the tickets too, but then be aware that the address is openly visible and you are unable to change that later.

From time to time a manual process is started to convert e-mail addresses to account names with identical addresses to reduce the effect of previously provided mail addresses.
comment:4 by , 3 years ago
We should probably synchronize that text to the newticket page then.
In any case, don't be shy :) Please let us a way to contact you if needed (either by creating an account or entering your e-mail address below (it won't be publicly visible but will allow us to reach you, and you will be notified about ticket progress).
follow-up: 6 comment:5 by , 3 years ago
Sounds sensible. Please propose a text. Should be added to the standard translation efforts BTW.
follow-up: 9 comment:6 by , 3 years ago
Replying to stoecker:
> Sounds sensible. Please propose a text. Should be added to the standard translation efforts BTW.

Do we have a standard way to do that for stuff like that? I'd guess adding a `marktr` somewhere in the source code would work, but probably isn't the right solution.
Possible alternatives (replacing only "it won't be publicly visible but will allow us to reach you"):
- it will only be visible to those with accounts in order to allow us to reach you
- it will not be available to non-logged in users, but will allow us to reach you
- anonymous users will not be able to see it, but will allow us to reach you
I'll reach out to my coworkers and see if they have ideas.
comment:7 by , 3 years ago
Nevermind. I think this might just be something that happens when a ticket can be set to `needinfo`. I just checked with a bot account, and I didn't see @santiago-josm.openstreetmap.de-5195b email in this ticket, but I did see it in his ticket when I was modifying it.
follow-up: 10 comment:8 by , 3 years ago
I'd tend to "it will not be available to non-logged in users, but will allow us to reach you".
comment:9 by , 3 years ago
I think that there are a couple of typos in that text. Not sure about the first one, as English is not my first language.
- "Please let us a way to contact you if needed" -> "Please let us contact you if needed"
- There are 2 opening parentheses but only one closing the nested parentheses :) We could use brackets.
[if you enter your email without creating an account you will be notified about ticket progress, but note that it will be visible to logged users]
I think that there is no need to repeat that "we may contact you".
follow-up: 11 comment:10 by , 3 years ago
Replying to stoecker:
> I'd tend to "it will not be available to non-logged in users, but will allow us to reach you".

Fair enough. I just checked without logging in (as anonymous), and it looks like the `need info` option is still showing the email. Did we self code that?
comment:11 by , 3 years ago
Replying to taylor.smock:
> Replying to stoecker:
>> I'd tend to "it will not be available to non-logged in users, but will allow us to reach you".
>
> Fair enough. I just checked without logging in (as anonymous), and it looks like the `need info` option is still showing the email. Did we self code that?

No. But there is a technical reason for that which is not so easy to solve. You'd need virtual entries and a mapping and it is more logical and simpler to use an account.
comment:12 by , 3 years ago
Changed it now to:
In any case, don't be shy :) Please let us contact you if needed (either by <a href="register">creating an account</a> or entering your e-mail address below which is normally not visible, but can be extracted in specific situations), and you will be notified about ticket progress.
follow-up: 14 comment:13 by , 2 years ago
I would love to be able to register.
My attempts to register have been rejected as spam.
Some of the tickets I have submitted: #20840, #20712, #20178, #20160, #19695, #19362, #16575, #15605, #15040, #15039, #14894, #14893, #14579.
I would be grateful if you could apply the process referred to in comment:2, to create an account for me please.
follow-up: 15 comment:14 by , 2 years ago
Replying to ar2988-os@…:
> I would love to be able to register.
> My attempts to register have been rejected as spam.

I don't see any attempts from you in the logs, only this text. Retry so I see what goes wrong.
by , 2 years ago
Attachment: | Screenshot 2022-11-24 at 9.45.58 pm.png added |
---|
by , 2 years ago
Attachment: | Screenshot 2022-11-24 at 9.47.24 pm.png added |
---|
comment:15 by , 2 years ago
Replying to stoecker:
> I don't see any attempts from you in the logs, only this text. Retry so I see what goes wrong.

Done (with IP address 109.249.184.183). After clicking on the `submit` button I get this:
And after successfully completing the Captcha and clicking on `submit` again, I get this:
comment:16 by , 2 years ago
Ah. That's interesting. Your submission is so bad, that you don't even reach the logs ;-)
I created an account for you. Please change the password.
The subjects of the 3 emails I've received in this address are all related (found another one received on the 8th of Sept)