[Catalog-sig] The "Softpedia" spam

Tarek Ziadé ziade.tarek at gmail.com
Thu May 6 17:03:02 CEST 2010

On Thu, May 6, 2010 at 4:50 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> Tarek Ziadé wrote:
>> Hello,
>> The Softpedia website sends an email to everyone that registers or
>> uploads something at PyPI. This is clearly spam and their website
>> doesn't care about our projects.
>> I am not sure if they use the PubSubHubbub thing, but I was wondering
>> how we could prevent these unsolicited mails.
>> If they use PubSubHubbub, maybe we could set up a black list of
>> subscribers people can manage at their level,
>> if they reconstruct the emails by reading the RSS feed, maybe we
>> should not publish this info (even with the @ transformed into " at
>> ").
> Unfortunately, that's what you get when providing APIs to extract
> all the data from PyPI.
> Not even the terms on the PyPI service can be used to prevent
> that (something I'll try to change now that I'm on the PSF board
> again).
> We should really disallow redistribution of the PyPI meta data
> and uploads without prior written consent from the PSF.

Well the problem is not about the distribution of the metadata because
for OSS projects, you'll always have your email somewhere in the tarball.

I am not sure what you want to do at PSF level, but I wouldn't want the PSF to
restrict the usage of my own project info if I upload it at PyPI. PyPI
is just *one* recipient for projects and doesn't own people's data.

The problem is about the usage of the APIs PyPI provides: Softpedia
has set up an automatic process that gets triggered every time
something is uploaded.

So it's all about spam, as usual. If we can control how the APIs are
used, we will defeat this bot.

What I propose is:

- set up authentication for the XML-RPC APIs, in order to control
  this. If a user starts to use XML-RPC calls in his bots, it's easy
  to shut it down.

- set up a restricted list of subscribers for the PubSubHubbub
  protocol (I am not sure if this protocol supports authentication,
  but I guess we can set something up)

- avoid displaying any email or derived emails on anonymous pages

> --
> Marc-Andre Lemburg
> eGenix.com
> Professional Python Services directly from the Source  (#1, May 06 2010)
>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>           Registered at Amtsgericht Duesseldorf: HRB 46611
>               http://www.egenix.com/company/contact/

Tarek Ziadé | http://ziade.org
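
A sketch of the three controls proposed in the message above, as an added example that is not part of the original post and is not PyPI's code. The key store, the subscriber host list, the function names and all sample values are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data (assumptions): only key hashes are stored, never raw keys.
API_KEYS = {
    hashlib.sha256(b"key-alice").hexdigest(): {"owner": "alice", "revoked": False},
    hashlib.sha256(b"key-bot").hexdigest(): {"owner": "mailer-bot", "revoked": True},
}
ALLOWED_SUBSCRIBER_HOSTS = {"mirror.example.org"}   # hypothetical allow list
EMAIL_FIELDS = ("author_email", "maintainer_email")  # assumed metadata field names


def authenticate(api_key):
    """Return the key owner, or None if the key is missing, unknown or revoked."""
    if not api_key:
        return None
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, record in API_KEYS.items():
        if hmac.compare_digest(stored, digest) and not record["revoked"]:
            return record["owner"]
    return None


def xmlrpc_call(api_key, method, handler, *args):
    """Gate an XML-RPC method behind a key so one abusive client can be shut off."""
    if authenticate(api_key) is None:
        raise PermissionError(f"{method}: valid API key required")
    return handler(*args)


def subscription_allowed(callback_url):
    """Accept a hub subscription only for https callbacks on an exact listed host."""
    parts = urlsplit(callback_url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_SUBSCRIBER_HOSTS


def public_view(release, authenticated):
    """Drop e-mail fields from release metadata rendered on anonymous pages."""
    if authenticated:
        return dict(release)
    return {k: v for k, v in release.items() if k not in EMAIL_FIELDS}
```

Revoking a key is a one-field change in the store, which is the "easy to shut it down" property the first proposal asks for; the host check compares the parsed hostname exactly, so a look-alike suffix domain does not pass.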
