Trac is horribly suceptible to spambots

[anonymous]

Trac's e-mail address protection is so bad that I've never run across an installation that DIDN'T expose my e-mail to spammers. (Thankfully, I habitually use spamgourmet.com, so no permanent harm was done before I caught on)

On Trac installations where an e-mail address is required, I generally use a disposable e-mail provider or just decide not to report the bug after all. (Never a good thing for a tool that's supposed to make it easy for users to contribute constructively)

On a related but different note, I'm also starting to see Trac installations where spam is appearing in the bug list. (for example, on the GTK-Qt Theme Engine bug tracker, I had to use the change history to undo instances of legitimate bug reports being rewritten as spam) It's not directly your fault, but it does hint that maybe the defaults and/or documentation aren't trying hard enough to discourage such un-restricted operation.

[osimons]

Well, it used to be. As of current 0.11.x, a Trac installation configured to obfuscate e-mail addresses (setting/permissions) should not reveal the e-mail address anywhere. Like here on the Trac site e-mails should never be revealed through anonymous browsing.

Problem is, many sites are still running 0.10.x (or even older) that has no obfuscation at all. We cannot really force users to upgrade, but please notify such projects about the new version and suggest they install the latest version.

If you do find examples of missing obfuscation logic on up-to-date Trac installations, then please open a new ticket for that specific issue.

As far as we know, it is currently working fine.

[anonymous]

Thanks. I'll build a list of people to contact and start doing so as soon as I can make time. (Could be a while. I'm a big coursework procrastinator.)