A few months ago we opened-up our JIRA instance for anonymous access so that our customers can comment on and create issues without having to log-in into JIRA (reason for that being that we only have a 25 users license and cannot afford an unlimited user license).
Unfortunately yesterday a spambot detected our page and created > 1.500 spam comments over night. The only solution I saw was to revoke the permission for anonymous comments again.
Isn't there another possibility to protect against spammers? Captcha system, moderated comments, spam-detection,...
Yes I did consider using JIRA Service Desk, but that's not quite what we would require, because
a) for more direct user support we have set-up a bulletin board which our users simply use to post their support requests. This has the advantage of user <-> user support
b) I'm convinced that JIRA Service Desk is a nice addition to JIRA, if you have a dedicated support team/process in the company for direct customer support. But this is not the case for our company.
Therefore we determined JIRA Service Desk is nothing we would require/use at the current time.
Since you mentioned customers - have you taken a look at JIRA Service Desk to see if that would help you? The licensing is different so you'd only have to pay for "agents"....
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
As a temporary workaround I've updated our workflow blocking comments on issues which a spambot is creating spam for individually and found this useful post from @Henning Tietgens with a way to clean-up existing comments: https://answers.atlassian.com/questions/194260
In-case this is helpful for someone else, I've put-together a blog post to show the steps I did to clean-up the spam: http://www.luke1410.de/blog/?p=29
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello @Stefan Hett. Can you share the steps in how you updated your workflow in "blocking comments on issues which a spambot is creating spam for individually" and maybe elaborate a bit on how this affects all my JIRA tickets. Are you basically not allowing comments to be posted after a ticket is closed status (how)?
We are having an issue with just one of our closed tickets and a handful of spam comments that are ramping up as of two days ago. If the blocking keeps comments from being posted, then you would be providing a very valuable way to block spam so that ticket comments and reporter/watchers emails of a particular ticket or ticket status will not get spammed.
Thank you in advance!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hopefully I'll find the time to finish writing the blog post describing this in detail at some point.
In principle what we did was to add two more workflow steps: "Closed (blocked)" and "Open (blocked)".
These steps correspond to our normal main workflow steps (i.e. "Closed" and "Open").
The steps then set the jira.permission.comment.user property to denied.
That way you get a new workflow transition which you can use on individual issues which are attacked by a spam bot to disable the comment functionality on just these issues.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for the tips!
In waiting I reached out to support and their instructions were this:
"If you want to block the comment operation in an issue based on the status, you need to add the property jira.permission.comment.denied with the value denied to the workflow status."
So for those reading, Edit workflow and go to the Closed status and click View Properties (you must edit workflow first). Then click Add:
Property Key: jira.permission.comment.denied
Property Value: denied
After I added the property to my Closed workflow status that kept Anonymous email from entering back through that ticket (and any others that may follow that workflow). You'll know when this property is in affect when the Comment box at the bottome of a ticket profile no longer appears.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
 
 
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.