Hi, I would like to suggest a captcha only on user registration. And some time/quantity limit for some actions, like said before: 10 "out of date" within an hour (a real user takes time to verify that a package is really out of date; and this rate does not block real people from helping to verify packages). And maybe a history of the IPs and usernames associated with them will help to analyze how he is working...

---
Eduardo M. Machado

2013/3/13 Felix Yan <felixonmars@gmail.com>
On Wednesday, March 13, 2013 11:48:50 Maxime Gauduin wrote:
On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
Status quo:
06:54 < gtmanfred> ok, it really is time for something else
06:54 < gtmanfred> the spammer is now creating a new account for every comment and flag out of date
The account suspension feature does not help here.
Options:
* Allow package maintainers to block the "Flag package out-of-date" feature for a certain amount of time. Note that this might eventually cripple the "out-of-date" function. Also, this does not work for comments.
* Use CAPTCHAs during account registration. We could either use MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
* Moderate new accounts. Might be a lot of work. We need some TUs that review and unlock accounts. Also, it might be hard to distinguish a spam bot from a regular user. If we require a short application text, this might result in fewer users joining the AUR.
* Block IP addresses. Bye-bye, Tor users!
Comments and suggestions welcome! We need to find a proper solution as soon as possible!
Blocking IP addresses would be the most effective and require the least work imho. Here's how I'd do it:
Add a 'TOR user' checkbox on the 'My account' page to state whether the user uses TOR or not, and ask the same question during the creation of new accounts.
All new and existing accounts not using TOR are automatically whitelisted.
All new or existing accounts using TOR are automatically blacklisted, and have to send a request to aur-general so they can be granted a special status which bypasses the IP verification.
Give TUs more super powers so they can blacklist or whitelist users/IPs.
What do you think?
Cheers.
And there're thousands of free proxy lists with millions of available candidate IPs, I don't really think this could stop the spammers.
So IMHO I'd +1 for captchas (though hate it a lot).
And maybe some more captchas than just in registering: (just examples)
* 5th or more out-of-date flags in a day
* 5th or more comments (in different packages) in a day
* 5th or more same comment sentence
This should not bother existing users too much.
But nothing could really stop him if he still hates us so much and registers & posts manually, just as suggested before.
Felix Yan
Twitter: @felixonmars
Wiki: http://felixc.at
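The limits floated in this thread (a cap of 10 out-of-date flags per hour, and a CAPTCHA from the 5th flag, the 5th commented package, or the 5th identical comment in a day) can be expressed as per-account sliding-window counters. The sketch below is an added example, not AUR code and not code from any poster; the class and method names are hypothetical, and counting identical comments over one day is an assumption.

```python
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400

class ActionThrottle:
    """Per-account sliding windows; returns 'allow', 'captcha' or 'deny'."""

    def __init__(self):
        self.flags = defaultdict(deque)     # user -> flag timestamps
        self.comments = defaultdict(deque)  # user -> (timestamp, package, text)

    @staticmethod
    def _prune(events, now, window, ts=lambda e: e):
        # Drop events that have slid out of the window.
        while events and ts(events[0]) <= now - window:
            events.popleft()

    def flag(self, user, now):
        q = self.flags[user]
        self._prune(q, now, DAY)
        if sum(1 for t in q if t > now - HOUR) >= 10:
            return "deny"                   # more than 10 flags within an hour
        q.append(now)
        return "captcha" if len(q) >= 5 else "allow"  # 5th or later flag today

    def comment(self, user, package, text, now):
        q = self.comments[user]
        self._prune(q, now, DAY, ts=lambda e: e[0])
        norm = " ".join(text.lower().split())  # ignore case and spacing tricks
        q.append((now, package, norm))
        packages = {p for _, p, _ in q}
        same = sum(1 for _, _, t in q if t == norm)
        return "captcha" if len(packages) >= 5 or same >= 5 else "allow"

if __name__ == "__main__":
    # Constructed input: one account flagging a package once per second.
    throttle = ActionThrottle()
    for i in range(11):
        print(i + 1, throttle.flag("constructed-user", 1000 + i))
```

Because the counters are keyed by account, they only slow a spammer who reuses accounts; the registration CAPTCHA discussed above is what addresses the one-account-per-action pattern.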