On Fri, 2013-03-15 at 11:17 +0100, oliver wrote:
On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
Status quo:
06:54 < gtmanfred> ok, it really is time for something else
06:54 < gtmanfred> the spammer is now creating a new account for every comment and flag out of date
The account suspension feature does not help here.
Options:
* Allow package maintainers to block the "Flag package out-of-date" feature for a certain amount of time. Note that this might eventually cripple the "out-of-date" function. Also, this does not work for comments.
* Use CAPTCHAs during account registration. We could either use MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
* Moderate new accounts. Might be a lot of work. We need some TUs that review and unlock accounts. Also, it might be hard to distinguish a spam bot from a regular user. If we require a short application text, this might result in fewer users joining the AUR.
* Block IP addresses. Bye-bye, Tor users!
Comments and suggestions welcome! We need to find a proper solution as soon as possible!
Hi, I suggest using http://www.flameeyes.eu/projects/modsec instead (and in the wiki too, so we can remove the horrible captcha). It's an Apache mod_security blacklist that reduces the spam (using DNSBL and User-Agent validation).
But blacklisting is bad too. We had already discussed this issue: if the spammer is coming from a provider who gives IPs dynamically to their users, then one spammer will be blocked and change the IP... the next user of the blocked IP then will not have access to AUR.
Ciao, Oliver
That depends on how the blacklisting is done. You can have an IP blacklist for new account creations only. Or just implement a filtering: if someone tries to create an account with a blacklisted IP, warn him that his registration will need to be moderated before he can do anything (and explain why we do this). Same if the user is behind a proxy. It's true that this won't work with dynamic IPs though, and I don't believe filtering an entire ISP range is reasonable.

Also requiring a non-disposable mail address should be the default, it's more time consuming to create a fake non-disposable address, and there are only 3 reasons to use a disposable address imho:
- you're up to no good,
- you're a privacy freak,
- you're registering to post one comment and never access your account again.

Although the second point is arguable, we hardly need these kinds of users in the AUR.

-- Maxime
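
A sketch of the registration-only filtering discussed in this thread (DNSBL lookup, moderation instead of blocking for listed or proxied clients, rejection of disposable mail domains), added here as an example and not code from the AUR or from any poster. The zone `dnsbl.example`, the domain list, the proxy-header heuristic and all function names are assumptions.

```python
import ipaddress
import socket

# Constructed sample data; a deployment would load maintained lists instead.
DISPOSABLE_DOMAINS = {"disposable.example"}
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded"}
SAMPLE_ZONE = {"1.2.0.192.dnsbl.example": "127.0.0.2"}  # 192.0.2.1 is "listed"


def dnsbl_query_name(ip, zone):
    """Reverse the address the way DNSBLs expect and append the list's zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 1.2.0.192.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone


def system_resolve(name):
    """Live lookup; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=system_resolve):
    answer = resolve(dnsbl_query_name(ip, zone))
    # Listings are answered from 127.0.0.0/8; anything else (for example a
    # resolver that rewrites NXDOMAIN) must not count as a hit.
    return answer is not None and answer.startswith("127.")


def registration_decision(ip, email, headers, resolve=system_resolve,
                          zone="dnsbl.example"):
    """Return (decision, reasons) for a new-account request only."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        return "reject", ["disposable-mail"]
    reasons = []
    if is_listed(ip, zone, resolve):
        reasons.append("dnsbl")
    if PROXY_HEADERS & {h.lower() for h in headers}:
        reasons.append("proxy")
    # Listed or proxied clients are not blocked: the account is created but
    # held for review, so an innocent user on a recycled IP can still join.
    return ("moderate", reasons) if reasons else ("allow", [])
```

Passing `SAMPLE_ZONE.get` as `resolve` runs the decision logic offline against the constructed listing.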