[aur-general] Fighting spam on the AUR
Status quo:

06:54 < gtmanfred> ok, it really is time for something else
06:54 < gtmanfred> the spammer is now creating a new account for every comment and flag out of date

The account suspension feature does not help here.

Options:

* Allow package maintainers to block the "Flag package out-of-date" feature for a certain amount of time. Note that this might eventually cripple the "out-of-date" function. Also, this does not work for comments.
* Use CAPTCHAs during account registration. We could either use MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
* Moderate new accounts. Might be a lot of work. We need some TUs that review and unlock accounts. Also, it might be hard to distinguish a spam bot from a regular user. If we require a short application text, this might result in fewer users joining the AUR.
* Block IP addresses. Bye-bye, Tor users!

Comments and suggestions welcome! We need to find a proper solution as soon as possible!

[1] http://www.google.com/recaptcha
On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
[...]
Blocking IP addresses would be the most effective and require the least work imho. Here's how I'd do it:

Add a 'TOR user' checkbox on the 'My account' page to state whether the user uses TOR or not, and ask the same question during the creation of new accounts.

All new and existing accounts not using TOR are automatically whitelisted.

All new or existing accounts using TOR are automatically blacklisted, and have to send a request to aur-general so they can be granted a special status which bypasses the IP verification.

Give TUs more super powers so they can blacklist or whitelist users/IPs.

What do you think?

Cheers.

-- Maxime
On Wednesday, March 13, 2013 11:48:50 Maxime Gauduin wrote:
On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
[...]
And there're thousands of free proxy lists with millions of available candidate IPs, I don't really think this could stop the spammers.

So IMHO I'd +1 for captchas (though hate it a lot).

And maybe some more captchas than just in registering: (just examples)

* 5th or more out-of-date flags in a day
* 5th or more comments (in different packages) in a day
* 5th or more same comment sentence

This should not bother existing users too much.

But nothing could really stop him if he still hates us so much and registers & posts manually, just as suggested before.

Felix Yan
Twitter: @felixonmars
Wiki: http://felixc.at
On Wed, Mar 13, 2013 at 06:59:59PM +0800, Felix Yan wrote:
On Wednesday, March 13, 2013 11:48:50 Maxime Gauduin wrote:
On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
Status quo:
[...]
* Use CAPTCHAs during account registration. We could either use MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
* Moderate new accounts. Might be a lot of work. We need some TUs that review and unlock accounts. Also, it might be hard to distinguish a spam bot from a regular user. If we require a short application text, this might result in fewer users joining the AUR.
* Block IP addresses. Bye-bye, Tor users!
Comments and suggestions welcome! We need to find a proper solution as soon as possible!
[...]
All new or existing accounts using TOR are automatically blacklisted, and have to send a request to aur-general so they can be granted a special status which bypasses the IP verification.
Give TUs more super powers so they can blacklist or whitelist users/IPs.
What do you think?
Cheers.
And there're thousands of free proxy lists with millions of available candidate IPs, I don't really think this could stop the spammers.
We could IP ban every spammer as soon as he is noticed. I assume that we will not be attacked by dozens of spammers or a botnet.
So IMHO I'd +1 for captchas (though hate it a lot).
And maybe some more captchas than just in registering: (just examples)
* 5th or more out-of-date flags in a day
* 5th or more comments (in different packages) in a day
* 5th or more same comment sentence
I do not think this is needed. We can suspend every spam account. If we find a way to stop automated account creation, I do not think there will be lots of spammers any time soon.
This should not bother existing users too much.
But nothing could really stop him if he still hates us so much and registers & posts manually, just as suggested before.

Felix Yan
Twitter: @felixonmars
Wiki: http://felixc.at
On Wed, Mar 13, 2013 at 12:23:53PM +0100, Lukas Fleischer wrote:
On Wed, Mar 13, 2013 at 06:59:59PM +0800, Felix Yan wrote:
On Wednesday, March 13, 2013 11:48:50 Maxime Gauduin wrote:
On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
Status quo:
[...]
* Use CAPTCHAs during account registration. We could either use MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
* Moderate new accounts. Might be a lot of work. We need some TUs that review and unlock accounts. Also, it might be hard to distinguish a spam bot from a regular user. If we require a short application text, this might result in fewer users joining the AUR.
* Block IP addresses. Bye-bye, Tor users!
Comments and suggestions welcome! We need to find a proper solution as soon as possible!
[...]
All new or existing accounts using TOR are automatically blacklisted, and have to send a request to aur-general so they can be granted a special status which bypasses the IP verification.
Give TUs more super powers so they can blacklist or whitelist users/IPs.
What do you think?
Cheers.
And there're thousands of free proxy lists with millions of available candidate IPs, I don't really think this could stop the spammers.
We could IP ban every spammer as soon as he is noticed. I assume that we will not be attacked by dozens of spammers or a botnet. [...]
Blocking dynamic IPs will also block users who are not spammers. So, IP blocking should be time limited. And captchas are really annoying. Maybe they should be activated only for too extreme activity.
So IMHO I'd +1 for captchas (though hate it a lot).
And maybe some more captchas than just in registering: (just examples)
* 5th or more out-of-date flags in a day
* 5th or more comments (in different packages) in a day
* 5th or more same comment sentence
[...] Captchas should be used beginning with > 5 or 10 packages an hour maybe. When Google started annoying me with Captchas (possibly because I had more than one system using the same IP... two Linux systems and one iPad) I switched away partially to different search engines. Which other service should I switch to, when AUR annoys me with captchas?
I do not think this is needed. We can suspend every spam account. If we find a way to stop automated account creation, I do not think there will be lots of spammers any time soon.
Maybe captcha could make sense in account creation. But please, not for every possible task... Maybe displaying a captcha for every keystroke ...

Ciao, Oliver
Hi, I would like to suggest a captcha only on user registering. And some time/quantity limit for some actions, like said before: 10 "out of date" within an hour (a real user takes time to verify that a package is really out of date; and this rate does not block real people from helping to verify packages).

And maybe a history of the IPs and usernames associated with them will help to analyze how he is working...

---
Eduardo M. Machado

2013/3/13 Felix Yan <felixonmars@gmail.com>
[...]
On Wed, Mar 13, 2013 at 11:48:50AM +0100, Maxime Gauduin wrote:
[...]
Blocking IP addresses would be the most effective and require the least work imho. Here's how I'd do it:
Add a 'TOR user' checkbox on the 'My account' page to state whether the user uses TOR or not, and ask the same question during the creation of new accounts.
All new and existing accounts not using TOR are automatically whitelisted.
All new or existing accounts using TOR are automatically blacklisted, and have to send a request to aur-general so they can be granted a special status which bypasses the IP verification.
Give TUs more super powers so they can blacklist or whitelist users/IPs.
What do you think?
Sounds like a reasonable suggestion to me. I don't think we need a "TOR user" check box, though. IP bans and account-based whitelists should suffice.
Cheers.
-- Maxime
Lukas Fleischer <archlinux@cryptocrack.de> wrote:
[...]
Other options:

* Deny the repeating of a specific action... e.g. you may not flag more than ten packages within ten minutes. Also block comments with same content.
* Ability to report users (dunno if already possible), autoban if enough reports.
* "Buffering actions" aka shadowban when a user gets reported, until a moderator reviews the report.
* Do whatever Reddit does, they seem to deal very well with spam.

-- Markus (from phone)
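The per-account thresholds floated in this thread (Felix: a 5th or later out-of-date flag, comment, or identical comment text in one day triggers a captcha; Eduardo: ten out-of-date flags within an hour; Markus: no more than ten flags within ten minutes and no repeated comment content) worked into one sliding-window throttle. This is an added Python example, not AUR code: the rule values are the posters', while the `ActionThrottle` class, the verdict names and the `simulate` scenario helper are constructed here.

```python
"""Sliding-window throttle for AUR-style flag/comment actions (added illustration)."""
from collections import defaultdict, deque
from dataclasses import dataclass

DAY = 24 * 3600
VERDICT_RANK = {"allow": 0, "captcha": 1, "deny": 2}


@dataclass(frozen=True)
class Rule:
    action: str    # "flag" or "comment"
    limit: int     # actions already done inside the window before the rule fires
    window: int    # seconds
    verdict: str   # "captcha" (challenge the user) or "deny" (refuse the action)


# Values are the ones proposed in the thread; the table itself is constructed.
RULES = (
    Rule("flag", 4, DAY, "captcha"),       # 5th or more out-of-date flags in a day
    Rule("comment", 4, DAY, "captcha"),    # 5th or more comments in a day
    Rule("flag", 10, 600, "deny"),         # not more than ten flags within ten minutes
    Rule("flag", 10, 3600, "deny"),        # ten out-of-date flags within an hour
)
DUPLICATE_COMMENT_LIMIT = 4                # 5th or more identical comment text


def _normalise(text: str) -> str:
    """Collapse whitespace and case so trivially re-spaced copies still match."""
    return " ".join(text.split()).lower()


def _worse(a: str, b: str) -> str:
    """Pick the stricter of two verdicts."""
    return a if VERDICT_RANK[a] >= VERDICT_RANK[b] else b


class ActionThrottle:
    def __init__(self, rules=RULES):
        self.rules = rules
        self._events = defaultdict(deque)        # (user, action) -> timestamps, oldest first
        self._comment_counts = defaultdict(int)  # (user, normalised text) -> times posted

    def check(self, user, action, now, content=None):
        """Verdict for an attempted action at time `now` (seconds): allow, captcha or deny."""
        verdict = "allow"
        history = self._events[(user, action)]
        for rule in self.rules:
            if rule.action != action:
                continue
            recent = sum(1 for t in history if now - t < rule.window)
            if recent >= rule.limit:
                verdict = _worse(verdict, rule.verdict)
        if action == "comment" and content is not None:
            if self._comment_counts[(user, _normalise(content))] >= DUPLICATE_COMMENT_LIMIT:
                verdict = _worse(verdict, "captcha")
        return verdict

    def record(self, user, action, now, content=None):
        """Register an action that actually went through (after any captcha was solved)."""
        history = self._events[(user, action)]
        history.append(now)
        longest = max((r.window for r in self.rules if r.action == action), default=DAY)
        while history and now - history[0] >= longest:   # drop events no rule can still see
            history.popleft()
        if action == "comment" and content is not None:
            self._comment_counts[(user, _normalise(content))] += 1


def simulate(user, action, n, spacing, content=None):
    """Constructed scenario: `n` actions `spacing` seconds apart; returns the verdict per attempt.
    Captcha-challenged actions are assumed to be completed; denied ones are not recorded."""
    throttle = ActionThrottle()
    verdicts = []
    for i in range(n):
        now = i * spacing
        verdict = throttle.check(user, action, now, content)
        verdicts.append(verdict)
        if verdict != "deny":
            throttle.record(user, action, now, content)
    return verdicts


if __name__ == "__main__":
    # A burst of flags every 30 s: four pass, then captchas, then refusals.
    print(simulate("spammer", "flag", 12, 30))
    # A maintainer flagging one package every six hours is never bothered.
    print(simulate("maintainer", "flag", 14, 6 * 3600))
```

Per-account limits only slow one account down; as the thread notes, they do not stop a spammer who registers a fresh account per action, which is why they are paired here with a registration-time check.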
On Wed, Mar 13, 2013 at 11:55:26AM +0100, Markus Unterwaditzer wrote:
Lukas Fleischer <archlinux@cryptocrack.de> wrote:
[...]
Other options:
* Deny the repeating of a specific action... e.g. you may not flag more than ten packages within ten minutes. Also block comments with same content.
* ability to report users (dunno if already possible), autoban if enough reports
* "Buffering actions" aka shadowban when a user gets reported, until a moderator reviews the report.
All of these do not address our current issue. We do have an account suspension feature already but that does not help if a new account is created upon every request.
* Do whatever Reddit does, they seem to deal very well with spam.
I think they use a Bayesian filter and reports. Not sure if it is worthwhile adding that to the AUR. Also, Bayes classifiers will not prevent spammers from flagging packages out-of-date. Please correct me if I am wrong in my assumptions.
-- Markus (from phone)
On Wed, Mar 13, 2013 at 11:55:26AM +0100, Markus Unterwaditzer wrote:
Other options:
* Deny the repeating of a specific action... e.g. you may not flag more than ten packages within ten minutes. Also block comments with same content.
* ability to report users (dunno if already possible), autoban if enough reports
* "Buffering actions" aka shadowban when a user gets reported, until a moderator reviews the report.
* Do whatever Reddit does, they seem to deal very well with spam.
-- Markus (from phone)
Absolutely not the autoban, then spammers could *REALLY* do some damage.

I am personally for a simple registration captcha. I doubt any spammers targeting the AUR are really invested; it's not really a high-profile target, most likely some pranksters, so a simple captcha could really help weed them out. How about implementing a registration captcha and seeing how it works before considering more complex options?

Limiting repeated actions also sounds good (if someone really needs to, e.g., flag a lot of packages, they can just drop a request here and let a TU handle it), but it doesn't really stop spammers. They'll just make more accounts.

Allen
On Wed, Mar 13, 2013 at 09:31:47PM -0400, Allen Li wrote:
[...]
Absolutely not the autoban, then spammers could *REALLY* do some damage.
I am personally for a simple registration captcha. I doubt any spammers targeting the AUR are really invested; it's not really a high-profile target, most likely some pranksters, so a simple captcha could really help weed them out. How about implementing a registration captcha and seeing how it works before considering more complex options? [...]
Captchas only for account creation, but not for other actions, I think that's good.
Limiting repeated actions also sounds good (if someone really needs to, e.g., flag a lot of packages, they can just drop a request here and let a TU handle it),
I find it annoying if it's necessary to have one web account, one mailing list account and some other accounts as well, just to perform an action. A lot of bugfixes for programs were not written just because it's too annoying to have two or three more accounts for, e.g., just reporting one bug which someone may have found "by accident" while looking at some code he/she never normally works with.

If it requires jumping over bureaucratic roadblocks to do some positive actions, it does not matter if it also blocks negative actions. People will be annoyed, and blocking just 1 ppm of idiots will annoy maybe 10% of interested/dedicated people, who then will not come back again.

The Arch way? http://www.toonpool.com/user/43/files/buerokratie_182735.jpg

Ciao, Oliver
On Wed, Mar 13, 2013 at 09:31:47PM -0400, Allen Li wrote: [...]
Limiting repeated actions also sounds good (if someone really needs to, e.g., flag a lot of packages, they can just drop a request here and let a TU handle it), but it doesn't really stop spammers. They'll just make more accounts. [...]
TU under pressure ( "... some more actions in the queue..." ): http://www.dentinic.de/images/buerokratie.jpg

Ciao, Oliver
On Thu, Mar 14, 2013 at 02:56:35AM +0100, oliver wrote:
[...]
http://www.dsi-immobilien.com/uploads/pics/Buerokratie.jpg

oh oh
On 13/03/13 06:57 PM, oliver wrote:
On Thu, Mar 14, 2013 at 02:56:35AM +0100, oliver wrote:
On Wed, Mar 13, 2013 at 09:31:47PM -0400, Allen Li wrote: [...]
Limiting repeated actions also sounds good (if someone really needs to, e.g., flag a lot of packages, they can just drop a request here and let a TU handle it), but it doesn't really stop spammers. They'll just make more accounts. [...]
TU under pressure ( "... some more actions in the queue..." ): http://www.dentinic.de/images/buerokratie.jpg [...]
http://www.dsi-immobilien.com/uploads/pics/Buerokratie.jpg
oh oh
Now you have become a source of spam.
On Wed, Mar 13, 2013 at 07:15:29PM -0700, Connor Behan wrote:
[...]
Now you have become a source of spam.
oh oh ;-) But I can stop myself... and it does not need Captchas. I know it myself, and you encouraged me to look at this, just by giving a feedback. Sorry for the traffic!
On Wed, Mar 13, 2013 at 11:33 AM, Lukas Fleischer <archlinux@cryptocrack.de> wrote:
Status quo:
06:54 < gtmanfred> ok, it really is time for something else
06:54 < gtmanfred> the spammer is now creating a new account for every comment and flag out of date
The account suspension feature does not help here.
Options:
* Allow package maintainers to block the "Flag package out-of-date" feature for a certain amount of time. Note that this might eventually cripple the "out-of-date" function. Also, this does not work for comments.
I suggest a 24-hour flag immunity for added/updated packages and a 60-minute immunity after a package gets unflagged.
* Use CAPTCHAs during account registration. We could either use MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
MAPTCHAs can be solved easily by bots, reCAPTCHA itself is evil, and image CAPTCHAs can be solved by Indians for a dollar or two per thousand images.
* Moderate new accounts. Might be a lot of work. We need some TUs that review and unlock accounts. Also, it might be hard to distinguish a spam bot from a regular user. If we require a short application text, this might result in fewer users joining the AUR.
Maybe block the ability of commenting and flagging in the first 24 hours of a user account’s existence?
* Block IP addresses. Bye-bye, Tor users!
Don’t worry, http://proxy.org is here to help our lovely spammers.

Also, is email verification necessary? If yes, block 10minutemail.com and other services of this kind. If not, make it so and see “if yes”.

--
Kwpolska <http://kwpolska.tk> | GPG KEY: 5EAAEA16
stop html mail | always bottom-post
http://asciiribbon.org | http://caliburn.nl/topposting.html
There have been exactly zero spammers on the ArchWiki since the captcha was added for registration, the last time a user had to be blocked was 2011.
Den 13-03-2013 16:31, Daniel Micay skrev:
There have been exactly zero spammers on the ArchWiki since the captcha was added for registration, the last time a user had to be blocked was 2011.
I definitely think just trying out captchas for a while and seeing what happens is the way to go. If it's all bollocks, then y'all can think up your algorithms etc. for how to prevent spammers. Captchas can be implemented rather quickly these days, so it could be done before the weekend. A lot of your other ideas probably need more coding than this, as well as probably some fine-tuning.

--
Namasté,
Frederik "Freso" S. Olesen <http://freso.dk/>
Den 13-03-2013 15:36, Kwpolska skrev:
Maybe block the ability of commenting and flagging in the first 24 hours of a user account’s existence?
I'm (wildly) guessing that most "regular" users sign up for the sake of making a comment. Requiring them to wait 24 hours before being able to do so does not seem like a brilliant idea...

--
Namasté,
Frederik "Freso" S. Olesen <http://freso.dk/>
Lukas Fleischer wrote:
[...]
How hard would it be to create an action queue for comments and flagging?

The idea would be to add a new field to the user accounts table (e.g. a boolean named "supervise"). The default value would be true for new accounts. The value could be changed by TUs and/or automatically changed after a fixed interval and/or certain actions (depending on how far you want to go with the logic).

When flagged, comments and actions would be submitted to a queue that would be accessible to TUs via a webpage with accept/reject buttons for each action.

This avoids the annoyance and data collection of captchas and it also avoids the risk of blacklisting legitimate users who share IP ranges (or some proxy) with trolls. Bonus: AUR automation tools will not be broken.

It will introduce a variable delay before actions are executed but in most cases this will probably not be more than a couple of hours given the current number of TUs.

Rejections should require a reason and the actions should be logged for a few days just to make sure no one abuses the reject button. The reason should also be sent back to the user in case of rejection so that it can be brought up here. (If that's done then logging might be unnecessary).

The accept/reject page would need the following per action:

* package ID -> page link
* action
* content of comment if applicable
* user (+email? +IP?)

Of course I have no idea of how difficult this would be technically.
On Thu, Mar 14, 2013 at 12:44:26AM +0000, Xyne wrote: [...]
How hard would it be to create an action queue for comments and flagging?
The idea would be to add a new field to the user accounts table (e.g. a boolean named "supervise"). The default value would be true for new accounts. The value could be changed by TUs and/or automatically changed after a fixed interval and/or certain actions (depending on how far you want to go with the logic).
When flagged, comments and actions would be submitted to a queue that would be accessible to TUs via a webpage with accept/reject buttons for each action.
This avoids the annoyance and data collection of captchas and it also avoids the risk of blacklisting legitimate users who share IP ranges (or some proxy) with trolls. Bonus: AUR automation tools will not be broken.
It will introduce a variable delay before actions are executed but in most cases this will probably not be more than a couple of hours given the current number of TUs. [...]
Delays in actions are worse than Captchas.

If I do something, I want immediate feedback. Otherwise I assume the system is not working and I would try again... ...maybe 3 or 5 or 10 times until I think "AUR is shit!", "Fuck Arch".

Even Captchas allow immediate feedback, even if they insist I take a detour instead of a straight way. But at least I know what's going on.

Waiting - especially if there is an unknown delay time - is the worst case.

Ciao, Oliver
oliver wrote:
Delays in actions are worse than Captchas.
If I do something, I want immediate feedback. Otherwise I assume the system is not working and I would try again... ...maybe 3 or 5 or 10 times until I think "AUR is shit!", "Fuck Arch".
Even Captchas allow immediate feedback, even if they insist I take a detour instead of a straight way. But at least I know what's going on.
Waiting - especially if there is an unknown delay time - is the worst case.
Ciao, Oliver
It wouldn't be a black box. A message would be displayed, perhaps along with some (hash-tag based) link that the user could follow to check the action's status. Slashdot comments do not appear immediately and yet people continue to post them. Besides, if the comment is clearly constructive then the account can be unflagged immediately by a TU to avoid all further delays.

The delay really should not be an issue. It is common to wait days for a reply. If an action takes a couple of hours to show up then it will not make any difference in most cases. Keep in mind that most users will not be affected by this either. It will be a temporary condition for new accounts.

All that said, I'm not even sure that I fully support this idea. I'm just exploring it.
I think that one captcha only, in the creation of an account, doesn't hurt.

And I liked the idea posted by Xyne, but with a few improvements: instead of putting actions up for TUs' review, it should be a queue of actions by users, so it can be undone rapidly and with one shot! So, if a red light is fired by a user, only in this case the TU has to act, and mark all the user's actions to be undone (checkboxes, a "mark all" button, and an undo button). In this case, all the damage made in hours by a bad user can be undone in a second by a TU.

These two solutions together should discourage such actions.

What do you think?

---
Eduardo M. Machado
Computer Engineer
Rio de Janeiro - RJ
Brasil

2013/3/13 Xyne <xyne@archlinux.ca>
Lukas Fleischer wrote:
Status quo:
06:54 < gtmanfred> ok, it really is time for something else 06:54 < gtmanfred> the spammer is now creating a new account for every comment and flag out of date
The account suspension feature does not help here.
Options:
* Allow package maintainers to block the "Flag package out-of-date" feature for a certain amount of time. Note that this might eventually cripple the "out-of-date" function. Also, this does not work for comments.
* Use CAPTCHAs during account registration. We could either use MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
* Moderate new accounts. Might be a lot of work. We need some TUs that review and unlock accounts. Also, it might be hard to distinguish a spam bot from a regular user. If we require a short application text, this might result in less users joining the AUR.
* Block IP addresses. Bye-bye, Tor users!
Comments and suggestions welcome! We need to find a proper solution as soon as possible!
How hard would it be to create an action queue for comments and flagging?
The idea would be to add a new field to the user accounts table (e.g. a boolean named "supervise"). The default value would be true for new accounts. The value could be changed by TUs and/or automatically changed after a fixed interval and/or certain actions (depending on how far you want to go with the logic).
When flagged, comments and actions would be submitted to a queue that would be accessible to TUs via a webpage with accept/reject buttons for each action.
This avoids the annoyance and data collection of captchas and it also avoids the risk of blacklisting legitimate users who share IP ranges (or some proxy) with trolls. Bonus: AUR automation tools will not be broken.
It will introduce a variable delay before actions are executed but in most cases this will probably not be more than a couple of hours given the current number of TUs.
Rejections should require a reason and the actions should be logged for a few days just to make sure no one abuses the reject button. The reason should also be sent back to the user in case of rejection so that it can be brought up here. (If that's done then logging might be unnecessary).
The accept/reject page would need the following per action:
* package ID -> page link
* action
* content of comment if applicable
* user (+email? +IP?)
Of course I have no idea of how difficult this would be technically.
On 14.03.2013 01:44, Xyne wrote:
When flagged, comments and actions would be submitted to a queue that would be accessible to TUs via a webpage with accept/reject buttons for each action.
You could let other users which have already been whitelisted approve actions. An action can require 3 approvals from normal users or one from a TU, so a spammer would require more than one whitelisted account to work alone. Once a new user has a few whitelisted actions they will also be whitelisted. Just ideas, not saying this is the way to go.
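The supervised-account queue Xyne describes above, the community-approval refinement in the reply just above, and Eduardo's one-shot undo, worked through as an added Python example. This is not code from the thread or from the AUR; the thresholds (one TU approval or three whitelisted-user approvals, three released actions before an account graduates), the field names and the in-memory store are assumptions made for the illustration.

```python
"""Moderation queue for actions from supervised AUR accounts (added example).

Models the scheme discussed in the thread:
- new accounts carry a 'supervise' flag; their comments and out-of-date
  flags are queued instead of executed;
- one TU approval, or three approvals from already-whitelisted users,
  releases a queued action;
- rejections are TU-only and require a reason, which is logged and kept
  on the action so it can be sent back to the user;
- after a few released actions the account is unflagged automatically;
- everything a flagged user has pending can be rejected in one shot.
Thresholds, names and the in-memory store are assumptions.
"""
from dataclasses import dataclass, field

TU_APPROVALS_NEEDED = 1       # assumed threshold
USER_APPROVALS_NEEDED = 3     # assumed threshold
RELEASES_TO_WHITELIST = 3     # assumed: released actions before 'supervise' is cleared


@dataclass
class User:
    name: str
    is_tu: bool = False
    supervise: bool = True    # default for new accounts, as proposed
    released: int = 0         # queued actions of this user that were accepted


@dataclass
class Action:
    id: int
    user: User
    package_id: int
    kind: str                 # "comment" or "flag_ood"
    content: str = ""
    approvals: dict = field(default_factory=dict)  # reviewer name -> is_tu
    state: str = "pending"    # pending | executed | rejected
    reason: str = ""          # mandatory on rejection, returned to the user


class ModerationQueue:
    def __init__(self):
        self._next_id = 1
        self.pending = {}     # action id -> Action
        self.executed = []    # actions that reached the package page
        self.log = []         # (action id, reviewer, verdict, reason)

    def submit(self, user, package_id, kind, content=""):
        """Trusted accounts act immediately; supervised ones are queued."""
        action = Action(self._next_id, user, package_id, kind, content)
        self._next_id += 1
        if user.supervise:
            self.pending[action.id] = action
        else:
            self._execute(action)
        return action

    def approve(self, action_id, reviewer):
        """Record an approval and release the action once a threshold is met."""
        action = self.pending[action_id]
        if reviewer is action.user:
            raise PermissionError("users cannot approve their own actions")
        if reviewer.supervise and not reviewer.is_tu:
            raise PermissionError("only TUs and whitelisted users may approve")
        action.approvals[reviewer.name] = reviewer.is_tu
        tu_votes = sum(1 for is_tu in action.approvals.values() if is_tu)
        user_votes = len(action.approvals) - tu_votes
        if tu_votes >= TU_APPROVALS_NEEDED or user_votes >= USER_APPROVALS_NEEDED:
            del self.pending[action_id]
            self._execute(action)
            self.log.append((action.id, reviewer.name, "accept", ""))
        return action.state

    def reject(self, action_id, reviewer, reason):
        """TUs only; the reason is mandatory and logged so rejections can be reviewed."""
        if not reviewer.is_tu:
            raise PermissionError("only TUs may reject")
        if not reason.strip():
            raise ValueError("a rejection reason is required")
        action = self.pending.pop(action_id)
        action.state, action.reason = "rejected", reason
        self.log.append((action.id, reviewer.name, "reject", reason))
        return action

    def reject_all_from(self, user, reviewer, reason):
        """One-shot undo: reject every pending action of a single user."""
        ids = [a.id for a in self.pending.values() if a.user is user]
        return [self.reject(i, reviewer, reason) for i in ids]

    def _execute(self, action):
        action.state = "executed"
        self.executed.append(action)
        action.user.released += 1
        if action.user.supervise and action.user.released >= RELEASES_TO_WHITELIST:
            action.user.supervise = False   # account graduates out of supervision
```

The `supervise` flag is the only per-account state the scheme needs; the queue, the approval counts and the log live beside it. Rejected actions do not count toward graduation, so an account cannot earn its way out of supervision by volume alone.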
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
[...]
Hi, I suggest to use http://www.flameeyes.eu/projects/modsec instead (and in the wiki too, so we can remove the horrible captcha). It's an Apache mod_security blacklist that reduces spam (using DNSBL and User-Agent validation).
On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
[...]
Hi, I suggest to use http://www.flameeyes.eu/projects/modsec instead (and in the wiki too, so we can remove the horrible captcha). It's an Apache mod_security blacklist that reduces spam (using DNSBL and User-Agent validation).
But blacklisting is bad too. We have already discussed this issue: if the spammer is coming from a provider who assigns IPs dynamically to their users, then one spammer will be blocked and changes the IP... the next user of the blocked IP will then not have access to the AUR.
Ciao, Oliver
On Fri, 2013-03-15 at 11:17 +0100, oliver wrote:
On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
[...]
But blacklisting is bad too. We have already discussed this issue: if the spammer is coming from a provider who assigns IPs dynamically to their users, then one spammer will be blocked and changes the IP... the next user of the blocked IP will then not have access to the AUR.
Ciao, Oliver
That depends on how the blacklisting is done. You can have an IP blacklist for new account creations only. Or just implement a filtering: if someone tries to create an account with a blacklisted IP, warn him that his registration will need to be moderated before he can do anything (and explain why we do this). Same if the user is behind a proxy. It's true that this won't work with dynamic IPs though, and I don't believe filtering an entire ISP range is reasonable.
Also requiring a non-disposable mail address should be the default; it's more time consuming to create a fake non-disposable address, and there are only 3 reasons to use a disposable address imho:
- you're up to no good,
- you're a privacy freak,
- you're registering to post one comment and never access your account again.
Although the second point is arguable, we hardly need these kinds of users in the AUR.
--
Maxime
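The registration-time filtering Maxime describes above, and Oliver's dynamic-IP objection to it, as an added Python example (not AUR code): IP reputation is consulted only when an account is created and never produces more than a "your registration will be moderated" notice, disposable mail domains are refused, and each listing carries a timestamp and expires, so an address a spammer once used is not held against its next owner for long. The address list, the proxy range, the disposable-domain set, the seven-day window and the notice text are constructed for the example.

```python
"""Registration gate that sends risky sign-ups to moderation instead of
blocking them (added example, not AUR code).

Policy modelled on the thread:
- IP list consulted at account creation only; a hit yields 'moderate',
  never a hard block;
- known proxy/Tor exit ranges get the same moderation notice;
- disposable mail domains are refused outright;
- listings expire after LISTING_TTL so dynamically reassigned addresses
  are not punished indefinitely (assumed window).
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed data; a deployment would load these from a database or feed.
LISTED_ADDRESSES = {   # address -> when a TU listed it (UTC)
    "203.0.113.7": datetime(2013, 3, 14, tzinfo=timezone.utc),
    "198.51.100.20": datetime(2013, 1, 1, tzinfo=timezone.utc),
}
LISTING_TTL = timedelta(days=7)                                  # assumed
PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]           # constructed
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}  # constructed


def is_recently_listed(addr, now):
    """True if the address was listed less than LISTING_TTL ago."""
    listed_at = LISTED_ADDRESSES.get(str(addr))
    return listed_at is not None and now - listed_at <= LISTING_TTL


def is_proxy(addr):
    """True if the address falls in a known proxy/exit range."""
    return any(addr in net for net in PROXY_RANGES)


def assess_registration(ip, email, now=None):
    """Return (decision, reasons); decision is allow | moderate | reject.

    Address reputation only ever yields 'moderate'. The only hard
    rejections are malformed input and a disposable mail domain.
    """
    now = now or datetime.now(timezone.utc)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "reject", ["malformed ip"]
    local, at, domain = email.rpartition("@")
    if not at or not local or "." not in domain:
        return "reject", ["malformed email"]
    if domain.lower() in DISPOSABLE_DOMAINS:
        return "reject", ["disposable mail domain"]
    reasons = []
    if is_recently_listed(addr, now):
        reasons.append("address listed by a TU within the last %d days"
                       % LISTING_TTL.days)
    if is_proxy(addr):
        reasons.append("address belongs to a known proxy/Tor exit range")
    return ("moderate" if reasons else "allow"), reasons


def notice(decision, reasons):
    """Text shown to the applicant; the moderation case explains why."""
    if decision == "moderate":
        return ("Your registration will be reviewed by a Trusted User before "
                "you can comment or flag packages. Reason(s): "
                + "; ".join(reasons))
    if decision == "reject":
        return "Registration refused: " + "; ".join(reasons)
    return "Welcome to the AUR."
```

Because the list is keyed by single addresses with an expiry rather than by ISP ranges, a dynamic-pool address that was used for spam on Thursday is back to "allow" a week later without anyone having to unlist it.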
On Fri, Mar 15, 2013 at 12:09:16PM +0100, Maxime Gauduin wrote:
On Fri, 2013-03-15 at 11:17 +0100, oliver wrote:
On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
[...]
That depends on how the blacklisting is done. You can have an IP blacklist for new account creations only. Or just implement a filtering: if someone tries to create an account with a blacklisted IP, warn him that his registration will need to be moderated before he can do anything (and explain why we do this). Same if the user is behind a proxy. It's true that this won't work with dynamic IPs though, and I don't believe filtering an entire ISP range is reasonable.
Also requiring a non disposable mail address should be the default, it's more time consuming to create a fake non disposable address, and there are only 3 reasons to use a disposable address imho: - you're up to no good, - you're a privacy freak, - you're registering to post one comment and never access your account again. Although the second point is arguable, we hardly need these kind of users in the AUR. [...]
If "privacy freaks" are not wanted in the AUR (why?), then blocking Tor falls into the same category, I think.
Ciao, Oliver
On Fri, 2013-03-15 at 13:33 +0100, oliver wrote:
On Fri, Mar 15, 2013 at 12:09:16PM +0100, Maxime Gauduin wrote:
On Fri, 2013-03-15 at 11:17 +0100, oliver wrote:
On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
[...]
If "privacy freaks" are not wanted in the AUR (why?), then blocking Tor falls into the same category, I think.
Ciao, Oliver
That's why I said it is arguable, and no, Tor does not fall in the same category. There's nothing wrong in wanting some privacy, and I actually think Tor is a good thing, but using totally fake identities and emails to register an AUR account means you are not willing to take responsibility for your actions/comments, and that is not a good thing imho. The AUR is not someplace you can barge into and do as you please incognito; it is a constructive and collective effort to have a well-maintained package repository, and I believe that this can only be achieved if people take said responsibility for what they do.
--
Maxime
On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
[...]
Hi, I suggest to use http://www.flameeyes.eu/projects/modsec instead (and in the wiki too, so we can remove the horrible captcha). It's an Apache mod_security blacklist that reduces spam (using DNSBL and User-Agent validation).
$ curl -I https://aur.archlinux.org |& grep Server
Server: nginx/1.2.6
On 15 Mar 2013 11:25, "Dave Reisner" <d@falconindy.com> wrote:
On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
[...]
Hi, I suggest to use http://www.flameeyes.eu/projects/modsec instead (and in the wiki too, so we can remove the horrible captcha). It's an Apache mod_security blacklist that reduces spam (using DNSBL and User-Agent validation).
$ curl -I https://aur.archlinux.org |& grep Server
Server: nginx/1.2.6
I had quite a success with projecthoneypot.org as another suggestion.
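The DNSBL and User-Agent checks behind Timothy's mod_security suggestion and the Project Honey Pot lookup just above, as an added Python example that is not code from either project. The query-name layout (`[key.]reversed-octets.zone`) and the http:BL answer format (`127.<days since last seen>.<threat score>.<type bitmask>`) follow Project Honey Pot's published description; the access key, the zone default, the thresholds, the User-Agent patterns and the canned answers are placeholders constructed for the example, and the resolver is injected so the block runs offline. Since the AUR front end is nginx rather than Apache, a check like this would sit in the application's registration handler rather than in a web-server module.

```python
"""DNSBL (http:BL style) lookup plus a User-Agent sanity check, for use at
registration time only (added example, not code from any project named
in the thread). The resolver is a plain callable so it can be swapped
for a real lookup or for canned answers in tests.
"""
import ipaddress
import socket

# http:BL 'type' bits, per Project Honey Pot's published format.
HTTPBL_SUSPICIOUS = 1
HTTPBL_HARVESTER = 2
HTTPBL_COMMENT_SPAMMER = 4


def dnsbl_query_name(ip, zone, access_key=None):
    """Build [key.]d.c.b.a.zone for an IPv4 address a.b.c.d."""
    addr = ipaddress.IPv4Address(ip)          # ValueError for IPv6 or garbage
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    labels = [access_key] if access_key else []
    return ".".join(labels + [reversed_octets, zone])


def parse_httpbl_answer(answer):
    """Decode a 127.days.threat.type answer; None means 'not listed'."""
    if answer is None:
        return None
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError("unexpected http:BL answer: %r" % answer)
    _, days, threat, kind = octets
    return {
        "days": days, "threat": threat, "type": kind,
        "comment_spammer": bool(kind & HTTPBL_COMMENT_SPAMMER),
        "harvester": bool(kind & HTTPBL_HARVESTER),
        "suspicious": bool(kind & HTTPBL_SUSPICIOUS),
    }


def live_resolver(name):
    """Real A-record lookup; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def should_moderate(ip, resolver, access_key="your-httpbl-key",
                    zone="dnsbl.httpbl.org", max_age_days=30, min_threat=10):
    """Flag for moderation (not block) when the address was recently seen
    as a comment spammer with a high enough threat score. Thresholds are
    assumptions."""
    info = parse_httpbl_answer(resolver(dnsbl_query_name(ip, zone, access_key)))
    if info is None:
        return False, None
    hit = (info["comment_spammer"] and info["days"] <= max_age_days
           and info["threat"] >= min_threat)
    return hit, info


def user_agent_ok(ua):
    """Minimal User-Agent check for the registration form: present and not
    a bare HTTP-library default. The prefixes are a constructed sample."""
    ua = (ua or "").strip()
    if not ua:
        return False
    library_defaults = ("python-urllib", "libwww-perl", "curl/", "wget/")
    return not ua.lower().startswith(library_defaults)


# Constructed answers standing in for the DNS zone so the example runs offline.
CANNED_ANSWERS = {
    "your-httpbl-key.7.113.0.203.dnsbl.httpbl.org": "127.3.45.4",     # spammer, 3 days ago
    "your-httpbl-key.20.100.51.198.dnsbl.httpbl.org": "127.80.12.4",  # stale, low score
    "your-httpbl-key.9.2.0.192.dnsbl.httpbl.org": "127.1.90.2",       # harvester only
}


def canned_resolver(name):
    return CANNED_ANSWERS.get(name)
```

Only the registration form should apply the User-Agent test; AUR helper scripts legitimately fetch package pages with library user agents, and Xyne's point about not breaking automation tools stands for every other endpoint.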
On 13.03.2013 11:33, Lukas Fleischer wrote:
[...]
We already tested all this years ago with the Wiki and Forums. Why reinvent the wheel instead of just using an existing solution? I could point you to the code if wanted; it's pretty simple and should be easy to integrate into the AUR registration.
Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
On 15.03.2013 17:13, Pierre Schmitz wrote:
We already tested all this years ago with the Wiki and Forums. Why reinvent the wheel instead of just using an existing solution? I could point you to the code if wanted; it's pretty simple and should be easy to integrate into the aur registration.
Greetings,
Pierre
I second this, as I do not recall the wiki captcha being cumbersome. Copy, paste, execute, copy, paste. Done in like 10 seconds and nothing "common" bots would be doing. Using that captcha at account registration would be highly effective while only needing 5 small operations from the user :)
Greetings,
Christoph
On Fri, Mar 15, 2013 at 05:13:43PM +0100, Pierre Schmitz wrote:
Am 13.03.2013 11:33, schrieb Lukas Fleischer:
[...]
We already tested all this years ago with the Wiki and Forums. Why reinvent the wheel instead of just using an existing solution? I could point you to the code if wanted; it's pretty simple and should be easy to integrate into the aur registration.
Because we suspect that the bots spamming the AUR were specifically designed for this specific setup of this specific platform and might react to such a simple change. Given the effort required to implement this, I agree that it is worth trying out, though. I will look into this on Monday/Tuesday. If the captcha does not prove itself in practice, I will implement a blacklist/whitelist based solution. Thank you for all the replies.
participants (18)
- Allen Li
- Christoph Vigano
- Connor Behan
- Daniel Micay
- Dave Reisner
- Eduardo Machado
- Felix Yan
- Florian Pritz
- Frederik "Freso" S. Olesen
- Kwpolska
- Leonidas Spyropoulos
- Lukas Fleischer
- Markus Unterwaditzer
- Maxime Gauduin
- oliver
- Pierre Schmitz
- Timothy Redaelli
- Xyne