[aur-general] We've got a spam issue in our AUR
Hi,
The user instmania[1] has posted spam links in the comments section of almost every recently updated package. For example [2]
[1] https://aur4.archlinux.org/account/instmania/ [2] https://aur4.archlinux.org/packages/warthunder/
-- Andrejs Mivreņiks PGP Key Fingerprint: 3872 5DEB BCA5 9460 09B2 E867 F34B C7DA D782 DAB8
Hi
On 12/07/2015 17:24, Andrejs Mivreņiks wrote:
Hi,
The user instmania[1] has posted spam links in the comments section of almost every recently updated package. For example [2]
[1] https://aur4.archlinux.org/account/instmania/ [2] https://aur4.archlinux.org/packages/warthunder/
I've suspended the instmania account. I received his spam for one package of mine too.
Bye
-- Fabio Castelli aka Muflone
Hi,
Suspending the account is good, though what about messages? Are they going to be removed? Also there is totally no spam protection that I know of at this moment in AUR, at some point it might turn out to be a bigger problem than that today.
Regards, Andrejs
-- Andrejs Mivreņiks PGP Key Fingerprint: 3872 5DEB BCA5 9460 09B2 E867 F34B C7DA D782 DAB8
On Sun, 12 Jul 2015, at 18:47, Muflone wrote:
Hi
On 12/07/2015 17:24, Andrejs Mivreņiks wrote:
Hi,
The user instmania[1] has posted spam links in the comments section of almost every recently updated package. For example [2]
[1] https://aur4.archlinux.org/account/instmania/ [2] https://aur4.archlinux.org/packages/warthunder/
I've suspended the instmania account. I received his spam for one package of mine too.
Bye
-- Fabio Castelli aka Muflone
On Sun, 12 Jul 2015 at 18:25:47, Andrejs Mivreņiks wrote:
Hi,
Suspending the account is good, though what about messages? Are they going to be removed? Also there is totally no spam protection that I know of at this moment in AUR, at some point it might turn out to be a bigger problem than that today. [...]
I deleted all 15 comments the user posted. Given that only a very low number of packages were affected, I suspect that he copy-pasted the message manually. There is really nothing we can do about that (apart from disabling comments)...
On Sun, Jul 12, 2015 at 2:24 PM, Lukas Fleischer <lfleischer@archlinux.org> wrote:
On Sun, 12 Jul 2015 at 18:25:47, Andrejs Mivreņiks wrote:
Hi,
Suspending the account is good, though what about messages? Are they going to be removed? Also there is totally no spam protection that I know of at this moment in AUR, at some point it might turn out to be a bigger problem than that today. [...]
I deleted all 15 comments the user posted. Given that only a very low number of packages were affected, I suspect that he copy-pasted the message manually. There is really nothing we can do about that (apart from disabling comments)...
I'm not sure if this is worthwhile, but:
http://bogofilter.sourceforge.net/ https://pypi.python.org/pypi/django-bogofilter/0.1 (example of integrating bogofilter to forum comments in Django/Python)
We could add this email-style spam filtering (using bogofilter or any similar package), and make comments that fail it have to use a CAPTCHA? Or just make all comments require a CAPTCHA. Or a "report spam" link for comments.
Another thought for improving comments might be to implement reddit-style upvoting/downvoting.
On 12/07, Ido Rosen wrote:
On Sun, Jul 12, 2015 at 2:24 PM, Lukas Fleischer <lfleischer@archlinux.org> wrote:
On Sun, 12 Jul 2015 at 18:25:47, Andrejs Mivreņiks wrote:
Hi,
Suspending the account is good, though what about messages? Are they going to be removed? Also there is totally no spam protection that I know of at this moment in AUR, at some point it might turn out to be a bigger problem than that today. [...]
I deleted all 15 comments the user posted. Given that only a very low number of packages were affected, I suspect that he copy-pasted the message manually. There is really nothing we can do about that (apart from disabling comments)...
I'm not sure if this is worthwhile, but:
http://bogofilter.sourceforge.net/ https://pypi.python.org/pypi/django-bogofilter/0.1 (example of integrating bogofilter to forum comments in Django/Python)
We could add this email-style spam filtering (using bogofilter or any similar package), and make comments that fail it have to use a CAPTCHA? Or just make all comments require a CAPTCHA. Or a "report spam" link for comments.
Another thought for improving comments might be to implement reddit-style upvoting/downvoting.
Not all spam is automated, so just requiring a CAPTCHA wouldn't be very useful. I think a slightly better approach would be to add the comment to a queue if it fails the spam filter, and require a TU to approve it.
-- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
On Tue, Jul 14, 2015 at 3:43 AM, Johannes Löthberg <johannes@kyriasis.com> wrote:
Not all spam is automated, so just requiring a CAPTCHA wouldn't be very useful. I think a slightly better approach would be to add the comment to a queue if it fails the spam filter, and require a TU to approve it.
Seems like a lot of unnecessary work for TUs though. Maybe it would be better for maintainers' approval to be required for posts that fail a spam filter (they could just ignore it). Even if it's not really spam, it's probably aimed at the maintainer anyway.
I have seen some spam filters that have layers.
The first layer is captcha, which blocks most bots. Google recaptcha is very useful in this case. I don't think this will block any human user. In addition, users don't have to enter captcha every time once it determines that a person is not a bot. For reference: https://www.google.com/recaptcha/intro/index.html
The second layer is letting users report spam, or having some kind of rating system (reddit). This blocks diligent human spammers. In particular reddit's rating system is smart because it requires no moderator; users actively downvote bad comments and upvote useful ones.
I generally don't like keyword-based spam filters because they take time to maintain a good keyword list and can easily block legit users.
On Tue, Jul 14, 2015 at 9:09 AM, Oon-Ee Ng <ngoonee.talk@gmail.com> wrote:
On Tue, Jul 14, 2015 at 3:43 AM, Johannes Löthberg <johannes@kyriasis.com> wrote:
Not all spam is automated, so just requiring a CAPTCHA wouldn't be very useful. I think a slightly better approach would be to add the comment to a queue if it fails the spam filter, and require a TU to approve it.
Seems like a lot of unnecessary work for TUs though. Maybe it would be better for maintainers' approval to be required for posts that fail a spam filter (they could just ignore it). Even if it's not really spam, it's probably aimed at the maintainer anyway.
You can also limit the number of messages a person can post. And +1 for moderation. Apart from spam, people start discussions, chats, etc in comments. There is no way to stop that. And +1 for layered filters. For example, if two people tag each other repeatedly you can flag it as a chat, and so on.
Regards
Prakhar Singh
IIT Roorkee
On Tue, Jul 14, 2015 at 12:28 PM, Tai-Lin Chu <tailinchu@gmail.com> wrote:
I have seen some spam filters that have layers.
The first layer is captcha, which blocks most bots. Google recaptcha is very useful in this case. I don't think this will block any human user. In addition, users don't have to enter captcha every time once it determines that a person is not a bot. For reference: https://www.google.com/recaptcha/intro/index.html
The second layer is letting users report spam, or having some kind of rating system (reddit). This blocks diligent human spammers. In particular reddit's rating system is smart because it requires no moderator; users actively downvote bad comments and upvote useful ones.
I generally don't like keyword-based spam filters because they take time to maintain a good keyword list and can easily block legit users.
On Tue, Jul 14, 2015 at 9:09 AM, Oon-Ee Ng <ngoonee.talk@gmail.com> wrote:
On Tue, Jul 14, 2015 at 3:43 AM, Johannes Löthberg <johannes@kyriasis.com> wrote:
Not all spam is automated, so just requiring a CAPTCHA wouldn't be very useful. I think a slightly better approach would be to add the comment to a queue if it fails the spam filter, and require a TU to approve it.
Seems like a lot of unnecessary work for TUs though. Maybe it would be better for maintainers' approval to be required for posts that fail a spam filter (they could just ignore it). Even if it's not really spam, it's probably aimed at the maintainer anyway.
On 14-07-2015 07:01, Prakhar Singh wrote:
You can also limit the number of messages a person can post. And +1 for moderation. Apart from spam, people start discussions, chats, etc in comments. There is no way to stop that. And +1 for layered filters. For example, if two people tag each other repeatedly you can flag it as a chat, and so on.
The complexity is increasing more and more as suggestions keep coming. I don't want to call this a bike shed yet, but it surely seems to be going to be one.
First of all, this spam problem isn't (yet) a big issue. It might become an issue, and it might not. If it does, then we could start from the simplest solution, a simple spam filter and moderation by the maintainer. Limiting messages should be discussed as a last resort, when everything else didn't work.
Cheers, Giancarlo Razzolini
On 14 July 2015 18:54:11 GMT+05:30, Giancarlo Razzolini <grazzolini@gmail.com> wrote:
On 14-07-2015 07:01, Prakhar Singh wrote:
You can also limit the number of messages a person can post. And +1 for moderation. Apart from spam, people start discussions, chats, etc in comments. There is no way to stop that. And +1 for layered filters. For example, if two people tag each other repeatedly you can flag it as a chat, and so on.
The complexity is increasing more and more as suggestions keep coming. I don't want to call this a bike shed yet, but it surely seems to be going to be one.
Exactly.
First of all, this spam problem isn't (yet) a big issue. It might become an issue, and it might not. If it does, then we could start from the simplest solution, a simple spam filter and moderation by the maintainer. Limiting messages should be discussed as a last resort, when everything else didn't work.
Cheers, Giancarlo Razzolini
Seriously, I fail to understand all these reddit like upvoting suggestions especially. People, AUR isn't reddit. Upvoting comments doesn't make sense as comments don't stay relevant/valid forever. Packages change over time and so do the comments around them.
I agree with gt. Not meaning to bike shed further, but if we had a 'not constructive' or 'destructive' flag, and have the comment appear grayed out and flagged for moderation after n flags, this would be a more sane implementation of 'voting' on comments.
I should add that I am not yet advocating such a solution. As others have said, the spam problem is not large enough to warrant it.
On 15.07.2015 00:53, David Phillips wrote:
I agree with gt. Not meaning to bike shed further, but if we had a 'not constructive' or 'destructive' flag, and have the comment appear grayed out and flagged for moderation after n flags, this would be a more sane implementation of 'voting' on comments.
Then we would have bots flagging posts as destructive. Any automatic system involving user interaction can be abused.
On 12/07/15 11:24 AM, Andrejs Mivreņiks wrote:
Hi,
The user instmania[1] has posted spam links in the comments section of almost every recently updated package. For example [2]
[1] https://aur4.archlinux.org/account/instmania/ [2] https://aur4.archlinux.org/packages/warthunder/
I submitted a patch to remove the incentive to do this:
https://lists.archlinux.org/pipermail/aur-dev/2015-July/003608.html
It would be nice to implement the registration question we have on the forums and wiki too.
On Sun, 12 Jul 2015 at 17:54:10, Daniel Micay wrote:
On 12/07/15 11:24 AM, Andrejs Mivreņiks wrote:
Hi,
The user instmania[1] has posted spam links in the comments section of almost every recently updated package. For example [2]
[1] https://aur4.archlinux.org/account/instmania/ [2] https://aur4.archlinux.org/packages/warthunder/
I submitted a patch to remove the incentive to do this:
https://lists.archlinux.org/pipermail/aur-dev/2015-July/003608.html
It would be nice to implement the registration question we have on the forums and wiki too.
We introduced a similar (even harder and quickly changing) question the last time we had issues with a spam bot. It didn't help, the spammer revamped his bot within a couple of minutes, see [1]. Our next countermeasure was to require email confirmations on registration (and preventing the same email address from being used twice) which worked fine. Obviously, all that doesn't help when a human registers himself. The only additional thing I can think of is some flood control mechanism which does not fix the problem itself but helps reduce the degree of damage...
[1] https://lists.archlinux.org/pipermail/aur-dev/2013-March/002438.html
On 12-07-2015 15:33, Lukas Fleischer wrote:
The only additional thing I can think of is some flood control mechanism which does not fix the problem itself but helps reduce the degree of damage...
Requiring a captcha will prevent some people from posting. Implementing a flood control might help, but might also be a hassle to maintainers who get a lot of comments and would probably reply to them sequentially. The only thing that would surely work would be moderation. I don't think that disabling comments is the answer though. As for moderation, is there a way to make a survey of how frequent the comments are? I maintain a few packages on AUR and I don't get that many comments. At least they tend to be sparse enough. I wouldn't bother to moderate them myself. Perhaps this could be configurable?
Cheers, Giancarlo Razzolini
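Added example, not part of any message in this thread and not AUR code: the flood control mentioned above combined with the hold-for-maintainer queue proposed earlier, including the exemption for maintainers who reply to many comments in a row. The class name, the limits, the copy-paste check and the toy classifier are assumptions; a trained filter such as bogofilter would take the place of `is_spam`.

```python
import hashlib
from collections import defaultdict, deque

PUBLISH, HOLD, REJECT = "publish", "hold", "reject"

class CommentGate:
    """Flood control plus a maintainer hold queue (names and limits are assumptions)."""

    def __init__(self, is_spam, max_posts=5, window=600, max_copies=2):
        self.is_spam = is_spam            # callable(text) -> bool, e.g. a bogofilter wrapper
        self.max_posts = max_posts        # comments per account per window
        self.window = window              # window length in seconds
        self.max_copies = max_copies      # packages one identical body may appear on
        self.recent = defaultdict(deque)  # user -> timestamps of accepted comments
        self.copies = defaultdict(set)    # (user, body digest) -> packages
        self.held = []                    # queue for the package maintainer

    def submit(self, user, package, maintainer, text, now):
        own_package = user == maintainer  # maintainers replying in sequence are not throttled
        if not own_package:
            stamps = self.recent[user]
            while stamps and now - stamps[0] >= self.window:
                stamps.popleft()
            if len(stamps) >= self.max_posts:
                return REJECT
            stamps.append(now)
        # Normalise case and whitespace so trivially edited copies hash the same.
        digest = hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()
        seen = self.copies[(user, digest)]
        seen.add(package)
        if len(seen) > self.max_copies or (not own_package and self.is_spam(text)):
            self.held.append((package, user, text))
            return HOLD
        return PUBLISH

def replay():
    """Constructed traffic: one account pasting a link across packages, plus normal use."""
    gate = CommentGate(is_spam=lambda t: "buy now" in t.lower())  # toy classifier
    paste = "Nice package! More at https://spam.example/"
    flood = [gate.submit("mallory", f"pkg{i}", "alice", paste, now=10 * i) for i in range(7)]
    replies = [gate.submit("alice", "pkg0", "alice", f"Fixed in -{i}", now=100 + i) for i in range(6)]
    flagged = gate.submit("bob", "pkg1", "alice", "Buy now, limited offer", now=200)
    return flood, replies, flagged, len(gate.held)

if __name__ == "__main__":
    print(replay())
```

With these limits a manually pasted message reaches two packages before later copies are held and the account is throttled, which bounds the damage without fixing the underlying problem.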
participants (13)
- Andrejs Mivreņiks
- Daniel Micay
- David Phillips
- Giancarlo Razzolini
- gt
- Ido Rosen
- Johannes Löthberg
- Lukas Fleischer
- Muflone
- Oon-Ee Ng
- Prakhar Singh
- Sascha Shaw
- Tai-Lin Chu