[aur-dev] Fighting spam on the AUR

Kwpolska kwpolska at gmail.com
Wed Mar 13 10:36:50 EDT 2013

On Wed, Mar 13, 2013 at 11:33 AM, Lukas Fleischer
<archlinux at cryptocrack.de> wrote:
> Status quo:
>     06:54 < gtmanfred> ok, it really is time for something else
>     06:54 < gtmanfred> the spammer is now creating a new account for
>     every comment and flag out of date
> The account suspension feature does not help here.
> Options:
> * Allow package maintainers to block the "Flag package out-of-date"
>   feature for a certain amount of time. Note that this might eventually
>   cripple the "out-of-date" function. Also, this does not work for
>   comments.

I suggest a 24-hour flag immunity for added/updated packages and a
60-minute immunity after a package gets unflagged.

> * Use CAPTCHAs during account registration. We could either use MAPTCHAs
>   ("What is 1 + 1?") or something like reCAPTCHA [1].

MAPTCHAs can be solved easily by bots, reCAPTCHA itself is evil, and
image CAPTCHAs can be solved by Indians for a dollar or two per
thousand images.

> * Moderate new accounts. Might be a lot of work. We need some TUs that
>   review and unlock accounts. Also, it might be hard to distinguish a
>   spam bot from a regular user. If we require a short application text,
>   this might result in fewer users joining the AUR.

Maybe block the ability of commenting and flagging in the first 24
hours of a user account’s existence?

> * Block IP addresses. Bye-bye, Tor users!

Don’t worry, http://proxy.org is here to help our lovely spammers.

Also, is email verification necessary?  If yes, block 10minutemail.com
and other services of this kind.  If not, make it so and see “if yes”.

Kwpolska <http://kwpolska.tk> | GPG KEY: 5EAAEA16
stop html mail                | always bottom-post
http://asciiribbon.org        | http://caliburn.nl/topposting.html
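
The time windows and the disposable-mail block suggested in the message above, written out as Python checks. This is an added example, not part of the original message or of the AUR code; the class and function names, the sample domain set, and tying e-mail verification to commenting/flagging are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows are the ones proposed in the message; the domain set is a constructed sample.
PACKAGE_FLAG_IMMUNITY = timedelta(hours=24)   # after a package is added/updated
UNFLAG_IMMUNITY = timedelta(minutes=60)       # after a package gets unflagged
NEW_ACCOUNT_QUARANTINE = timedelta(hours=24)  # no comments/flags for new accounts
DISPOSABLE_DOMAINS = {"10minutemail.com"}

@dataclass
class Account:                                # hypothetical model
    email: str
    created: datetime
    email_verified: bool = False

@dataclass
class Package:                                # hypothetical model
    last_modified: datetime                   # submission or last update
    last_unflagged: Optional[datetime] = None

def registration_allowed(email: str) -> bool:
    """Reject throwaway mail providers, including their subdomains."""
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return not any(domain == d or domain.endswith("." + d)
                   for d in DISPOSABLE_DOMAINS)

def account_may_interact(acct: Account, now: datetime) -> bool:
    """Commenting and flagging need a verified account older than 24 hours."""
    return acct.email_verified and now - acct.created >= NEW_ACCOUNT_QUARANTINE

def flag_denial_reason(acct: Account, pkg: Package, now: datetime) -> Optional[str]:
    """Return None if the out-of-date flag is accepted, else why it was refused."""
    if not account_may_interact(acct, now):
        return "account too new or e-mail unverified"
    if now - pkg.last_modified < PACKAGE_FLAG_IMMUNITY:
        return "package was added or updated within the last 24 hours"
    if pkg.last_unflagged and now - pkg.last_unflagged < UNFLAG_IMMUNITY:
        return "package was unflagged within the last 60 minutes"
    return None
```

Checking the account first means a freshly registered throwaway account is refused before any per-package state is consulted, which is the case the quoted IRC log describes.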
