[aur-dev] Fighting spam on the AUR

Florian Dejonckheere florian at floriandejonckheere.be
Wed Mar 13 10:57:53 EDT 2013


I don't want the AUR to become a closed system where everything has to be
approved by TUs or moderators. What if two users were required to mark a
package out of date (next to other security measures)?
Maybe an alternate way (not really a solution) is implementing (better)
spam detection algorithms?

For reference, how many packages are usually marked out of date per day,
and how many are genuine?


*Florian Dejonckheere*

 florian at floriandejonckheere.be
 http://www.floriandejonckheere.be
 floriandejonckheere
sip:florian at floriandejonckheere.be


On 13 March 2013 15:36, Kwpolska <kwpolska at gmail.com> wrote:

> On Wed, Mar 13, 2013 at 11:33 AM, Lukas Fleischer
> <archlinux at cryptocrack.de> wrote:
> > Status quo:
> >
> >     06:54 < gtmanfred> ok, it really is time for something else
> >     06:54 < gtmanfred> the spammer is now creating a new account for
> >     every comment and flag out of date
> >
> > The account suspension feature does not help here.
> >
> > Options:
> >
> > * Allow package maintainers to block the "Flag package out-of-date"
> >   feature for a certain amount of time. Note that this might eventually
> >   cripple the "out-of-date" function. Also, this does not work for
> >   comments.
>
> I suggest a 24-hour flag immunity for added/updated packages and a
> 60-minute immunity after a package gets unflagged.
>
> > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> >   ("What is 1 + 1?") or something like reCAPTCHA [1].
>
> MAPTCHAs can be solved easily by bots, reCAPTCHA itself is evil, and
> image CAPTCHAs can be solved by Indians for a dollar or two per
> thousand images.
>
> > * Moderate new accounts. Might be a lot of work. We need some TUs that
> >   review and unlock accounts. Also, it might be hard to distinguish a
> >   spam bot from a regular user. If we require a short application text,
> >   this might result in fewer users joining the AUR.
> >
>
> Maybe block the ability of commenting and flagging in the first 24
> hours of a user account’s existence?
>
> > * Block IP addresses. Bye-bye, Tor users!
>
> Don’t worry, http://proxy.org is here to help our lovely spammers.
>
> Also, is email verification necessary?  If yes, block 10minutemail.com
> and other services of this kind.  If not, make it so and see “if yes”.
>
> --
> Kwpolska <http://kwpolska.tk> | GPG KEY: 5EAAEA16
> stop html mail                | always bottom-post
> http://asciiribbon.org        | http://caliburn.nl/topposting.html
>
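
The flagging limits proposed in this thread (two users per flag, a 24-hour wait for new accounts, 24-hour immunity after an add/update and 60 minutes after an unflag) can be combined into one check. The sketch below is an added example, not aurweb code and not written by anyone in the thread; the `Package` model, function names and return strings are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

# Thresholds taken from the proposals in the thread.
ACCOUNT_MIN_AGE = timedelta(hours=24)    # new accounts cannot flag yet
UPDATE_IMMUNITY = timedelta(hours=24)    # after a package is added or updated
UNFLAG_IMMUNITY = timedelta(minutes=60)  # after a package gets unflagged
FLAG_QUORUM = 2                          # distinct users needed to mark out of date


@dataclass
class Package:  # hypothetical model, not the AUR database schema
    last_updated: datetime
    last_unflagged: Optional[datetime] = None
    flag_votes: Set[str] = field(default_factory=set)
    out_of_date: bool = False


def flag_denial_reason(pkg, account_created, now):
    """Return why a flag request must be refused, or None if it is allowed."""
    if now - account_created < ACCOUNT_MIN_AGE:
        return "account too new"
    if now - pkg.last_updated < UPDATE_IMMUNITY:
        return "package recently updated"
    if pkg.last_unflagged and now - pkg.last_unflagged < UNFLAG_IMMUNITY:
        return "package recently unflagged"
    return None


def request_flag(pkg, user, account_created, now):
    """Record one user's flag vote; the package flips only at quorum."""
    reason = flag_denial_reason(pkg, account_created, now)
    if reason:
        return reason
    pkg.flag_votes.add(user)  # a set, so repeat votes from one user count once
    if len(pkg.flag_votes) >= FLAG_QUORUM:
        pkg.out_of_date = True
        return "flagged"
    return "vote recorded"


def unflag(pkg, now):
    """Clear the flag, drop pending votes and start the unflag immunity."""
    pkg.out_of_date = False
    pkg.flag_votes.clear()
    pkg.last_unflagged = now
```

Returning a reason string for each refusal also gives moderators something to count per account or per package when reviewing how often each rule fires.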

