[aur-dev] Fighting spam on the AUR
Florian Dejonckheere
florian at floriandejonckheere.be
Wed Mar 13 10:57:53 EDT 2013
I don't want the AUR to become a closed system where everything has to be
approved by TUs or moderators. What if two users were required to mark a
package out of date (next to other security measures)?

Maybe an alternate way (not really a solution) is implementing (better)
spam detection algorithms?

For reference, how many packages are usually marked out of date per day,
and how many are genuine?
*Florian Dejonckheere*
florian at floriandejonckheere.be
http://www.floriandejonckheere.be
floriandejonckheere
sip:florian at floriandejonckheere.be
On 13 March 2013 15:36, Kwpolska <kwpolska at gmail.com> wrote:
> On Wed, Mar 13, 2013 at 11:33 AM, Lukas Fleischer
> <archlinux at cryptocrack.de> wrote:
> > Status quo:
> >
> > 06:54 < gtmanfred> ok, it really is time for something else
> > 06:54 < gtmanfred> the spammer is now creating a new account for
> > every comment and flag out of date
> >
> > The account suspension feature does not help here.
> >
> > Options:
> >
> > * Allow package maintainers to block the "Flag package out-of-date"
> > feature for a certain amount of time. Note that this might eventually
> > cripple the "out-of-date" function. Also, this does not work for
> > comments.
>
> I suggest a flag 24-hour immunity for added/updated packages and a
> 60-minute immunity after a package gets unflagged.
>
> > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> > ("What is 1 + 1?") or something like reCAPTCHA [1].
>
> MAPTCHAs can be solved easily by bots, reCAPTCHA itself is evil, and
> image CAPTCHAs can be solved by Indians for a dollar or two per
> thousand images.
>
> > * Moderate new accounts. Might be a lot of work. We need some TUs that
> > review and unlock accounts. Also, it might be hard to distinguish a
> > spam bot from a regular user. If we require a short application text,
> > this might result in fewer users joining the AUR.
> >
>
> Maybe block the ability of commenting and flagging in the first 24
> hours of a user account’s existence?
>
> > * Block IP addresses. Bye-bye, Tor users!
>
> Don’t worry, http://proxy.org is here to help our lovely spammers.
>
> Also, is email verification necessary? If yes, block 10minutemail.com
> and other services of this kind. If not, make it so and see “if yes”.
>
> --
> Kwpolska <http://kwpolska.tk> | GPG KEY: 5EAAEA16
> stop html mail | always bottom-post
> http://asciiribbon.org | http://caliburn.nl/topposting.html
>