[aur-dev] [aur-general] Fighting spam on the AUR

Florian Dejonckheere florian at floriandejonckheere.be
Sat Mar 16 12:07:32 EDT 2013


The bot could easily be adjusted to execute the command and pass the form.
There seems to be only one command (on the wiki). If multiple commands were
to be used (maybe including interactive ones), I think the probability of
automation would be greatly decreased.


*Florian Dejonckheere*

 florian at floriandejonckheere.be
 http://www.floriandejonckheere.be
 floriandejonckheere
sip:florian at floriandejonckheere.be


On 15 March 2013 17:33, Lukas Fleischer <archlinux at cryptocrack.de> wrote:

> On Fri, Mar 15, 2013 at 05:13:43PM +0100, Pierre Schmitz wrote:
> > On 13.03.2013 11:33, Lukas Fleischer wrote:
> > > Status quo:
> > >
> > >     06:54 < gtmanfred> ok, it really is time for something else
> > >     06:54 < gtmanfred> the spammer is now creating a new account for
> > >     every comment and flag out of date
> > >
> > > The account suspension feature does not help here.
> > >
> > > Options:
> > >
> > > * Allow package maintainers to block the "Flag package out-of-date"
> > >   feature for a certain amount of time. Note that this might eventually
> > >   cripple the "out-of-date" function. Also, this does not work for
> > >   comments.
> > >
> > > * Use CAPTCHAs during account registration. We could either use
> > >   MAPTCHAs ("What is 1 + 1?") or something like reCAPTCHA [1].
> > >
> > > * Moderate new accounts. Might be a lot of work. We need some TUs that
> > >   review and unlock accounts. Also, it might be hard to distinguish a
> > >   spam bot from a regular user. If we require a short application text,
> > >   this might result in fewer users joining the AUR.
> > >
> > > * Block IP addresses. Bye-bye, Tor users!
> > >
> > > Comments and suggestions welcome! We need to find a proper solution as
> > > soon as possible!
> > >
> > > [1] http://www.google.com/recaptcha
> >
> > We already tested all this years ago with the Wiki and Forums. Why
> > reinvent the wheel instead of just using an existing solution? I could
> > point you to the code if wanted; it's pretty simple and should be easy
> > to integrate into the aur registration.
>
> Because we suspect that the bots spamming the AUR were specifically
> designed for this specific setup of this specific platform and might
> react to such a simple change. Given the effort required to implement
> this, I agree that it is worth trying out, though.
>
> I will look into this on Monday/Tuesday. If the captcha does not prove
> itself in practice I will implement a blacklist/whitelist based
> solution.
>
> Thank you for all the replies.
>
> >
> > Greetings,
> >
> > Pierre
> >
> > --
> > Pierre Schmitz, https://pierre-schmitz.com
>
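
Added example, not part of the original message and not AUR or wiki code: a registration check where the command differs per form, so one stored answer cannot be replayed. It goes beyond the message by signing the challenge and accepting each one once; the names issue, verify and CHALLENGES, the three commands and the 600-second lifetime are assumptions made for this sketch.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # server-side signing key (generated per run here)
TTL = 600                         # assumed challenge lifetime in seconds
_used = set()                     # answered nonces; in-memory for this sketch only

# Hypothetical challenge pool: command shown to the applicant, and the
# function the server uses to compute the expected answer for a nonce.
CHALLENGES = {
    "sha1": ("printf %s {nonce} | sha1sum | cut -c1-12",
             lambda n: hashlib.sha1(n.encode()).hexdigest()[:12]),
    "sha256": ("printf %s {nonce} | sha256sum | cut -c1-12",
               lambda n: hashlib.sha256(n.encode()).hexdigest()[:12]),
    "sha512": ("printf %s {nonce} | sha512sum | cut -c1-12",
               lambda n: hashlib.sha512(n.encode()).hexdigest()[:12]),
}

def _mac(kind, nonce, expires):
    # Bind challenge type, nonce and expiry together under the server key.
    msg = f"{kind}|{nonce}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(now=None):
    """Return (command_to_display, signed_token) for one registration form."""
    now = int(time.time() if now is None else now)
    kind = secrets.choice(sorted(CHALLENGES))
    nonce, expires = secrets.token_hex(8), now + TTL
    token = f"{kind}|{nonce}|{expires}|{_mac(kind, nonce, expires)}"
    return CHALLENGES[kind][0].format(nonce=nonce), token

def verify(token, answer, now=None):
    """Accept an answer once, only for an unexpired token this server signed."""
    now = int(time.time() if now is None else now)
    try:
        kind, nonce, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False
    if not hmac.compare_digest(mac.encode(), _mac(kind, nonce, expires).encode()):
        return False                       # forged or altered token
    if now > expires or nonce in _used:
        return False                       # stale or already answered
    expected = CHALLENGES[kind][1](nonce)
    if not hmac.compare_digest(expected.encode(), answer.strip().lower().encode()):
        return False
    _used.add(nonce)                       # single use: a replay is rejected
    return True
```

The token travels in a hidden form field, so the server keeps no per-form state apart from the set of answered nonces, which a real deployment would hold in shared storage with the same expiry.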

