[aur-general] Fighting spam on the AUR

Maxime Gauduin alucryd at gmail.com
Wed Mar 13 06:48:50 EDT 2013


On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
> Status quo:
> 
>     06:54 < gtmanfred> ok, it really is time for something else
>     06:54 < gtmanfred> the spammer is now creating a new account for
>     every comment and flag out of date
> 
> The account suspension feature does not help here.
> 
> Options:
> 
> * Allow package maintainers to block the "Flag package out-of-date"
>   feature for a certain amount of time. Note that this might eventually
>   cripple the "out-of-date" function. Also, this does not work for
>   comments.
> 
> * Use CAPTCHAs during account registration. We could either use MAPTCHAs
>   ("What is 1 + 1?") or something like reCAPTCHA [1].
> 
> * Moderate new accounts. Might be a lot of work. We need some TUs that
>   review and unlock accounts. Also, it might be hard to distinguish a
>   spam bot from a regular user. If we require a short application text,
>   this might result in fewer users joining the AUR.
> 
> * Block IP addresses. Bye-bye, Tor users!
> 
> Comments and suggestions welcome! We need to find a proper solution as
> soon as possible!
> 
> [1] http://www.google.com/recaptcha

Blocking IP addresses would be the most effective and require the least
work imho. Here's how I'd do it:

Add a 'Tor user' checkbox on the 'My account' page to state whether the
user uses Tor or not, and ask the same question during the creation of
new accounts.

All new and existing accounts not using Tor are automatically
whitelisted.

All new or existing accounts using Tor are automatically blacklisted,
and have to send a request to aur-general so they can be granted a
special status which bypasses the IP verification.

Give TUs more super powers so they can blacklist or whitelist users/IPs.

What do you think?

Cheers.

-- 
Maxime