[aur-general] Fighting spam on the AUR

Felix Yan felixonmars at gmail.com
Wed Mar 13 06:59:59 EDT 2013


On Wednesday, March 13, 2013 11:48:50 Maxime Gauduin wrote:
> On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
> > Status quo:
> > 
> >     06:54 < gtmanfred> ok, it really is time for something else
> >     06:54 < gtmanfred> the spammer is now creating a new account for
> >     every comment and flag out of date
> > 
> > The account suspension feature does not help here.
> > 
> > Options:
> > 
> > * Allow package maintainers to block the "Flag package out-of-date"
> >   feature for a certain amount of time. Note that this might eventually
> >   cripple the "out-of-date" function. Also, this does not work for
> >   comments.
> > 
> > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> >   ("What is 1 + 1?") or something like reCAPTCHA [1].
> > 
> > * Moderate new accounts. Might be a lot of work. We need some TUs that
> >   review and unlock accounts. Also, it might be hard to distinguish a
> >   spam bot from a regular user. If we require a short application text,
> >   this might result in fewer users joining the AUR.
> > 
> > * Block IP addresses. Bye-bye, Tor users!
> > 
> > Comments and suggestions welcome! We need to find a proper solution as
> > soon as possible!
> > 
> > [1] http://www.google.com/recaptcha
> 
> Blocking IP addresses would be the most effective and require the least
> work imho. Here's how I'd do it:
> 
> Add a 'TOR user' checkbox on the 'My account' page to state whether the
> user uses TOR or not, and ask the same question during the creation of
> new accounts.
> 
> All new and existing accounts not using TOR are automatically
> whitelisted.
> 
> All new or existing accounts using TOR are automatically blacklisted,
> and have to send a request to aur-general so they can be granted a
> special status which bypasses the IP verification.
> 
> Give TUs more super powers so they can blacklist or whitelist users/IPs.
> 
> What do you think?
> 
> Cheers.

And there are thousands of free proxy lists with millions of available candidate IPs; I don't really think this could stop the spammers.

So IMHO I'd +1 for captchas (though I hate them a lot).

And maybe some more captchas than just at registration (just examples):

* 5th or more out-of-date flags in a day
* 5th or more comments (in different packages) in a day
* 5th or more same comment sentence

This should not bother existing users too much.

But nothing could really stop him if he still hates us so much and registers & posts manually, just as suggested before.

Felix Yan
Twitter: @felixonmars
Wiki: http://felixc.at
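
The three CAPTCHA triggers listed in the message above, sketched as an added example that is not part of the original post or of the AUR code base. The `CaptchaPolicy` class and its method names are hypothetical; reading "in a day" as a sliding 24-hour window and counting identical comment text across all accounts are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW = 24 * 3600  # "in a day", read as a sliding 24-hour window (assumption)
THRESHOLD = 5       # the 5th and every later action asks for a CAPTCHA


def _recent(q, now):
    """Drop entries older than WINDOW from the left of a (ts, value) deque."""
    while q and q[0][0] <= now - WINDOW:
        q.popleft()
    return q


class CaptchaPolicy:
    """Hypothetical helper: decides whether an action needs a CAPTCHA first."""

    def __init__(self):
        self.flags = defaultdict(deque)     # account -> (ts, package)
        self.comments = defaultdict(deque)  # account -> (ts, package)
        self.texts = defaultdict(deque)     # normalized text -> (ts, account)

    def flag(self, account, package, now=None):
        now = time.time() if now is None else now
        q = _recent(self.flags[account], now)
        q.append((now, package))
        return len(q) >= THRESHOLD

    def comment(self, account, package, text, now=None):
        now = time.time() if now is None else now
        per_account = _recent(self.comments[account], now)
        per_account.append((now, package))
        # Counted across all accounts (assumption), because the spammer in
        # this thread registers a new account for every comment.
        same_text = _recent(self.texts[" ".join(text.lower().split())], now)
        same_text.append((now, account))
        packages = {pkg for _, pkg in per_account}
        return len(packages) >= THRESHOLD or len(same_text) >= THRESHOLD


if __name__ == "__main__":
    policy = CaptchaPolicy()
    # Constructed input: five throwaway accounts posting the same sentence.
    for i in range(5):
        print(i + 1, policy.comment(f"acct{i}", f"pkg{i}", "Buy  CHEAP pills", now=i))
```

A `True` return means the action should be held until a CAPTCHA is solved; a regular user who comments repeatedly on one package with different text never reaches a threshold.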