[aur-general] Fighting spam on the AUR

Eduardo Machado eduardo.machado at gmail.com
Wed Mar 13 07:50:44 EDT 2013


Hi,

I would like to suggest a captcha only on user registration. And some
time/quantity limit for some actions, like said before: 10 "out of date"
within an hour (a real user takes time to verify that a package is really
out of date; and this rate does not block real people from helping to verify
packages).

And maybe a history of the IPs and usernames associated with them will
help to analyze how he is working...


---
   Eduardo M. Machado


2013/3/13 Felix Yan <felixonmars at gmail.com>

> On Wednesday, March 13, 2013 11:48:50 Maxime Gauduin wrote:
> > On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
> > > Status quo:
> > >
> > >     06:54 < gtmanfred> ok, it really is time for something else
> > >     06:54 < gtmanfred> the spammer is now creating a new account for
> > >     every comment and flag out of date
> > >
> > > The account suspension feature does not help here.
> > >
> > > Options:
> > >
> > > * Allow package maintainers to block the "Flag package out-of-date"
> > >   feature for a certain amount of time. Note that this might eventually
> > >   cripple the "out-of-date" function. Also, this does not work for
> > >   comments.
> > >
> > > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> > >   ("What is 1 + 1?") or something like reCAPTCHA [1].
> > >
> > > * Moderate new accounts. Might be a lot of work. We need some TUs that
> > >   review and unlock accounts. Also, it might be hard to distinguish a
> > >   spam bot from a regular user. If we require a short application text,
> > >   this might result in less users joining the AUR.
> > >
> > > * Block IP addresses. Bye-bye, Tor users!
> > >
> > > Comments and suggestions welcome! We need to find a proper solution as
> > > soon as possible!
> > >
> > > [1] http://www.google.com/recaptcha
> >
> > Blocking IP addresses would be the most effective and require the least
> > work imho. Here's how I'd do it:
> >
> > Add a 'TOR user' checkbox on the 'My account' page to state whether the
> > user uses TOR or not, and ask the same question during the creation of
> > new accounts.
> >
> > All new and existing accounts not using TOR are automatically
> > whitelisted.
> >
> > All new or existing accounts using TOR are automatically blacklisted,
> > and have to send a request to aur-general so they can be granted a
> > special status which bypasses the IP verification.
> >
> > Give TUs more super powers so they can blacklist or whitelist users/IPs.
> >
> > What do you think?
> >
> > Cheers.
>
> And there're thousands of free proxy lists with millions of available
> candidate IPs, I don't really think this could stop the spammers.
>
> So IMHO I'd +1 for captchas (though hate it a lot).
>
> And maybe some more captchas than just in registering: (just examples)
>
> * 5th or more out-of-date flags in a day
> * 5th or more comments (in different packages) in a day
> * 5th or more same comment sentence
>
> This should not bother existing users too much.
>
> But nothing could really stop him if he still hates us so much and registers
> & posts manually, just as suggested before.
>
> Felix Yan
> Twitter: @felixonmars
> Wiki: http://felixc.at
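
The limits proposed in this thread (10 out-of-date flags within an hour, a CAPTCHA from the 5th flag or comment in a day) together with the IP-to-username history, as an added example that is not AUR code and not written by any poster. Counting per IP as well as per account, treating flags and comments with one daily counter each, and all names and sample events are assumptions made for the illustration.

```python
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400
FLAGS_PER_HOUR = 10   # from the thread: 10 "out of date" flags within an hour
CAPTCHA_AFTER = 5     # from the thread: CAPTCHA from the 5th flag/comment in a day

class ActionLimiter:
    """Sliding-window limiter keyed on account AND source IP (assumption)."""

    def __init__(self):
        self.events = defaultdict(deque)     # (key, action) -> timestamps
        self.users_by_ip = defaultdict(set)  # ip -> usernames seen from it

    def _count(self, key, action, now, window):
        q = self.events[(key, action)]
        while q and q[0] <= now - DAY:       # drop entries older than a day
            q.popleft()
        return sum(1 for t in q if t > now - window)

    def check(self, user, ip, action, now):
        """Record the attempt and return 'allow', 'captcha' or 'deny'.

        Denied attempts are recorded too, so hammering keeps the key blocked.
        """
        self.users_by_ip[ip].add(user)
        verdict = "allow"
        for key in (("user", user), ("ip", ip)):
            self.events[(key, action)].append(now)
            hourly = self._count(key, action, now, HOUR)
            daily = self._count(key, action, now, DAY)
            if action == "flag" and hourly > FLAGS_PER_HOUR:
                verdict = "deny"
            elif daily >= CAPTCHA_AFTER and verdict == "allow":
                verdict = "captcha"
        return verdict

def replay(events):
    """Run (user, ip, action, timestamp) tuples through a fresh limiter."""
    lim = ActionLimiter()
    return lim, [lim.check(*e) for e in events]

# Constructed sample: a new account per flag, all from one documentation-range IP,
# and one regular user flagging three packages over half an hour.
SPAM = [(f"spam{i}", "203.0.113.7", "flag", 60 * i) for i in range(1, 13)]
REGULAR = [("alice", "198.51.100.4", "flag", 600 * i) for i in range(1, 4)]

if __name__ == "__main__":
    lim, verdicts = replay(SPAM + REGULAR)
    print(verdicts)
    print({ip: sorted(users) for ip, users in lim.users_by_ip.items()})
```

Each throwaway account stays under every per-account limit; only the per-IP counter and the `users_by_ip` history expose the pattern, and neither survives a change of proxy.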

