[aur-general] Fighting spam on the AUR

oliver oliver at first.in-berlin.de
Wed Mar 13 10:20:30 EDT 2013 

On Wed, Mar 13, 2013 at 12:23:53PM +0100, Lukas Fleischer wrote:
> On Wed, Mar 13, 2013 at 06:59:59PM +0800, Felix Yan wrote:
> > On Wednesday, March 13, 2013 11:48:50 Maxime Gauduin wrote:
> > > On Wed, 2013-03-13 at 11:33 +0100, Lukas Fleischer wrote:
> > > > Status quo:
> > > > 
> > [...]
> > > > 
> > > > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> > > >   ("What is 1 + 1?") or something like reCAPTCHA [1].
> > > > 
> > > > * Moderate new accounts. Might be a lot of work. We need some TUs that
> > > >   review and unlock accounts. Also, it might be hard to distinguish a
> > > >   spam bot from a regular user. If we require a short application text,
> > > >   this might result in less users joining the AUR.
> > > > 
> > > > * Block IP addresses. Bye-bye, Tor users!
> > > > 
> > > > Comments and suggestions welcome! We need to find a proper solution as
> > > > soon as possible!
> > > > 
> > [...]
> > > 
> > > All new or existing accounts using TOR are automatically blacklisted,
> > > and have to send a request to aur-general so they can be granted a
> > > special status which bypasses the IP verification.
> > > 
> > > Give TUs more super powers so they can blacklist or whitelist users/IPs.
> > > 
> > > What do you think?
> > > 
> > > Cheers.
> > 
> > And there're thousands of free proxy lists with millions of available candidate IPs, I don't really think this could stop the spammers.
> 
> We could IP ban every spammer as soon as he is noticed. I assume that we
> will not be attacked by dozens of spammers or a botnet.
[...]

Blocking dynamic IPs and users will be blocked, who are not spammers.
So, IP blocking should be time limited.

And captchas are really annoying. Maybe they should be activated only for
too extreme activity.


> 
> > 
> > So IMHO I'd +1 for captchas (though hate it a lot).
> > 
> > And maybe some more captchas than just in registering: (just examples)
> > 
> > * 5th or more out-of-date flags in a day
> > * 5th or more comments (in different packages) in a day
> > * 5th or more same comment sentence
[...]

Captchas should be used beginning with > 5 or 10 packages an hour maybe.

When google started annoying me with Captchas (possibly because I had more
than one system using the same IP... two Linux systems and one iPAD)
I switched away partially to different search engines.
Which other service should I switch to, when AUR annoys me with captchas?


> 
> I do not think this is needed. We can suspend every spam account. If we
> find a way to stop automated account creation, I do not think there will
> be lots of spammers any time soon.

Maybe captcha could make sense in account creation.
But please, not for every possible task...

Maybe displaying a captcha for every keystroke ...

Ciao,
   Oliver

More information about the aur-general mailing list