[aur-general] Fighting spam on the AUR

oliver oliver at first.in-berlin.de
Fri Mar 15 06:17:56 EDT 2013


On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
> On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
> > Status quo:
> > 
> >     06:54 < gtmanfred> ok, it really is time for something else
> >     06:54 < gtmanfred> the spammer is now creating a new account for
> >     every comment and flag out of date
> > 
> > The account suspension feature does not help here.
> > 
> > Options:
> > 
> > * Allow package maintainers to block the "Flag package out-of-date"
> >   feature for a certain amount of time. Note that this might eventually
> >   cripple the "out-of-date" function. Also, this does not work for
> >   comments.
> > 
> > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> >   ("What is 1 + 1?") or something like reCAPTCHA [1].
> > 
> > * Moderate new accounts. Might be a lot of work. We need some TUs that
> >   review and unlock accounts. Also, it might be hard to distinguish a
> >   spam bot from a regular user. If we require a short application text,
> >   this might result in fewer users joining the AUR.
> > 
> > * Block IP addresses. Bye-bye, Tor users!
> > 
> > Comments and suggestions welcome! We need to find a proper solution as
> > soon as possible!
> > 
> > [1] http://www.google.com/recaptcha
> 
> Hi,
> I suggest using http://www.flameeyes.eu/projects/modsec instead (and in the
> wiki too, so we can remove the horrible captcha).
> It's an Apache mod_security blacklist that reduces the spam (using DNSBL and
> User-Agent validation).


But blacklisting is bad too.
We had already discussed this issue: if the spammer is coming from
a provider that gives IPs dynamically to its users, then one spammer
will be blocked and change the IP... the next user of the blocked IP
will then not have access to the AUR.

Ciao,
   Oliver

