[aur-general] Fighting spam on the AUR

Maxime Gauduin alucryd at gmail.com
Fri Mar 15 07:09:16 EDT 2013


On Fri, 2013-03-15 at 11:17 +0100, oliver wrote:
> On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
> > On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
> > > Status quo:
> > > 
> > >     06:54 < gtmanfred> ok, it really is time for something else
> > >     06:54 < gtmanfred> the spammer is now creating a new account for
> > >     every comment and flag out of date
> > > 
> > > The account suspension feature does not help here.
> > > 
> > > Options:
> > > 
> > > * Allow package maintainers to block the "Flag package out-of-date"
> > >   feature for a certain amount of time. Note that this might eventually
> > >   cripple the "out-of-date" function. Also, this does not work for
> > >   comments.
> > > 
> > > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> > >   ("What is 1 + 1?") or something like reCAPTCHA [1].
> > > 
> > > * Moderate new accounts. Might be a lot of work. We need some TUs that
> > >   review and unlock accounts. Also, it might be hard to distinguish a
> > >   spam bot from a regular user. If we require a short application text,
> > >   this might result in less users joining the AUR.
> > > 
> > > * Block IP addresses. Bye-bye, Tor users!
> > > 
> > > Comments and suggestions welcome! We need to find a proper solution as
> > > soon as possible!
> > > 
> > > [1] http://www.google.com/recaptcha
> > 
> > Hi,
> > I suggest to use http://www.flameeyes.eu/projects/modsec instead (and in the wiki
> > too, so we can remove the horrible captcha).
> > It's an Apache mod_security blacklist that reduces the spam (using DNSBL and
> > User-Agent validation).
> 
> 
> But blacklisting is bad too.
> We had already discussed this issue: if the spammer is coming from
> a provider who gives IPs dynamically to their users, then one spammer
> will be blocked and changes the IP... the next user of the blocked IP
> then will not have access to the AUR.
> 
> Ciao,
>    Oliver

That depends on how the blacklisting is done. You can have an IP
blacklist for new account creations only. Or just implement filtering:
if someone tries to create an account from a blacklisted IP, warn him
that his registration will need to be moderated before he can do
anything (and explain why we do this). Same if the user is behind a proxy.
It's true that this won't work with dynamic IPs though, and I don't
believe filtering an entire ISP range is reasonable.

Also, requiring a non-disposable mail address should be the default; it's
more time consuming to create a fake non-disposable address, and there
are only 3 reasons to use a disposable address imho:
- you're up to no good,
- you're a privacy freak,
- you're registering to post one comment and never access your account
again.
Although the second point is arguable, we hardly need this kind of
user in the AUR.

-- 
Maxime
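The registration-time filter Maxime sketches (blocklist consulted only at account creation, a hit routing the account to moderation with an explanation rather than refusing it, the same treatment for proxy users, and a disposable-address check) as an added worked example. This is illustrative code, not the AUR's own code (the AUR web front end is PHP) and not anything a poster in this thread wrote. The DNSBL zone, the stub resolver answers, the proxy CIDR range and the disposable-domain list are all constructed here so the example runs offline; a real deployment would query a real DNSBL and maintain real lists. It goes a little beyond the message by also building the nibble-reversed query name that IPv6 DNSBLs use.

```python
"""Registration-time spam filter in the spirit of the message above.

Added example, not AUR code. Blocklists are applied only at account
creation and a hit means "moderate", never "reject", so a dynamic IP
inherited from a spammer costs the next user a review delay, not access.
Signals checked:
  * DNSBL lookup of the client IP (reversed octets, or reversed hex
    nibbles for IPv6, under the DNSBL zone)
  * a local CIDR list of known proxy / exit ranges
  * a disposable e-mail domain list
Every data source below is constructed for the example (runs offline).
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical DNSBL zone; a real deployment would use a public list's zone.
DNSBL_ZONE = "dnsbl.example.invalid"

# Constructed stub resolver: DNSBL query name -> A record answer.
# Replace with a real lookup (e.g. socket.gethostbyname) in production.
STUB_DNS = {
    "4.113.0.203." + DNSBL_ZONE: "127.0.0.2",
}

# Constructed disposable mail domains (assumption, not a real dataset).
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}

# Constructed proxy / exit ranges; a hit means moderate, not block.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        # IPv6 DNSBLs use one label per hex nibble, least significant first.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dnsbl_listed(ip, resolve=STUB_DNS.get):
    """True only if the DNSBL answers with an address inside 127.0.0.0/8.

    No answer, or an answer outside that range (a misconfigured or
    wildcarding zone), counts as not listed: an odd reply must never
    lock users out.
    """
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def in_proxy_range(ip, ranges=PROXY_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def disposable_email(email, domains=DISPOSABLE_DOMAINS):
    """Domain check only; normalises case and a trailing dot."""
    if "@" not in email:
        return False
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    return domain in domains


@dataclass
class Decision:
    action: str      # "activate" or "moderate"
    reasons: list


def evaluate_registration(ip, email, resolve=STUB_DNS.get):
    """Decide whether a new account is activated or held for review."""
    reasons = []
    if dnsbl_listed(ip, resolve):
        reasons.append("client IP is listed in the DNSBL")
    if in_proxy_range(ip):
        reasons.append("client IP is in a known proxy range")
    if disposable_email(email):
        reasons.append("disposable e-mail domain")
    return Decision("moderate" if reasons else "activate", reasons)


def registration_notice(decision):
    """Text shown to the user; explains why moderation applies."""
    if decision.action == "activate":
        return "Your account is active."
    return ("Your registration will be reviewed before you can comment or "
            "flag packages, because: " + "; ".join(decision.reasons)
            + ". This is an anti-spam measure, not a judgement about you.")


if __name__ == "__main__":
    for ip, mail in [("203.0.113.9", "user@example.org"),
                     ("203.0.113.4", "bot@mailinator.example"),
                     ("198.51.100.7", "alice@example.net")]:
        print(ip, mail, "->", registration_notice(evaluate_registration(ip, mail)))
```

The point of `dnsbl_listed` accepting only `127.0.0.0/8` answers is the failure mode Oliver raises in a different form: a DNSBL that starts wildcarding (some do when they shut down) would otherwise put every new registrant into moderation. Keeping the decision to "moderate" rather than "reject" is what makes the dynamic-IP objection survivable.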