On Fri, 2013-03-15 at 11:17 +0100, oliver wrote:
> On Fri, Mar 15, 2013 at 11:04:38AM +0100, Timothy Redaelli wrote:
> > On Wednesday, March 13, 2013 11:33:18 AM Lukas Fleischer wrote:
> > > Status quo:
> > >
> > > 06:54 < gtmanfred> ok, it really is time for something else
> > > 06:54 < gtmanfred> the spammer is now creating a new account for
> > > every comment and flag out of date
> > >
> > > The account suspension feature does not help here.
> > >
> > > Options:
> > >
> > > * Allow package maintainers to block the "Flag package out-of-date"
> > > feature for a certain amount of time. Note that this might eventually
> > > cripple the "out-of-date" function. Also, this does not work for
> > > comments.
> > >
> > > * Use CAPTCHAs during account registration. We could either use MAPTCHAs
> > > ("What is 1 + 1?") or something like reCAPTCHA [1].
> > >
> > > * Moderate new accounts. Might be a lot of work. We need some TUs that
> > > review and unlock accounts. Also, it might be hard to distinguish a
> > > spam bot from a regular user. If we require a short application text,
> > > this might result in fewer users joining the AUR.
> > >
> > > * Block IP addresses. Bye-bye, Tor users!
> > >
> > > Comments and suggestions welcome! We need to find a proper solution as
> > > soon as possible!
> > >
> > > [1] http://www.google.com/recaptcha
> >
> > Hi,
> > I suggest to use http://www.flameeyes.eu/projects/modsec instead (and in
> > wiki too, so we can remove the horrible captcha).
> > It's an Apache mod_security blacklist that reduces the spam (using DNSBL and
> > User-Agent validation).
>
>
> But blacklisting is bad too.
> We already had discussed this issue: if the spammer is coming from
> a provider who gives IPs dynamically to their users, then one spammer
> will be blocked and changes the IP... the next user of the blocked IP
> then will not have access to AUR.
>
> Ciao,
> Oliver

That depends on how the blacklisting is done. You can have an IP blacklist for new account creations only. Or just implement a filtering: if someone tries to create an account with a blacklisted IP, warn him that his registration will need to be moderated before he can do anything (and explain why we do this). Same if user is behind a proxy. It's true that this won't work with dynamic IPs though, and I don't believe filtering an entire ISP range is reasonable.

Also requiring a non-disposable mail address should be the default, it's more time consuming to create a fake non-disposable address, and there are only 3 reasons to use a disposable address imho:
- you're up to no good,
- you're a privacy freak,
- you're registering to post one comment and never access your account again.

Although the second point is arguable, we hardly need these kind of users in the AUR.

-- 
Maxime
