Ticket #2045 (closed task: fixed)

Opened 9 years ago

Last modified 8 years ago

Enable CAPTCHA and email confirmation for creating new TRAC users

Reported by: birdie Owned by:
Priority: blocker Milestone:
Component: adm Version:
Keywords: Cc:
Blocked By: Blocking:
Branch state: Votes for changeset:

Description

There has been an insane amount of SPAM coming from the midnight-commander.org tracker for the last few days.

Change History

comment:1 Changed 9 years ago by andrew_b

  • Type changed from defect to task
  • Version version not selected deleted
  • Component changed from mc-core to adm
  • Milestone 4.7 deleted

comment:3 Changed 9 years ago by slavazanko

  • Status changed from new to closed
  • Resolution set to wontfix

I think this is not needed at the present time. This will significantly complicate life for the good of users. If spam continues to appear more times, we will return to this ticket :)

P.S. The TracRecaptcha plugin is already present (it was added a long time ago), but is now inactive...

P.P.S. If someone thinks that Captcha is strongly needed, just vote for this ticket by pressing the 'up arrow' image (under the main menu in the ticket header).

comment:4 follow-up: ↓ 5 Changed 9 years ago by ossi

are you kidding? do you *like* removing spam from 1500 tickets, your mailbox and the list archive? or do you find it funny that everyone has to lose time on cleaning up their mailboxes and wading through useless crap when browsing archives? exhibit some responsibility, dude.

comment:5 in reply to: ↑ 4 Changed 9 years ago by angel_il

Replying to ossi:

are you kidding? do you *like* removing spam from 1500 tickets, your mailbox and the list archive?

ok, why don't you vote for TracRecaptcha just now?

comment:6 follow-up: ↓ 7 Changed 9 years ago by slavazanko

Ossi, the last session of spam was from a real man. He registered on our trac and then ran a spam-bot with the already registered auth data. How will Captcha help in this case? Maybe Captcha is needed for adding all comments?... Is this good for other users?

comment:7 in reply to: ↑ 6 ; follow-ups: ↓ 8 ↓ 10 Changed 9 years ago by ossi

Replying to angel_il:

ok, why don't you vote for TracRecaptcha just now?

and who says i didn't? ;)

Replying to slavazanko:

Ossi, the last session of spam was from a real man. He registered on our trac and then ran a spam-bot with the already registered auth data.

how do you know that? do you think there are no auto-registering bots yet?

How will Captcha help in this case?

it wouldn't.

Maybe Captcha is needed for adding all comments?... Is this good for other users?

no, that's too annoying.

one would have to correlate the submissions of a user within a given time frame and require a captcha (or even ban the user) if a spammy pattern is detected. maybe there is already some plugin for that?
note that there are also direct spam-filtering plugins. a regular spamassassin with a proper bayes filter configuration would probably work.

comment:8 in reply to: ↑ 7 ; follow-up: ↓ 9 Changed 9 years ago by birdie

Please, correct this ticket title:

s/CAPTHA/CAPTCHA/

Thanks.

Replying to ossi:

one would have to correlate the submissions of a user within a given time frame and require a captcha (or even ban the user) if a spammy pattern is detected. maybe there is already some plugin for that?
note that there are also direct spam-filtering plugins. a regular spamassassin with a proper bayes filter configuration would probably work.

I second a time frame based limiter. If a given user adds more than one comment to different bug reports more than once per every three minutes, then make him answer a CAPTCHA question.

comment:9 in reply to: ↑ 8 Changed 9 years ago by andrew_b

  • Summary changed from Enable CAPTHA and email confirmation for creating new TRAC users to Enable CAPTCHA and email confirmation for creating new TRAC users

Replying to birdie:

Please, correct this ticket title:

s/CAPTHA/CAPTCHA/

Thanks.

Done. Thanks!

comment:10 in reply to: ↑ 7 Changed 9 years ago by angel_il

Replying to ossi:

Replying to angel_il:

ok, why don't you vote for TracRecaptcha just now?

and who says i didn't? ;)

i see that "Votes for changeset:" is empty :)

You have the right to vote as an MC developer, but you do not do this, why?

comment:11 Changed 9 years ago by ossi

oh, *these* votes ... this makes no sense. you are using this field to collect reviews for concrete implementations, i.e., patches. i have no patch to look at, and this bug isn't even open, so this process doesn't seem to apply. so i used trac's feature to vote up the actual report itself (you *do* see the little up/down arrows right below the trac "menu bar", right?).

comment:12 Changed 9 years ago by angel_il

little up/down arrows right below the trac

this rating (karma) of a ticket shows the relevance of this ticket.

"Votes for changeset:" votes for solution, idea or votes for a branch

comment:13 Changed 9 years ago by angel_il

as for me, i don't know how Captcha will help in the "human+bot" case, or Captcha is needed for adding comments, but it is really annoying...

comment:14 Changed 9 years ago by slavazanko

  • Status changed from closed to reopened
  • Resolution wontfix deleted

birdie:

I second a time frame based limiter. If a given user adds more than one comment to different bug reports more than once per every three minutes, then make him answer a CAPTCHA question.

Well... this is a great idea. The ticket is now reopened.

angel_il:

"Votes for changeset:" votes for solution, idea or votes for a branch

Just for developers or for ticket starters (if the ticket starter confirms a good bugfix).

For all others, there are up/down arrows below the menu bar of the ticket. This is the karma of the ticket :)

as for me, i don't know how Captcha will help in the "human+bot" case, or Captcha is needed for adding comments, but it is really annoying...

For example, one message per minute from one user... otherwise the user will see a captcha.

comment:15 Changed 9 years ago by ossi

i'm not sure about the concrete time frame. has someone looked at the submission times of the last bot attack?
i don't remember - were all the spams identical or did they only follow a common pattern? blocking users which submit an identical message within a few hours would be simple. recognizing more abstract patterns would be way harder.
btw, a common algorithm employed in network rate limiting is giving each user an initial karma which is decremented with every message and is "recharged" over time. that way one can send a few messages in close succession, but cannot constantly flood the system.
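
The karma scheme described in comment:15 (a token bucket), combined with the identical-message check from the same comment, as an added example that is not part of the ticket or of any Trac plugin. The class name, the thresholds and the sample events are assumptions; the thread never settles on concrete numbers.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed tuning values (not taken from the ticket).
BURST = 3.0                 # initial karma: comments allowed in close succession
RECHARGE_PER_SEC = 1 / 180  # one karma point regained every three minutes
DUP_WINDOW = 3 * 3600       # "within a few hours" for identical messages

@dataclass
class UserState:
    karma: float = BURST
    last_seen: float = 0.0
    recent: dict = field(default_factory=dict)  # body digest -> last time seen

class CommentLimiter:
    """Per-user karma bucket plus identical-message check (hypothetical helper)."""
    def __init__(self):
        self.users = {}

    def check(self, user, body, now):
        """Return 'allow', 'captcha' or 'block' for one comment submission."""
        st = self.users.setdefault(user, UserState(last_seen=now))
        # Recharge karma for the time elapsed since the previous submission.
        st.karma = min(BURST, st.karma + (now - st.last_seen) * RECHARGE_PER_SEC)
        st.last_seen = now
        # Forget digests that have aged out of the duplicate window.
        st.recent = {d: t for d, t in st.recent.items() if now - t <= DUP_WINDOW}
        # Normalise case and whitespace so trivial variations still match.
        digest = hashlib.sha256(" ".join(body.split()).lower().encode()).hexdigest()
        duplicate = digest in st.recent
        st.recent[digest] = now
        if duplicate:
            return "block"      # same text again from the same account
        if st.karma < 1.0:
            return "captcha"    # out of karma: challenge instead of accepting
        st.karma -= 1.0
        return "allow"

# Constructed sample: (seconds, user, comment body).
SAMPLE = [(0, "u", "first"), (10, "u", "second"), (20, "u", "third"),
          (30, "u", "fourth"), (210, "u", "fifth"),
          (220, "u", "  FIRST "), (220, "v", "first")]

def replay(events):
    """Run a list of events through a fresh limiter and collect the decisions."""
    lim = CommentLimiter()
    return [lim.check(user, body, t) for t, user, body in events]
```

Passing the timestamp in explicitly keeps the decision logic deterministic, so old submission times from a past bot run can be replayed against candidate thresholds before enabling anything.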

comment:16 Changed 8 years ago by slavazanko

  • Status changed from reopened to closed
  • Resolution set to fixed

Entering the Captcha is now needed when a user registers.
