Worrisome trac spam

Hi all,

Today I ran into this particular spammed ticket:

http://dev.rubyonrails.org/ticket/5114

Notice the spammer completely obliterated the ticket attributes.

It's possible that a lot of tickets will, in effect, disappear and never be resolved as a result of such exploits.

Is there anything that can be done regarding trac spam in general? Anything in the pipeline?

Trac has a spam filter (see the BadContent wiki page) and admins can delete spam comments and tickets. We’re looking at requiring logins.

jeremy

Another example (I’ve corrected today) - the “eminem” spam: http://dev.rubyonrails.org/ticket/4661

Can’t you add a form field hidden with CSS, labeled “do not fill this out”, that Trac checks for and discards the post if it has value? Spambots almost always fill out every field they can find, and this sort of spam confirms it. Most of the users will not even see the field, while non-sighted users will be warned against it by its label.

Also, no human will ever post a comment with tens of links inside with the same text (or href). I don’t see why this spam pattern is not checked for and blocked.

Trac has a spam filter (see the BadContent wiki page) and admins can delete spam comments and tickets.

Is there a place to report spam?

I suppose Trac offers no way to revert a ticket? Would be really helpful for cases where data is modified, not just added.

We're looking at requiring logins.

I support that. Any reasons not to do it?

Can't you add a form field hidden with CSS, labeled "do not fill this out", that Trac checks for and discards the post if it has value? Spambots almost always fill out every field they can find, and this sort of spam confirms it. Most of the users will not even see the field, while non-sighted users will be warned against it by its label.

Also, no human will ever post a comment with tens of links inside with the same text (or href). I don't see why this spam pattern is not checked for and blocked.

We used to do exactly that. But the thing is, patches *do* contain heaps of links, especially when they include an html document:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head profile="An XHTML profile for RDF Site Summaries http-equiv="Content-Type" content="text/html; charset=utf-8" />

We do have filters in place which block a bunch of spam. The reality is, everything you do to block spam increases the number of false positives. We're going to have to require logins, there's no way around it.
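The hidden-field and repeated-link checks proposed in this thread, together with the false positive on patches described in the reply above, as an added example (not Trac's code and not part of any post). The field name, thresholds and sample submissions are constructed for illustration.

```python
import re
from collections import Counter

HONEYPOT = "leave_blank"  # hypothetical hidden-field name, not a Trac option
MAX_LINKS = 10            # assumed thresholds, chosen for illustration
MAX_SAME_HREF = 3
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.IGNORECASE)


def reject_reasons(form):
    """Return the list of rules a submission trips (empty list = accept)."""
    reasons = []
    # Rule 1: the CSS-hidden "do not fill this out" field must stay empty.
    if form.get(HONEYPOT, "").strip():
        reasons.append("honeypot")
    urls = [u.rstrip(".,;)").lower()
            for u in URL_RE.findall(form.get("comment", ""))]
    # Rule 2: raw link count, the rule that misfires on HTML patches.
    if len(urls) > MAX_LINKS:
        reasons.append("many-links")
    # Rule 3: the same href repeated many times in one comment.
    if urls and Counter(urls).most_common(1)[0][1] > MAX_SAME_HREF:
        reasons.append("same-href")
    return reasons


# Constructed sample: a bot fills every field and repeats one link.
SPAM = {
    "leave_blank": "http://spam.example/",
    "comment": " ".join(["[http://spam.example/pills cheap pills]"] * 20),
}
# Constructed sample: a legitimate patch adding an HTML fixture with 12 links.
PATCH = {
    "leave_blank": "",
    "comment": "\n".join(
        '+  <li><a href="http://www.example.org/feed/%d">item %d</a></li>' % (i, i)
        for i in range(12)
    ),
}
# Constructed sample: an ordinary comment with one link.
HUMAN = {"comment": "See http://dev.rubyonrails.org/ticket/5114 for the report."}

if __name__ == "__main__":
    for name, form in (("spam", SPAM), ("patch", PATCH), ("human", HUMAN)):
        print(name, reject_reasons(form))
```

The patch trips only the raw link-count rule, which is the false positive the reply describes; a patch that repeats one URL, such as a namespace, would trip the same-href rule as well.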

Great! Logins are no problem and it should be spam free.

Peter

Peter Michaux wrote:

We do have filters in place which block a bunch of spam. The reality is, everything you do to block spam increases the number of false positives. We're going to have to require logins, there's no way around it.

How will the login system work - just let anyone sign up via trac? I don't suppose there is any way to set up an account for everyone who subscribes to rails-core, for instance?

- rob

+1 here too. I have no problem signing up for a trac account if it prevents spam.

Cheers Luke

+1 to stop talking about it and flip the switch

Bob Silva http://i.nfectio.us/

+1

I don't see any downside in requiring logins. Well, perhaps someone who just wanted to enter their first bug might consider that too much work, but in that case the quality of the bug report would likely be low anyway so we wouldn't be missing much. I like the idea of getting rid of anonymous tickets, comments and patches, and it's easier for me too if I don't have to type my email address several times when uploading a patch.

Can we require logins for making changes to the wiki too?

I don't see any downside in requiring logins. Well, perhaps someone who just wanted to enter their first bug might consider that too much work, but in that case the quality of the bug report would likely be low anyway so we wouldn't be missing much. I like the idea of getting rid of anonymous tickets, comments and patches, and it's easier for me too if I don't have to type my email address several times when uploading a patch.

I was going to say something along these lines.

Also sucks when a ticket is closed by anonymous with no comment. You never know if it's a core member in a hurry or someone clueless messing around.

Can we require logins for making changes to the wiki too?

The wiki is more problematic, I think. Lots more people deal with the wiki, many only very rarely, and some just want to fix a typo or add a bit of information.

If there's no other way, I'd say go for it. But how about something like captchas? (I'm not a big fan, would prefer a login, in fact. Just throwing ideas)

Another idea for the wiki: allow a small number of anonymous updates (identified by IP), say 3, and on the fourth, require a login. So casual users can fix their typos but spam activity is reduced.

If login is going to make my name/email remembered and provide me with links to my tickets or tickets I watch or have commented on, then I look forward to login system too - not just because of not seeing spam anymore, but as a usability improvement.

Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.

jeremy

Wow. A bit obscure, isn’t it? Thanks for pointing that out, Jeremy… never saw the link.

Quite obscure. You can now register a user: http://dev.rubyonrails.org/register

jeremy

Is there someone who is responsible for deleting old spam comments from dev.rubyonrails.org? I've come across a couple while going through the open tickets and I'd love to be able to just get rid of the spam, or notify a maintainer who can get rid of it, rather than ignore it.

V/r Anthony Eden

Anyone with svn commit rights can access the trac admin pages and delete the spam. If you want to maintain a list somewhere, I'm happy to log in and remove it (still pretty laborious).

Of course, hopefully that list won't get spammed :)

Stupid question: Why doesn't someone go ahead and make it so that you have to register an account with a captcha in order to post to the Rails trac? Is it that difficult?

Spammers are already manually registering accounts and then spamming all the tickets they can find. I don't believe it'll make a blind bit of difference sadly.