Worrisome trac spam

Hi all,

Today I ran into this particular spammed ticket:

http://dev.rubyonrails.org/ticket/5114

Notice the spammer completely obliterated the ticket attributes.

It's possible that a lot of tickets will, in effect, disappear and never be resolved as a result of such exploits.

Is there anything that can be done regarding trac spam in general? Anything in the pipeline?

Trac has a spam filter (see the BadContent wiki page) and admins can delete spam comments and tickets. We’re looking at requiring logins.

jeremy

Another example (I’ve corrected today) - the “eminem” spam:
http://dev.rubyonrails.org/ticket/4661

Can’t you add a form field hidden with CSS, labeled “do not fill this out”, that Trac checks for and discards the post if it has value? Spambots almost always fill out every field they can find, and this sort of spam confirms it. Most of the users will not even see the field, while non-sighted users will be warned against it by its label.

Also, no human will ever post a comment with tens of links inside with the same text (or href). I don’t see why this spam pattern is not checked for and blocked.

Trac has a spam filter (see the BadContent wiki page) and admins can delete spam comments and tickets.

Is there a place to report spam?

I suppose trac offers no way to revert a ticket? would be really helpful for cases where data is modified, not just added.

We're looking at requiring logins.

I support that. Any reasons not to do it?

Can't you add a form field hidden with CSS, labeled "do not fill this out",
that Trac checks for and discards the post if it has value? Spambots almost
always fill out every field they can find, and this sort of spam confirms
it. Most of the users will not even see the field, while non-sighted users
will be warned against it by its label.

Also, no human will ever post a comment with tens of links inside with the
same text (or href). I don't see why this spam pattern is not checked for
and blocked.

We used to do exactly that. But the thing is, patches *do* contain
heaps of links, especially when they include an html document:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head profile="http://www.w3.org/2000/08/w3c-synd/#"><meta
http-equiv="Content-Type" content="text/html; charset=utf-8" />

We do have filters in place which blocks a bunch of spam. The reality
is, everything you do to block spam increases the number of false
positives. We're going to have to require logins, there's no way
around it.

Great! Logins are no problem and it should be spam free.

Peter

Peter Michaux wrote:

We do have filters in place which blocks a bunch of spam. The reality
is, everything you do to block spam increases the number of false
positives. We're going to have to require logins, there's no way
around it.

How will the login system work - just let anyone sign up via trac? I
don't suppose there is anyway to set up an account for everyone who
subscribes to rails-core, for instance?

- rob

+1 here too. I have no problem signing up for a trac account if it
prevents spam.

Cheers
Luke

+1 to stop talking about it and flip the switch

Bob Silva
http://i.nfectio.us/

+1

I don't see any downside in requiring logins. Well, perhaps someone who just wanted to enter their first bug might consider that too much work, but in that case the quality of the bug report would likely be low anyway so we wouldn't be missing much. I like the idea of getting rid of anonymous tickets, comments and patches, and it's easier for me too if I don't have to type my email address several times when uploading a patch.

Can we require logins for making changes to the wiki too?

I don't see any downside in requiring logins. Well, perhaps someone
who just wanted to enter their first bug might consider that too much
work, but in that case the quality of the bug report would likely be
low anyway so we wouldn't be missing much. I like the idea of
getting rid of anonymous tickets, comments and patches, and it's
easier for me too if I don't have to type my email address several
times when uploading a patch.

I was going to say something along these lines.

Also sucks when a ticket is closed by anonymous with no comment. You never know if it's a core member in a hurry or someone clueless messing around.

Can we require logins for making changes to the wiki too?

The wiki is more problematic, I think. Lots more people deal with the wiki, many only very rarely, and some just want to fix a typo or add a bit of information.

If there's no other way, I'd say go for it. But how about something like captchas? (I'm not a big fan, would prefer a login, in fact. Just throwing ideas)

Another idea for the wiki: allow a small number of anonymous updates (identified by ip), say 3, and on the forth, require a login. So casual users can fix their typos but spam activity is reduced.

If login is going to make my name/email remembered and provide me with links to my tickets or tickets I watch or have commented on, then I look forward to login system too - not just because of not seeing spam anymore, but as a usability improvement.

Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.

jeremy

Wow. A bit obscure, isn’t it? Thanks for pointing that out, Jeremy… never saw the link.

Wow. A bit obscure, isn’t it? Thanks for pointing that out, Jeremy… never saw the link.

Quite obscure. You can now register a user:
http://dev.rubyonrails.org/register

jeremy

Is there some one who is responsible for deleting old spam comments
from dev.rubyonrails.org? I've come across a couple while going
through the open tickets and I'd love to be able to just get rid of
the spam, or notify a maintainer who can get rid of it, rather than
ignore it.

V/r
Anthony Eden

anyone with svn commit rights can access the trac admin pages and
delete the spam. If you want to maintain a list somewhere, I'm happy
to log in and remove it (still pretty laborious).

Of course, hopefully that list won't get spammed :slight_smile:

Stupid question: Why doesn't some go ahead and make it so that you
have to register an account with a captcha in order to post to the
Rails trac? Is it that difficult?

Stupid question: Why doesn't some go ahead and make it so that you
have to register an account with a captcha in order to post to the
Rails trac? Is it that difficult?

Spammers are already manually registering accounts and then spamming
all the tickets they can find. I don't believe it'll make a blind
bit of difference sadly.