Can’t you add a form field hidden with CSS, labeled “do not fill this out”, that Trac checks for and discards the post if it has value? Spambots almost always fill out every field they can find, and this sort of spam confirms it. Most of the users will not even see the field, while non-sighted users will be warned against it by its label.
Also, no human will ever post a comment with tens of links inside with the same text (or href). I don’t see why this spam pattern is not checked for and blocked.
Can't you add a form field hidden with CSS, labeled "do not fill this out",
that Trac checks for and discards the post if it has value? Spambots almost
always fill out every field they can find, and this sort of spam confirms
it. Most of the users will not even see the field, while non-sighted users
will be warned against it by its label.
Also, no human will ever post a comment with tens of links inside with the
same text (or href). I don't see why this spam pattern is not checked for
and blocked.
We used to do exactly that. But the thing is, patches *do* contain
heaps of links, especially when they include an html document:
We do have filters in place which blocks a bunch of spam. The reality
is, everything you do to block spam increases the number of false
positives. We're going to have to require logins, there's no way
around it.
We do have filters in place which blocks a bunch of spam. The reality
is, everything you do to block spam increases the number of false
positives. We're going to have to require logins, there's no way
around it.
How will the login system work - just let anyone sign up via trac? I
don't suppose there is anyway to set up an account for everyone who
subscribes to rails-core, for instance?
I don't see any downside in requiring logins. Well, perhaps someone who just wanted to enter their first bug might consider that too much work, but in that case the quality of the bug report would likely be low anyway so we wouldn't be missing much. I like the idea of getting rid of anonymous tickets, comments and patches, and it's easier for me too if I don't have to type my email address several times when uploading a patch.
Can we require logins for making changes to the wiki too?
I don't see any downside in requiring logins. Well, perhaps someone
who just wanted to enter their first bug might consider that too much
work, but in that case the quality of the bug report would likely be
low anyway so we wouldn't be missing much. I like the idea of
getting rid of anonymous tickets, comments and patches, and it's
easier for me too if I don't have to type my email address several
times when uploading a patch.
I was going to say something along these lines.
Also sucks when a ticket is closed by anonymous with no comment. You never know if it's a core member in a hurry or someone clueless messing around.
Can we require logins for making changes to the wiki too?
The wiki is more problematic, I think. Lots more people deal with the wiki, many only very rarely, and some just want to fix a typo or add a bit of information.
If there's no other way, I'd say go for it. But how about something like captchas? (I'm not a big fan, would prefer a login, in fact. Just throwing ideas)
Another idea for the wiki: allow a small number of anonymous updates (identified by ip), say 3, and on the forth, require a login. So casual users can fix their typos but spam activity is reduced.
If login is going to make my name/email remembered and provide me with links to my tickets or tickets I watch or have commented on, then I look forward to login system too - not just because of not seeing spam anymore, but as a usability improvement.
Is there some one who is responsible for deleting old spam comments
from dev.rubyonrails.org? I've come across a couple while going
through the open tickets and I'd love to be able to just get rid of
the spam, or notify a maintainer who can get rid of it, rather than
ignore it.
anyone with svn commit rights can access the trac admin pages and
delete the spam. If you want to maintain a list somewhere, I'm happy
to log in and remove it (still pretty laborious).
Stupid question: Why doesn't some go ahead and make it so that you
have to register an account with a captcha in order to post to the
Rails trac? Is it that difficult?
Stupid question: Why doesn't some go ahead and make it so that you
have to register an account with a captcha in order to post to the
Rails trac? Is it that difficult?
Spammers are already manually registering accounts and then spamming
all the tickets they can find. I don't believe it'll make a blind
bit of difference sadly.