FS#51319 - {AUR} Make reporting abuse and spam easier

Attached to Project: AUR web interface
Opened by Moabit (Moabit) - Monday, 10 October 2016, 23:18 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 10 October 2016, 23:23 GMT
Task Type Feature Request
Category Web Sites
Status Unconfirmed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 19
Private No


Currently there is no easy way to report abuse and spam in AUR comments, nor abusive accounts. It would be great if there were an easy way to do both of these, similarly to the simple way one can flag packages.

As background, this package was recently spammed [1]. I searched for a way to flag the posts for deletion, and/or suggest banning the user, but there was no easy link I could click. This forum thread [2] mentions spam in another package's comments [3], where it's even worse. The poster was advised to join a mailing list, and request deletion of these comments there. However, this was never completed, presumably because it was too fiddly. Similarly, I'm disinclined to join a mailing list just to report a few spam messages on my package. (I'd bother if it were worse.)

The second package has spam going back to 1.5 years ago. Any way in which the AUR could make fighting spam easier would be welcome IMO.

[1] https://aur.archlinux.org/packages/unicode/
[2] https://bbs.archlinux.org/viewtopic.php?id=215759
[3] https://aur.archlinux.org/packages/backbonejs/?comments=all

Comment by Eli Schwartz (eschwartz) - Tuesday, 11 October 2016, 00:28 GMT
Perhaps there could also be a restriction on the rate of new comments added? Spammers often post multiple pieces of spam within the span of a minute or two -- they did here -- and this should never happen for non-spammers.
Comment by x33a (x33a) - Tuesday, 11 October 2016, 05:07 GMT
The spam comments seem to be automated. Also, I noticed that many of them seem to advertise packers and movers services. Since AUR is related to *packages*, I think that's why it is being targeted.

Perhaps, for starters, we can implement a captcha system for posting comments? That would take care of all the automated ones.
Comment by Moabit (Moabit) - Tuesday, 11 October 2016, 05:58 GMT
@eschwartz Since these are probably bots, I'm not sure if that would work too well. What kind of limit would be reasonable for humans to deal with? Even something like 3 minutes might be annoying for humans, but a bot could post every 5 minutes and still produce a ton of spam over 24 hours. (I'm not sure that this is the case for these bots, but it's possible in theory at least.)

@x33a Ah yes, interesting find. I wonder if that means that the original identification of the site and registration are also automated? Registration might be another prevention point, but I guess would not stop the manually-registered but automatically-commented bots. Captchas for comments would stop almost all, but it's also the most intrusive for humans. I wonder if we could have some kind of tiered system, but I'm not sure what that could be based on.
Comment by Eli Schwartz (eschwartz) - Tuesday, 11 October 2016, 14:35 GMT
In theory they can do that, yes. In practice, they usually don't -- or at least, usually try to post multiple times per minute. Most spam bots aren't that clever -- their operators are targeting many sites and looking for the low-hanging fruit.

It's not an uncommon tactic for stalling spammers. But of course it is no harder to check for users that have posted 100 comments over the last few hours. ;)

I seriously doubt any real user needs to post multiple comments within *5* minutes, certainly on the same package -- in fact, they should be encouraged to edit their comment instead!
Comment by Moabit (Moabit) - Wednesday, 12 October 2016, 00:49 GMT
@eschwartz Rethinking it, I guess it depends on how the prevention operates. If it just blocks posts within 5 minutes of the previous successful post, then a bot could still spam every 10 seconds. If only one post every 5 minutes is successful, then that would still be annoying. I guess it could block posts within 5 minutes of a comment *attempt*, although that would also be annoying for real users.

If the prevention only operates on comments for a single package, then a bot could spam (e.g.) all packages at once. However, if the prevention operated on comments for *all* packages, this would be very annoying for users. I certainly have posted within 5 minutes on multiple packages, for example if the comment applies to foo and foo-git, or variants of this. I also probably have posted within 5 minutes on a single package, when there have been quick replies between me and another user.
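The trade-offs raised in the rate-limiting comments above can be replayed in a small simulation. This is an added example, not aurweb code or any participant's proposal; the class, the function names and the traffic are hypothetical and constructed, and the 5-minute window is the figure used in the discussion.

```python
WINDOW = 300  # seconds: the 5-minute interval discussed in the thread


class CommentRateLimiter:
    """Cooldown limiter (hypothetical, not aurweb code).

    scope:    "package" = one cooldown per (user, package); "global" = per user
    reset_on: "success" = cooldown runs from the last accepted post;
              "attempt" = a rejected attempt also restarts the cooldown
    """

    def __init__(self, scope, reset_on, window=WINDOW):
        if scope not in ("package", "global") or reset_on not in ("success", "attempt"):
            raise ValueError("unknown scope or reset_on")
        self.scope, self.reset_on, self.window = scope, reset_on, window
        self._last = {}  # key -> timestamp the cooldown is measured from

    def allow(self, user, package, now):
        key = (user, package) if self.scope == "package" else (user,)
        last = self._last.get(key)
        ok = last is None or now - last >= self.window
        if ok or self.reset_on == "attempt":
            self._last[key] = now
        return ok


def accepted(scope, reset_on, events):
    """Replay (timestamp, user, package) attempts; count the accepted ones."""
    limiter = CommentRateLimiter(scope, reset_on)
    return sum(limiter.allow(user, pkg, ts) for ts, user, pkg in events)


# Constructed traffic, one hour each (not real AUR data).
BOT_ONE_PKG = [(t, "bot", "foo") for t in range(0, 3600, 10)]
BOT_MANY_PKGS = [(t, "bot", f"pkg{t}") for t in range(0, 3600, 10)]
# A person commenting on foo, then foo-git, then replying on foo.
HUMAN = [(0, "alice", "foo"), (60, "alice", "foo-git"), (240, "alice", "foo")]


def compare():
    """Accepted-comment counts for each policy and traffic pattern."""
    traffic = {"bot_one_pkg": BOT_ONE_PKG, "bot_many_pkgs": BOT_MANY_PKGS, "human": HUMAN}
    return {
        (scope, reset_on): {name: accepted(scope, reset_on, ev) for name, ev in traffic.items()}
        for scope in ("package", "global")
        for reset_on in ("success", "attempt")
    }


if __name__ == "__main__":
    for policy, counts in compare().items():
        print(policy, counts)
```

A per-package cooldown lets the many-package bot through untouched, while a global cooldown cuts the constructed human session from two accepted comments to one, which is the tension described in the comment above.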
Comment by Moabit (Moabit) - Sunday, 16 October 2016, 04:50 GMT
And… I just had two more spam messages on this same package [1]. I wonder if they target specific packages as a group, somehow.

[1] https://aur.archlinux.org/packages/unicode/
Comment by Moabit (Moabit) - Tuesday, 29 November 2016, 11:36 GMT
Three more spam messages were just posted on the same package [1], for eight total.

[1] https://aur.archlinux.org/packages/unicode/
Comment by Jakub Klinkovský (lahwaacz) - Friday, 07 April 2017, 07:56 GMT
More spam here: https://aur.archlinux.org/packages/pacserve/ (2017-04-06 11:34)
Comment by Chris Severance (severach) - Wednesday, 18 July 2018, 00:25 GMT

More spam here. Spammers like to post links. Any way to block links for new users?
Comment by Matthias Lisin (matthias.lisin) - Thursday, 09 August 2018, 13:56 GMT
More spam here: https://aur.archlinux.org/packages/android-studio/

Any planned actions? I've seen some more spam recently.
Comment by Benjamin Hodgetts (Enverex) - Monday, 20 August 2018, 12:12 GMT
All posts by this user are spam too - https://aur.archlinux.org/account/DorisAndrade/comments

Any way of actually reporting this yet?
Comment by Teoh Han Hui (teohhanhui) - Friday, 14 December 2018, 16:33 GMT
Comment by Dan Ziemba (zman0900) - Wednesday, 10 April 2019, 06:30 GMT
Comment by edac val (edacval) - Wednesday, 01 May 2019, 13:13 GMT
Comment by Johnny Halfmoon (jhalfmoon) - Sunday, 12 May 2019, 21:12 GMT
Comment by Aaron Fischer (aaronmueller) - Sunday, 16 June 2019, 17:45 GMT
Comment by Aaron Fischer (aaronmueller) - Sunday, 16 June 2019, 18:16 GMT
I've searched through the aurweb codebase and found out that only TUs and Developers can delete all comments.
Package maintainers and co-maintainers can pin comments, but not delete them.
Two suggestions:

1. Add a "mark as spam" option to the list of actions for package maintainers (same permissions as pinning comments)
2. Allow package maintainers to delete comments from their own package. This is the easy one, because it needs just a little adjustment in the "can_delete_comment" function (use the logic from can_pin_comment).

This is a political question. Should package maintainers have the right to delete unwanted comments from their packages? IMHO this is the right way (giving the maintainers the right to delete comments on their own packages).
Comment by Moabit (Moabit) - Sunday, 16 June 2019, 21:51 GMT
Personally, I'd be fairly reticent to push for (2). Occasionally, I'll find a recalcitrant AUR maintainer, or a broken/dangerous package. I don't think that the maintainer should have the power to censor comments unvetted.

Of course, (1) is much more work intensive for the TUs, but more thorough overall. There's a few other proposals above that are also possible.
Comment by UnicornDarkness (Xorg) - Friday, 28 June 2019, 17:08 GMT
Comment by Tom Alexander (craftkiller) - Wednesday, 10 July 2019, 15:35 GMT
Comment by UnicornDarkness (Xorg) - Wednesday, 17 July 2019, 03:48 GMT
Still spamming: https://aur.archlinux.org/account/BenStevens/comments
Please delete all spamming comments.
Comment by Teoh Han Hui (teohhanhui) - Wednesday, 31 July 2019, 12:33 GMT
Comment by Eternal (eternal) - Tuesday, 13 August 2019, 12:05 GMT
Comment by Vorbote (vorbote) - Thursday, 28 May 2020, 00:26 GMT
New spammer. https://aur.archlinux.org/packages/ttf-bookerly/#comment-745340

Note it has been flying under the radar for a loong time now. https://aur.archlinux.org/account/david230
Comment by Bario (barmadrid) - Sunday, 27 September 2020, 18:04 GMT
Comment by Jonas Witschel (diabonas) - Sunday, 27 September 2020, 18:22 GMT
@barmadrid I removed the harassments and suspended the account.
Comment by Thom Wiggers (twiggers) - Wednesday, 20 January 2021, 13:31 GMT
This also looks like spam.


Edit: it's gone now.