AUR web interface

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/

FS#51319 - {AUR} Make reporting abuse and spam easier

Attached to Project: AUR web interface
Opened by Moabit (Moabit) - Monday, 10 October 2016, 23:18 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 10 October 2016, 23:23 GMT
Task Type: Feature Request
Category: Web Sites
Status: Unconfirmed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 9
Private: No

Details

Currently there is no easy way to report abuse and spam in AUR comments, nor abusive accounts. It would be great if there were an easy way to do both of these, similarly to the simple way one can flag packages.

As background, this package was recently spammed [1]. I searched for a way to flag the posts for deletion, and/or suggest banning the user, but there was no easy link I could click. This forum thread [2] mentions spam in another package's comments [3], where it's even worse. The poster was advised to join a mailing list, and request deletion of these comments there. However, this was never completed, presumably because it was too fiddly. Similarly, I'm disinclined to join a mailing list just to report a few spam messages on my package. (I'd bother if it were worse.)

The second package has spam going back to 1.5 years ago. Any way in which the AUR could make fighting spam easier would be welcome IMO.

[1] https://aur.archlinux.org/packages/unicode/
[2] https://bbs.archlinux.org/viewtopic.php?id=215759
[3] https://aur.archlinux.org/packages/backbonejs/?comments=all

Comment by Eli Schwartz (eschwartz) - Tuesday, 11 October 2016, 00:28 GMT
Perhaps there could also be a restriction on the rate of new comments added? Spammers often post multiple pieces of spam within the span of a minute or two -- they did here -- and this should never happen for non-spammers.
Comment by x33a (x33a) - Tuesday, 11 October 2016, 05:07 GMT
The spam comments seem to be automated. Also, I noticed that many of them seem to advertise packers and movers services. Since AUR is related to *packages*, I think that's why it is being targeted.

Perhaps, for starters, we can implement a captcha system for posting comments? That would take care of all the automated ones.
Comment by Moabit (Moabit) - Tuesday, 11 October 2016, 05:58 GMT
@eschwartz Since these are probably bots, I'm not sure if that would work too well. What kind of limit would be reasonable for humans to deal with? Even something like 3 minutes might be annoying for humans, but a bot could post every 5 minutes and still produce a ton of spam over 24 hours. (I'm not sure that this is the case for these bots, but it's possible in theory at least.)

@x33a Ah yes, interesting find. I wonder if that means that the original identification of the site and registration are also automated? Registration might be another prevention point, but I guess would not stop the manually-registered but automatically-commented bots. Captchas for comments would stop almost all, but it's also the most intrusive for humans. I wonder if we could have some kind of tiered system, but I'm not sure what that could be based on.
Comment by Eli Schwartz (eschwartz) - Tuesday, 11 October 2016, 14:35 GMT
In theory they can do that, yes. In practice, they usually don't -- or at least, usually try to post multiple times per minute. Most spam bots aren't that clever -- their operators are targeting many sites and looking for the low-hanging fruit.

It's not an uncommon tactic for stalling spammers. But of course it is no harder to check for users that have posted 100 comments over the last few hours. ;)

I seriously doubt any real user needs to post multiple comments within *5* minutes, certainly on the same package -- in fact, they should be encouraged to edit their comment instead!
Comment by Moabit (Moabit) - Wednesday, 12 October 2016, 00:49 GMT
@eschwartz Rethinking it, I guess it depends on how the prevention operates. If it just blocks posts within 5 minutes of the previous successful post, then a bot could still spam every 10 seconds. If only one post every 5 minutes is successful, then that would still be annoying. I guess it could block posts within 5 minutes of a comment *attempt*, although that would also be annoying for real users.

If the prevention only operates on comments for a single package, then a bot could spam (e.g.) all packages at once. However, if the prevention operated on comments for *all* packages, this would be very annoying for users. I certainly have posted within 5 minutes on multiple packages, for example if the comment applies to foo and foo-git, or variants of this. I also probably have posted within 5 minutes on a single package, when there have been quick replies between me and another user.
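
Added example, not part of the tracker thread and not aurweb code: a small simulation of the rate-limit choices debated in the comments above (cooldown restarted by successful posts versus by every attempt, limits per package versus across all packages, plus the 100-comment check). The `CommentLimiter` class, the 3-hour window and the traffic samples are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

COOLDOWN = 5 * 60      # the 5-minute gap discussed in the thread, in seconds
WINDOW = 3 * 60 * 60   # assumption: "the last few hours" taken as 3 hours
WINDOW_CAP = 100       # "100 comments over the last few hours"


class CommentLimiter:
    """Hypothetical limiter; per_package and count_attempts are the two
    design choices debated in the comments above."""

    def __init__(self, per_package=True, count_attempts=False):
        self.per_package = per_package
        self.count_attempts = count_attempts
        self.cooldown_start = {}            # key -> time the cooldown began
        self.recent = defaultdict(deque)    # user -> times of accepted posts

    def allow(self, user, package, now):
        key = (user, package) if self.per_package else user
        window = self.recent[user]
        while window and now - window[0] >= WINDOW:
            window.popleft()                # forget posts older than WINDOW
        start = self.cooldown_start.get(key)
        cooling = start is not None and now - start < COOLDOWN
        ok = not cooling and len(window) < WINDOW_CAP
        if ok or self.count_attempts:       # rejected attempts may restart it
            self.cooldown_start[key] = now
        if ok:
            window.append(now)
        return ok


def accepted(events, **policy):
    """Count accepted comments for (user, package, time) events."""
    limiter = CommentLimiter(**policy)
    return sum(limiter.allow(*event) for event in events)


# Constructed traffic, times in seconds.
BURST = [("bot", "unicode", t) for t in range(0, 3600, 10)]      # every 10 s
PATIENT = [("bot", "unicode", t) for t in range(0, 86400, 300)]  # every 5 min
SPREAD = [("bot", f"pkg{i}", i) for i in range(200)]             # 200 packages
HUMAN = [("dev", "foo", 0), ("dev", "foo-git", 60), ("dev", "foo", 120)]

if __name__ == "__main__":
    for name, events in [("burst", BURST), ("patient", PATIENT),
                         ("spread", SPREAD), ("human", HUMAN)]:
        print(name,
              accepted(events),                       # per package, success
              accepted(events, count_attempts=True),  # per package, attempt
              accepted(events, per_package=False))    # all packages, success
```

In this simulation the attempt-based cooldown is what stops the 10-second burst, a limit across all packages stops the multi-package spread but also rejects the foo/foo-git case, and a poster pacing itself at exactly the cooldown passes every variant.
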
Comment by Moabit (Moabit) - Sunday, 16 October 2016, 04:50 GMT
And… I just had two more spam messages on this same package [1]. I wonder if they target specific packages as a group, somehow.

[1] https://aur.archlinux.org/packages/unicode/
Comment by Moabit (Moabit) - Tuesday, 29 November 2016, 11:36 GMT
Three more spam messages were just posted on the same package [1], for eight total.

[1] https://aur.archlinux.org/packages/unicode/
Comment by Jakub Klinkovský (lahwaacz) - Friday, 07 April 2017, 07:56 GMT
More spam here: https://aur.archlinux.org/packages/pacserve/ (2017-04-06 11:34)
Comment by Chris Severance (severach) - Wednesday, 18 July 2018, 00:25 GMT
https://aur.archlinux.org/packages/gcc47/

More spam here. Spammers like to post links. Any way to block links for new users?
Comment by Matthias Lisin (matthias.lisin) - Thursday, 09 August 2018, 13:56 GMT
More spam here: https://aur.archlinux.org/packages/android-studio/

Any planned actions? I've seen some more spam recently.
Comment by Benjamin Hodgetts (Enverex) - Monday, 20 August 2018, 12:12 GMT
All posts by this user are spam too - https://aur.archlinux.org/account/DorisAndrade/comments

Any way of actually reporting this yet?
