AUR web interface

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/

FS#63087 - We need better ways to delete spam

Attached to Project: AUR web interface
Opened by Eli Schwartz (eschwartz) - Wednesday, 03 July 2019, 14:02 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 03 July 2019, 15:39 GMT
Task Type: Feature Request
Category: Backend
Status: Unassigned
Assigned To: No-one
Architecture: All
Severity: High
Priority: Normal
Reported Version: 4.7.0
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 1
Private: No

Details

cf. the current waves of spam comments that are percolating throughout the AUR, and related to FS#51319 which asks for ways to report such abuse.

Manually deleting each comment and suspending/deleting the user is unwieldy. We should be able to do better.

Proposal: Instead of just having the option to "Click here if you want to permanently delete this account", we should additionally have a TU button "click here to delete this account as spam". The button should also:

- delete comments instead of leaving them orphaned as "anonymous" (fully delete, don't leave them in the db to be visible to TUs looking at the package details),

- blacklist the IP to prevent more spam from the same IP address,

- flag any other account using the same IP for manual review, e.g. displaying account names and comments.

Comment by Robin Broda (coderobe) - Thursday, 04 July 2019, 15:58 GMT
Blacklisting the IP comes with plenty of trade-offs.
Think about VPN services, university networks, or provider NATs.

Comment by Eli Schwartz (eschwartz) - Thursday, 04 July 2019, 16:04 GMT
Are the first two a major supplier of spammer IPs? Even for the third, we could just prevent such users from registering accounts; we don't need to prevent existing users from logging in. And it would make sense to have the blacklist expire eventually.

Comment by Bryan L. Gay (linuxninja) - Saturday, 10 August 2019, 05:13 GMT
I can tell you after running a web hosting platform for more than a decade that blacklisting IPs is not the way to go, but a system similar to 'greylisting' works well for me. For 'greylisted' IPs, have an additional human step, such as email confirmation, to prove the comment isn't automated. While I detest captchas, other metadata collected from the client system might reveal a pattern that can be used to further 'downgrade' an IP to be added to a 'greylist'. Reputation scores for users seem like an obvious path, but then the burden of reviewing messages again becomes monotonous. Maybe give non-TUs an ability to review a 'holding' message queue to distribute the burden??

My experience shows that spammers rarely come from the same IPs and EXPECT to get blacklisted, so they move on to new IPs very regularly. My current blacklist counter shows very few return hits from a blacklisted IP after a few days, so the act of blacklisting is only good for a very short period of time, while a blacklisted IP shared by potentially thousands of users (VPN services, for example) should flag messages for review rather than reject them outright.

My $0.02

Comment by Jelle van der Waa (jelly) - Friday, 06 September 2019, 17:42 GMT
Another option is 'rate limiting' comments, as in, a user who comments a lot in $time period gets flagged for manual review. Or we create a dashboard that shows "suspicious" accounts.
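
The mitigations discussed in the comments above (an IP list that expires, routing comments from listed IPs to review instead of rejecting them, and flagging users who comment too often) can be combined in one gate. The following is an added example, not aurweb code and not written by any commenter; the class name, the thresholds and the sample IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

GREYLIST_TTL = 3 * 24 * 3600  # assumed: greylist entries expire after 3 days
RATE_WINDOW = 600             # assumed: sliding window of 10 minutes
RATE_LIMIT = 5                # assumed: comments allowed per window


@dataclass
class CommentGate:
    """Hypothetical gate: comments are published or held, never rejected."""
    greylist: dict = field(default_factory=dict)  # ip -> expiry timestamp
    recent: dict = field(default_factory=lambda: defaultdict(deque))
    review_queue: list = field(default_factory=list)

    def greylist_ip(self, ip, now):
        # Called when an account is deleted as spam; the entry ages out.
        self.greylist[ip] = now + GREYLIST_TTL

    def _greylisted(self, ip, now):
        expiry = self.greylist.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.greylist[ip]  # expired: shared IPs recover on their own
            return False
        return True

    def submit(self, user, ip, now):
        """Return 'publish' or 'review' for one comment submission."""
        window = self.recent[user]
        while window and window[0] <= now - RATE_WINDOW:
            window.popleft()  # drop timestamps outside the sliding window
        window.append(now)
        reasons = []
        if self._greylisted(ip, now):
            reasons.append("greylisted-ip")
        if len(window) > RATE_LIMIT:
            reasons.append("rate-limit")
        if reasons:
            # Held for a human reviewer, with the reasons attached.
            self.review_queue.append((user, ip, now, reasons))
            return "review"
        return "publish"


if __name__ == "__main__":
    gate = CommentGate()
    gate.greylist_ip("203.0.113.7", now=0)  # constructed documentation IP
    print(gate.submit("bob", "203.0.113.7", now=60), gate.review_queue)
```
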