Hi all,

Today I ran into this particular spammed ticket:

http://dev.rubyonrails.org/ticket/5114

Notice the spammer completely obliterated the ticket attributes.

It's possible that a lot of tickets will, in effect, disappear and never be resolved as a result of such exploits.

Is there anything that can be done regarding trac spam in general? Anything in the pipeline?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-core
-~----------~----~----~----~------~----~------~--~---

On 9/7/06, Caio Chassot <lists@v2studio.com> wrote:
> It's possible that a lot of tickets will, in effect, disappear and never be resolved as a result of such exploits.
>
> Is there anything that can be done regarding trac spam in general? Anything in the pipeline?

Trac has a spam filter (see the BadContent wiki page) and admins can delete spam comments and tickets.

We're looking at requiring logins.

jeremy

Another example (I've corrected today) - the "eminem" spam:

http://dev.rubyonrails.org/ticket/4661

Can't you add a form field hidden with CSS, labeled "do not fill this out", that Trac checks for and discards the post if it has value? Spambots almost always fill out every field they can find, and this sort of spam confirms it. Most of the users will not even see the field, while non-sighted users will be warned against it by its label.

Also, no human will ever post a comment with tens of links inside with the same text (or href). I don't see why this spam pattern is not checked for and blocked.

-- Mislav

On 9/7/06, Caio Chassot <lists@v2studio.com> wrote:
> Hi all,
>
> Today I ran into this particular spammed ticket:
>
> http://dev.rubyonrails.org/ticket/5114
>
> Notice the spammer completely obliterated the ticket attributes.
>
> It's possible that a lot of tickets will, in effect, disappear and never be resolved as a result of such exploits.

On 2006-09-07, at 16:10 , Jeremy Kemper wrote:
> Trac has a spam filter (see the BadContent wiki page) and admins can delete spam comments and tickets.

Is there a place to report spam?

I suppose trac offers no way to revert a ticket? Would be really helpful for cases where data is modified, not just added.

> We're looking at requiring logins.

I support that. Any reasons not to do it?

> Can't you add a form field hidden with CSS, labeled "do not fill this out", that Trac checks for and discards the post if it has value? Spambots almost always fill out every field they can find, and this sort of spam confirms it. Most of the users will not even see the field, while non-sighted users will be warned against it by its label.
>
> Also, no human will ever post a comment with tens of links inside with the same text (or href). I don't see why this spam pattern is not checked for and blocked.

We used to do exactly that. But the thing is, patches *do* contain heaps of links, especially when they include an html document:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head profile="http://www.w3.org/2000/08/w3c-synd/#"><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

We do have filters in place which block a bunch of spam. The reality is, everything you do to block spam increases the number of false positives. We're going to have to require logins, there's no way around it.

--
Cheers

Koz

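The honeypot field and repeated-link check proposed earlier in the thread, and the false positive described in the reply above, as an added Python sketch (not Trac's code and not posted by anyone in this thread). The field name `website_confirm`, the thresholds and the sample submissions are assumptions constructed for illustration.

```python
import re
from collections import Counter

HONEYPOT_FIELD = "website_confirm"  # hypothetical name of the CSS-hidden field
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_TEXT_RE = re.compile(r"<a\b[^>]*>(.*?)</a>", re.IGNORECASE | re.DOTALL)


def most_repeated(items):
    """Count of the most frequent item, 0 for an empty list."""
    return Counter(items).most_common(1)[0][1] if items else 0


def classify(form, max_links=4, max_repeats=10):
    """Return the list of reasons a submission would be rejected."""
    reasons = []
    # Humans never see the hidden field, so any value means a form-filling bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot-filled")
    body = form.get("comment", "")
    hrefs = URL_RE.findall(body)
    texts = [t.strip().lower() for t in ANCHOR_TEXT_RE.findall(body)]
    # Naive rule: raw link count. This is the one that hits HTML patches.
    if len(hrefs) > max_links:
        reasons.append("too-many-links")
    # Narrower rule: the same href or the same link text repeated many times.
    if max(most_repeated(hrefs), most_repeated(texts)) >= max_repeats:
        reasons.append("repeated-link")
    return reasons


# Constructed sample: bot fills every field and repeats one link 30 times.
SPAM = {
    "comment": '<a href="http://spam.example/pills">cheap pills</a> ' * 30,
    HONEYPOT_FIELD: "http://spam.example/",
}

# Constructed sample: a patch whose XHTML header is the one quoted in the
# thread, followed by two made-up body links.
PATCH = {
    "comment": '''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head profile="http://www.w3.org/2000/08/w3c-synd/#">
<a href="http://example.org/docs">Docs</a>
<a href="http://example.org/api">API</a>
''',
}

# Constructed sample: an ordinary comment with a single link.
PLAIN = {"comment": "Fails on edge; see http://example.org/paste/1 for the trace."}

if __name__ == "__main__":
    for name, form in (("spam", SPAM), ("patch", PATCH), ("plain", PLAIN)):
        print(name, classify(form))
```

The patch sample trips only the raw link-count rule, which is the false-positive cost of that rule; the honeypot and repeated-link rules leave it alone.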
On 9/7/06, Michael Koziarski <michael@koziarski.com> wrote:
> We're going to have to require logins, there's no way around it.

Great! Logins are no problem and it should be spam free.

Peter

Peter Michaux wrote:
> On 9/7/06, Michael Koziarski <michael@koziarski.com> wrote:
>> We're going to have to require logins, there's no way around it.
>
> Great! Logins are no problem and it should be spam free.

+1 (for the wiki, also)

Justin

> We do have filters in place which block a bunch of spam. The reality is, everything you do to block spam increases the number of false positives. We're going to have to require logins, there's no way around it.

How will the login system work - just let anyone sign up via trac? I don't suppose there is any way to set up an account for everyone who subscribes to rails-core, for instance?

- rob

--
http://www.robsanheim.com
http://www.seekingalpha.com
http://www.ajaxian.com

+1 here too. I have no problem signing up for a trac account if it prevents spam.

Cheers
Luke

On 8 Sep 2006, at 00:42, Justin Forder wrote:
> Peter Michaux wrote:
>> On 9/7/06, Michael Koziarski <michael@koziarski.com> wrote:
>>> We're going to have to require logins, there's no way around it.
>>
>> Great! Logins are no problem and it should be spam free.
>
> +1 (for the wiki, also)
>
> Justin

+1 to stop talking about it and flip the switch

Bob Silva
http://i.nfectio.us/

-----Original Message-----
From: rubyonrails-core@googlegroups.com [mailto:rubyonrails-core@googlegroups.com] On Behalf Of Luke Redpath
Sent: Friday, September 08, 2006 2:17 AM
To: rubyonrails-core@googlegroups.com
Subject: [Rails-core] Re: Worrisome trac spam

+1 here too. I have no problem signing up for a trac account if it prevents spam.

Cheers
Luke

On 8 Sep 2006, at 00:42, Justin Forder wrote:
> Peter Michaux wrote:
>> On 9/7/06, Michael Koziarski <michael@koziarski.com> wrote:
>>> We're going to have to require logins, there's no way around it.
>>
>> Great! Logins are no problem and it should be spam free.
>
> +1 (for the wiki, also)
>
> Justin

On Sep 7, 2006, at 1:22 PM, Michael Koziarski wrote:
> We're going to have to require logins, there's no way around it.

+1

I don't see any downside in requiring logins. Well, perhaps someone who just wanted to enter their first bug might consider that too much work, but in that case the quality of the bug report would likely be low anyway so we wouldn't be missing much. I like the idea of getting rid of anonymous tickets, comments and patches, and it's easier for me too if I don't have to type my email address several times when uploading a patch.

Can we require logins for making changes to the wiki too?

--
Josh Susser
http://blog.hasmanythrough.com

On 2006-09-08, at 12:10 , Josh Susser wrote:
> I don't see any downside in requiring logins. Well, perhaps someone who just wanted to enter their first bug might consider that too much work, but in that case the quality of the bug report would likely be low anyway so we wouldn't be missing much. I like the idea of getting rid of anonymous tickets, comments and patches, and it's easier for me too if I don't have to type my email address several times when uploading a patch.

I was going to say something along these lines. Also sucks when a ticket is closed by anonymous with no comment. You never know if it's a core member in a hurry or someone clueless messing around.

> Can we require logins for making changes to the wiki too?

The wiki is more problematic, I think. Lots more people deal with the wiki, many only very rarely, and some just want to fix a typo or add a bit of information.

If there's no other way, I'd say go for it. But how about something like captchas? (I'm not a big fan, would prefer a login, in fact. Just throwing ideas)

Another idea for the wiki: allow a small number of anonymous updates (identified by ip), say 3, and on the fourth, require a login. So casual users can fix their typos but spam activity is reduced.

If login is going to make my name/email remembered and provide me with links to my tickets or tickets I watch or have commented on, then I look forward to login system too - not just because of not seeing spam anymore, but as a usability improvement.

-- Mislav

On 9/8/06, Mislav Marohnić <mislav.marohnic@gmail.com> wrote:
> If login is going to make my name/email remembered and provide me with links to my tickets or tickets I watch or have commented on, then I look forward to login system too - not just because of not seeing spam anymore, but as a usability improvement.

Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.

jeremy

Wow. A bit obscure, isn't it? Thanks for pointing that out, Jeremy... never saw the link.

On 9/8/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.
>
> jeremy

On 9/9/06, Mislav Marohnić <mislav.marohnic@gmail.com> wrote:
> Wow. A bit obscure, isn't it? Thanks for pointing that out, Jeremy... never saw the link.

Quite obscure. You can now register a user: http://dev.rubyonrails.org/register

jeremy

> On 9/8/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> > Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.

Is there some one who is responsible for deleting old spam comments from dev.rubyonrails.org? I've come across a couple while going through the open tickets and I'd love to be able to just get rid of the spam, or notify a maintainer who can get rid of it, rather than ignore it.

V/r
Anthony Eden

On 9/9/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> On 9/9/06, Mislav Marohnić <mislav.marohnic@gmail.com> wrote:
> > Wow. A bit obscure, isn't it? Thanks for pointing that out, Jeremy... never saw the link.
>
> Quite obscure. You can now register a user:
> http://dev.rubyonrails.org/register
>
> jeremy
>
> > On 9/8/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> > > Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.

--
Cell: 808 782-5046
Current Location: Melbourne, FL

anyone with svn commit rights can access the trac admin pages and delete the spam. If you want to maintain a list somewhere, I'm happy to log in and remove it (still pretty laborious).

Of course, hopefully that list won't get spammed :)

On 1/17/07, Anthony Eden <anthonyeden@gmail.com> wrote:
> Is there some one who is responsible for deleting old spam comments from dev.rubyonrails.org? I've come across a couple while going through the open tickets and I'd love to be able to just get rid of the spam, or notify a maintainer who can get rid of it, rather than ignore it.
>
> V/r
> Anthony Eden
>
> On 9/9/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> > On 9/9/06, Mislav Marohnić <mislav.marohnic@gmail.com> wrote:
> > > Wow. A bit obscure, isn't it? Thanks for pointing that out, Jeremy... never saw the link.
> >
> > Quite obscure. You can now register a user:
> > http://dev.rubyonrails.org/register
> >
> > jeremy
> >
> > > On 9/8/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> > > > Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.
>
> --
> Cell: 808 782-5046
> Current Location: Melbourne, FL

--
Cheers

Koz

Stupid question: Why doesn't someone go ahead and make it so that you have to register an account with a captcha in order to post to the Rails trac? Is it that difficult?

On 1/16/07, Michael Koziarski <michael@koziarski.com> wrote:
> anyone with svn commit rights can access the trac admin pages and delete the spam. If you want to maintain a list somewhere, I'm happy to log in and remove it (still pretty laborious).
>
> Of course, hopefully that list won't get spammed :)
>
> On 1/17/07, Anthony Eden <anthonyeden@gmail.com> wrote:
> > Is there some one who is responsible for deleting old spam comments from dev.rubyonrails.org? I've come across a couple while going through the open tickets and I'd love to be able to just get rid of the spam, or notify a maintainer who can get rid of it, rather than ignore it.
> >
> > V/r
> > Anthony Eden
> >
> > On 9/9/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> > > On 9/9/06, Mislav Marohnić <mislav.marohnic@gmail.com> wrote:
> > > > Wow. A bit obscure, isn't it? Thanks for pointing that out, Jeremy... never saw the link.
> > >
> > > Quite obscure. You can now register a user:
> > > http://dev.rubyonrails.org/register
> > >
> > > jeremy
> > >
> > > > On 9/8/06, Jeremy Kemper <jeremy@bitsweat.net> wrote:
> > > > > Anyone can store a cookie with name/email - see the Settings link at the bottom of the page.
> >
> > --
> > Cell: 808 782-5046
> > Current Location: Melbourne, FL
>
> --
> Cheers
>
> Koz

> Stupid question: Why doesn't someone go ahead and make it so that you have to register an account with a captcha in order to post to the Rails trac? Is it that difficult?

Spammers are already manually registering accounts and then spamming all the tickets they can find. I don't believe it'll make a blind bit of difference sadly.

--
Cheers

Koz

On 17.1.2007, at 7.09, Michael Koziarski wrote:
>> Stupid question: Why doesn't someone go ahead and make it so that you have to register an account with a captcha in order to post to the Rails trac? Is it that difficult?
>
> Spammers are already manually registering accounts and then spamming all the tickets they can find. I don't believe it'll make a blind bit of difference sadly.

Fortunately I think a lot of the existing spam in trac is from the days before the mandatory login:

http://dev.rubyonrails.org/ticket/1942#comment:3
http://dev.rubyonrails.org/ticket/1923#comment:15
http://dev.rubyonrails.org/ticket/1241

--
Jarkko Laine
http://jlaine.net
http://dotherightthing.com
http://www.railsecommerce.com
http://odesign.fi