[SAC] OSGeo Id creation disabled

Alex M tech_dev at wildintellect.com
Tue May 3 15:33:03 PDT 2016


I'm glad to re-enable as soon as we have a good way to mitigate the trac
spam. Either finding and removing spam accounts more quickly
(automation), or just making it harder to spam Trac to begin with.

Right now only Martin seems to know the method for removing identified
spam accounts. I think we should run a cron job every 5 mins, and have that
job read a text file more admins can write to. So when we find spam
accounts, they get removed fast.

Of course, then that also needs to feed into killing matching sessions in Trac.


I agree, if they're willing to sign up by hand that makes it really hard to
block at sign-up.

Thanks,
Alex

On 05/03/2016 04:53 PM, Frank Warmerdam wrote:
> Alex,
> 
> There is very little defense available against spammers willing to
> spend lots of human time doing their thing.  What is our plan on this?
>  I'm not too happy with an approach that makes it very difficult to be
> a new contributor.
> 
> Best regards,
> Frank
> 
> 
> On Tue, May 3, 2016 at 1:05 PM, Alex M <tech_dev at wildintellect.com> wrote:
>> Sorry, doesn't seem to be enough, had to disable it again. Trac spamming
>> still is squashed and I did verify that new accounts since your change
>> are being used.
>>
>> Though looking at the rate, it makes me think someone is doing it by hand
>> (although shifting IPs).
>>
>> Updated ticket.
>>
>> Thanks,
>> Alex
>>
>> On 04/30/2016 01:58 PM, Frank Warmerdam wrote:
>>> Alex,
>>>
>>> I can do that.
>>>
>>> I have created ticket https://trac.osgeo.org/osgeo/ticket/1665 to
>>> track my work today.
>>>
>>> Hmm, it appears I neglected to send this earlier today when I started
>>> this work, and it is now done, actually using Recaptcha:
>>>
>>> https://www2.osgeo.org/cgi-bin/ldap_create_user.py
>>>
>>> Best regards,
>>> Frank
>>>
>>> On Fri, Apr 29, 2016 at 8:24 PM, Alex Mandel <tech_dev at wildintellect.com> wrote:
>>>> I just recalled something useful. It would be great if we could
>>>> blacklist certain email domains. In particular, yopmail and dayrep, which
>>>> are disposable email addresses (publicly readable, trashes all mail after
>>>> 8 days), were used for many of the spam accounts recently. An email
>>>> service like that is contradictory to being able to use email to recover
>>>> passwords when forgotten.
>>>>
>>>> Thanks,
>>>> Alex
>>>>
>>>> On 2016-04-29 09:23, Alex M wrote:
>>>>> Frank,
>>>>>
>>>>> I don't think there's a ticket yet. We should make those 2 items 2
>>>>> different tickets.
>>>>>
>>>>> Also I'll make a ticket for me, I'll attempt to spruce up the pages with
>>>>> a little OSGeo branding to make them look less sketchy.
>>>>>
>>>>> Thanks,
>>>>> Alex
>>>>>
>>>>> On 04/29/2016 09:18 AM, Frank Warmerdam wrote:
>>>>>> Folks,
>>>>>>
>>>>>> I'm willing to update the LDAP account creation to require email
>>>>>> validation.  That is, I'll send out an email and they have to follow
>>>>>> the link in the email to confirm before the account is actually
>>>>>> created.
>>>>>>
>>>>>> Is there a SAC ticket on this?  I should be able to do it today or tomorrow.
>>>>>>
>>>>>> I'll likely also try and put in place self-service password reset
>>>>>> using a similar mechanism.
>>>>>>
>>>>>> Best regards,
>>>>>> Frank
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 28, 2016 at 8:05 AM, Alex Mandel <tech_dev at wildintellect.com> wrote:
>>>>>>> On 04/28/2016 08:04 AM, Alex Mandel wrote:
>>>>>>>> On 04/28/2016 07:19 AM, Alex Mandel wrote:
>>>>>>>>> On 04/28/2016 01:41 AM, Sandro Santilli wrote:
>>>>>>>>>> On Wed, Apr 27, 2016 at 02:42:52PM -0700, Alex M wrote:
>>>>>>>>>>
>>>>>>>>>>> As a follow-up, we are now looking for someone who wants to improve our
>>>>>>>>>>> creation system with Captcha, and/or email confirmation. If you think
>>>>>>>>>>> you can build (or modify the existing) such a system to work with our
>>>>>>>>>>> LDAP please contact the osgeo System Administration Committee (SAC).
>>>>>>>>>>
>>>>>>>>>> Should this part be sent on osgeo-discuss?
>>>>>>>>>
>>>>>>>>> Maybe, all the people who run sites using this should be on the SAC
>>>>>>>>> list. We could add a link to the maintenance page on how to contact SAC.
>>>>>>>>>
>>>>>>>>>> Anyway, what about doing something simple like asking to enter
>>>>>>>>>> a number derived from some request headers? Like the first
>>>>>>>>>> 5 characters of the md5 of the remote ip ...
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Yes, anything for now that is hard for a bot (since it might get
>>>>>>>>> re-written), with a more robust solution later.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Alex
>>>>>>>>
>>>>>>>> https://www.ldap-account-manager.org/lamcms/lamPro/features#selfService
>>>>>>>>
>>>>>>>> Of course the open source variant doesn't have the User Self service
>>>>>>>> module...
>>>>>>>>
>>>>>>>> That's the only pre-built solution I've found so far with user
>>>>>>>> self-registration, email verification and user self service password reset.
>>>>>>>>
>>>>>>>> Keep looking.
>>>>>>>>
>>>>>>>> Alex
>>>>>>>
>>>>>>>
>>>>>>> Correction, also this
>>>>>>> http://ltb-project.org/wiki/documentation/self-service-password
>>>>>>>
>>>>>>> But it's not clear it has a registration tool.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Alex
>>>>>>>

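Two of the mitigations discussed in this thread, the disposable-domain blacklist Alex asked for and the confirm-by-email-link flow Frank described, shown as an added example (not the OSGeo ldap_create_user.py code). The blocklist holds only the two domains named above, the secret key is a hypothetical placeholder, and account creation itself is assumed to happen only after verify_confirmation_token succeeds.

```python
import hashlib
import hmac
import secrets
import time

# Constructed blocklist: the disposable-mail domains named in the thread.
DISPOSABLE_DOMAINS = {"yopmail.com", "dayrep.com"}

# Hypothetical server-side secret; load it from a file outside the web root
# in a real deployment, never hard-code it.
SECRET_KEY = b"replace-with-a-long-random-secret"
TOKEN_TTL = 24 * 3600  # confirmation links expire after one day

def email_domain(address):
    """Return the normalised domain part of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")

def is_disposable(address):
    """True if the domain, or any parent domain, is blocklisted
    (rejects foo.yopmail.com as well as yopmail.com); malformed input is rejected too."""
    domain = email_domain(address)
    if domain is None:
        return True
    labels = domain.split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS for i in range(len(labels)))

def make_confirmation_token(username, address, now=None):
    """Build the token carried in the confirmation link; nothing is written to
    LDAP until the token comes back and verifies."""
    if "|" in username:
        raise ValueError("invalid username")
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    payload = f"{username}|{address.lower()}|{issued}|{nonce}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_confirmation_token(token, now=None):
    """Return (username, address) if the MAC is valid and the token is fresh, else None."""
    try:
        username, address, issued, nonce, mac = token.split("|")
        issued = int(issued)
    except ValueError:
        return None
    payload = f"{username}|{address}|{issued}|{nonce}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered link
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL or issued > current + 60:
        return None  # expired, or issued in the future
    return username, address
```

Because the token is only an HMAC over the request, the server keeps no pending-account state until the link is followed, so unconfirmed spam sign-ups never reach LDAP.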