[SAC] OSGeo Id creation disabled

Jorge Sanz jsanz at osgeo.org
Tue May 3 15:45:01 PDT 2016


What about that idea on a confirmation e-mail?

Putting a small delay on sending the e-mail (say 5 minutes) would
maybe make it harder to complete the signup, but no idea how "persistent"
these spammers can be :-/

On 4 May 2016 at 00:33, Alex M <tech_dev at wildintellect.com> wrote:
> I'm glad to re-enable as soon as we have a good way to mitigate the Trac
> spam. Either finding and removing spam accounts more quickly
> (automation), or just making it harder to spam Trac to begin with.
>
> Right now only Martin seems to know the method for removing identified
> spam accounts. I think we should cron job every 5 mins, and have that
> job read a text file more admins can write to. So when we find spam
> accounts, they get removed fast.
>
> Course then that also needs to feed into killing matching sessions in Trac.
>
>
> I agree if they're willing to sign up by hand that makes it real hard to
> block at the sign up.
>
> Thanks,
> Alex
>
> On 05/03/2016 04:53 PM, Frank Warmerdam wrote:
>> Alex,
>>
>> There is very little defense available against spammers willing to
>> spend lots of human time doing their thing.  What is our plan on this?
>>  I'm not too happy with an approach that makes it very difficult to be
>> a new contributor.
>>
>> Best regards,
>> Frank
>>
>>
>> On Tue, May 3, 2016 at 1:05 PM, Alex M <tech_dev at wildintellect.com> wrote:
>>> Sorry, doesn't seem to be enough, had to disable it again. Trac spamming
>>> still is squashed and I did verify that new accounts since your change
>>> are being used.
>>>
>>> Though looking at the rate, makes me think someone is doing it by hand
>>> (although shifting IPs).
>>>
>>> Updated ticket.
>>>
>>> Thanks,
>>> Alex
>>>
>>> On 04/30/2016 01:58 PM, Frank Warmerdam wrote:
>>>> Alex,
>>>>
>>>> I can do that.
>>>>
>>>> I have created ticket https://trac.osgeo.org/osgeo/ticket/1665 to
>>>> track my work today.
>>>>
>>>> Hmm, it appears I neglected to send this earlier today when I started
>>>> this work and it is now done, actually using Recaptcha:
>>>>
>>>> https://www2.osgeo.org/cgi-bin/ldap_create_user.py
>>>>
>>>> Best regards,
>>>> Frank
>>>>
>>>> On Fri, Apr 29, 2016 at 8:24 PM, Alex Mandel <tech_dev at wildintellect.com> wrote:
>>>>> I just recalled something useful. It would be great if we could
>>>>> blacklist certain email domains. In particular yopmail and dayrep which
>>>>> are disposable email addresses (public readable, trashes all mail after
>>>>> 8 days) were used for many of the spam accounts recently. An email
>>>>> service like that is contradictory to being able to use email to recover
>>>>> passwords when forgotten.
>>>>>
>>>>> Thanks,
>>>>> Alex
>>>>>
>>>>> On 2016-04-29 09:23, Alex M wrote:
>>>>>> Frank,
>>>>>>
>>>>>> I don't think there's a ticket yet. We should make those 2 items, 2
>>>>>> different tickets.
>>>>>>
>>>>>> Also I'll make a ticket for me, I'll attempt to spruce up the pages with
>>>>>> a little OSGeo branding to make them look less sketchy.
>>>>>>
>>>>>> Thanks,
>>>>>> Alex
>>>>>>
>>>>>> On 04/29/2016 09:18 AM, Frank Warmerdam wrote:
>>>>>>> Folks,
>>>>>>>
>>>>>>> I'm willing to update the LDAP account creation to require email
>>>>>>> validation.  That is, I'll send out an email and they have to follow
>>>>>>> the link in the email to confirm before the account is actually
>>>>>>> created.
>>>>>>>
>>>>>>> Is there a SAC ticket on this?  I should be able to do it today or tomorrow.
>>>>>>>
>>>>>>> I'll likely also try and put in place self-service password reset
>>>>>>> using a similar mechanism.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Frank
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 28, 2016 at 8:05 AM, Alex Mandel <tech_dev at wildintellect.com> wrote:
>>>>>>>> On 04/28/2016 08:04 AM, Alex Mandel wrote:
>>>>>>>>> On 04/28/2016 07:19 AM, Alex Mandel wrote:
>>>>>>>>>> On 04/28/2016 01:41 AM, Sandro Santilli wrote:
>>>>>>>>>>> On Wed, Apr 27, 2016 at 02:42:52PM -0700, Alex M wrote:
>>>>>>>>>>>
>>>>>>>>>>>> As a follow-up, we are now looking for someone who wants to improve our
>>>>>>>>>>>> creation system with Captcha, and/or email confirmation. If you think
>>>>>>>>>>>> you can build (or modify the existing) such a system to work with our
>>>>>>>>>>>> LDAP please contact the OSGeo System Administration Committee (SAC).
>>>>>>>>>>>
>>>>>>>>>>> Should this part be sent on osgeo-discuss ?
>>>>>>>>>>
>>>>>>>>>> Maybe, all the people who run sites using this should be on the SAC
>>>>>>>>>> list. We could add a link to the maintenance page on how to contact SAC.
>>>>>>>>>>
>>>>>>>>>>> Anyway, what about doing something simple like asking to enter
>>>>>>>>>>> a number derived from some request headers ? Like the first
>>>>>>>>>>> 5 characters of the md5 of the remote ip ...
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Yes anything for now that is hard for a bot (since it might get
>>>>>>>>>> re-written). With a more robust solution later.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Alex
>>>>>>>>>
>>>>>>>>> https://www.ldap-account-manager.org/lamcms/lamPro/features#selfService
>>>>>>>>>
>>>>>>>>> Of course the open source variant doesn't have the User Self service
>>>>>>>>> module...
>>>>>>>>>
>>>>>>>>> That's the only pre-built solution I've found so far with user
>>>>>>>>> self-registration, email verification and user self service password reset.
>>>>>>>>>
>>>>>>>>> Keep looking.
>>>>>>>>>
>>>>>>>>> Alex
>>>>>>>>
>>>>>>>>
>>>>>>>> Correction, also this
>>>>>>>> http://ltb-project.org/wiki/documentation/self-service-password
>>>>>>>>
>>>>>>>> But it's not clear it has a registration tool.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Alex



-- 
Jorge Sanz
http://www.osgeo.org
http://wiki.osgeo.org/wiki/Jorge_Sanz
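
An added example, not part of the original thread and not OSGeo's `ldap_create_user.py`: a sketch of the signup measures discussed above, combining the disposable-domain block (yopmail, dayrep) with a signed, expiring e-mail confirmation token. The function names, key, token format and one-day expiry are assumptions, and the 5-minute delay is modelled as a not-before time on the token rather than a delayed send.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: server-side key, never sent to the client
BLOCKED_DOMAINS = {"yopmail.com", "dayrep.com"}  # disposable services named in the thread
NOT_BEFORE = 5 * 60      # the 5-minute delay from the thread, as a not-before time
MAX_AGE = 24 * 60 * 60   # assumption: confirmation links expire after one day


def domain_blocked(email):
    """True if the address is malformed or uses a blocked domain or a subdomain of one."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return True
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Return a token for the confirmation link, or None if signup is refused."""
    if domain_blocked(email):
        return None
    issued = int(time.time() if now is None else now)
    payload = f"{email.strip().lower()}|{issued}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def confirm(token, now=None):
    """Return the confirmed address, or None; create the account only on success."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".")
        payload = base64.urlsafe_b64decode(encoded.encode())
        email, issued = payload.decode().rsplit("|", 1)
        age = now - int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    return email if NOT_BEFORE <= age <= MAX_AGE else None
```

Because the token carries its own signed timestamp, no pending-signup table is needed before confirmation; the LDAP entry would be written only when `confirm` returns an address.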

