Trac Spam
August 23, 2006 – 11:43 am
The folks at Enthought (sponsors of SciPy) were kind enough to set up a Trac so that I could manage development of the Software Carpentry course. Unfortunately, spammers have figured out how to bomb Trac: over a dozen tickets relating to gay porn, online casinos, and the like have been filed, and there are literally dozens of comments (undeletable) along the same lines on the useful tickets. I could have prevented this by not giving anonymous users the ability to file tickets, but requiring people to register in order to give feedback on the course notes would greatly reduce the amount of feedback I got.
I don’t have an answer to this, but we’re going to have to come up with one for DrProject. We’re also going to have to come up with a better way to manage user accounts. Right now, DrP requires people to have accounts on the underlying Unix system. That makes sense for classroom use, but not for “open” projects — I’ve had to request guest accounts so that people outside the university can be on the DrP development mailing list, for example, and that doesn’t scale to dozens of contributors. I do not want to add user account management, password checking, and the like to DrP: it’s a lot of work to do properly, a security hole when done improperly, and synchronizing it all with Subversion would be just one more thing that could go wrong. If you have ideas, I’m easy to find…
5 Responses to “Trac Spam”
Have you heard of the Spam Plugin for Trac? I’m trying to install it on a site we’re starting, but it’s difficult to confirm that it works. It has several different means for filtering spam tickets/comments. The one I find very useful is Akismet, which was originally for WordPress.
The jury’s out on how well it will work.
By Neil on Aug 23, 2006
Spam is a hard problem for sites that want to enable users to submit content without requiring registration. As Neil pointed out, we’ve developed the SpamFilter plugin that provides a number of options for filtering out bad content (right now regex matching, IP blacklisting, Akismet queries).
It doesn’t get rid of all the spam, but quite a bit. On the Trac project site, before we installed SpamFilter, we were getting flooded with spam. Now, the most annoying submissions are people submitting tickets to test the system… wonder how to get rid of those
By Christopher Lenz on Aug 23, 2006
Greg, couldn’t you use one of those “type the word seen in the partially scrambled image above” forms?
By Ben on Aug 24, 2006
Ben - those are referred to as CAPTCHA systems (for Completely Automated Public Turing test to tell Computers and Humans Apart). There’s a pretty thorough article at Wikipedia: http://en.wikipedia.org/wiki/Captchas.
Greg - if the Trac SPAM plugin doesn’t work for you, maybe you can figure out a way to work with Akismet? It’s the spam system built by Automattic (makers of WordPress) to beat comment and trackback spam on their blogs. The system works through a distributed approach to identifying and deleting SPAM - see http://akismet.com/ for more information. We just came across a Java API for Akismet (http://sourceforge.net/projects/akismet-java/), so I would imagine you can find one in your favourite language.
By Jay Goldman on Aug 25, 2006
Consider looking at Bruce Guenter’s Credential Validation Modules (CVM) package to handle authentication. AFAIK, there’s no Python client library but it may be straightforward to create SWIG bindings or write a pure-Python client.
http://untroubled.org/cvm/cvm.html
For the DrP development mailing list: Why not just make the list public?
By Alan on Aug 26, 2006