[tor-bugs] #31052 [Internal Services/Services Admin Team]: Guest accounts in the ticketing system

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 1 18:21:38 UTC 2019


#31052: Guest accounts in the ticketing system
---------------------------------------------------+---------------------
 Reporter:  gaba                                   |          Owner:  qbi
     Type:  project                                |         Status:  new
 Priority:  Medium                                 |      Milestone:
Component:  Internal Services/Services Admin Team  |        Version:
 Severity:  Normal                                 |     Resolution:
 Keywords:  ticket-system-migration                |  Actual Points:
Parent ID:  #30857                                 |         Points:
 Reviewer:                                         |        Sponsor:
---------------------------------------------------+---------------------

Comment (by gaba):

 From IRC, on how Riseup manages the anti-spam in their GitLab instance.

 - limiting domains that can sign up to ones we know (whitelist), limiting
 projects/group creation to a low number unless requested to increase, and
 then searching on the internet for links to our gitlab instance in order
 to find spam

 on spam:
 'snippets' are the most common way (e.g. https://0xacab.org/snippets/776).
 Even with monthly cleanup, we have been put into RBL lists for email
 delivery blacklisting because of the spam on gitlab. Spam goes in so many
 different possible ways, it's mostly impossible to control, unless you
 dedicate a HUGE amount of time to it. It's extremely easy to miss spammers.
 If they don't have access to snippets, they make comments, or user pages,
 etc.

 The only thing that works is to close/limit registration (which is what
 gitlab.com does) or turn on google captcha/akismet

 about the amount of labor on fighting spam:
 You will spend at minimum 6 hours a week dealing with spam, with an open
 gitlab. It is not as simple as just clicking a delete button, since you
 have to copy and paste the names as confirmation

 Not only will you spend a huge amount of time dealing with the spam, but
 you will also get the domain blacklisted :(
 A huge amount of our spam came from gmail accounts even

 We played 'whack a mole' for a while by blocking domains that were
 spamming but we ended up going crazy, and so we only whitelist domains
 now.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31052#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
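
The difference between the 'whack a mole' domain blocking and the domain whitelist described in the comment above, as an added example that is not part of the ticket or of Riseup's configuration. All domains, addresses and the `*.` wildcard pattern style are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample policy lists (assumptions, not real configuration).
ALLOWLIST = ["example.org", "*.example.org"]       # domains "we know"
BLOCKLIST = ["spam-a.example", "spam-b.example"]   # domains seen spamming so far

_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def email_domain(address):
    """Return the normalized domain after the LAST '@', or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()   # case and trailing dot do not matter
    if not sep or not local or not _DOMAIN_RE.match(domain):
        return None
    return domain


def allowed_by_allowlist(address, allowlist=ALLOWLIST):
    """Default deny: accept only domains matching a known pattern."""
    domain = email_domain(address)
    return domain is not None and any(fnmatchcase(domain, p) for p in allowlist)


def allowed_by_blocklist(address, blocklist=BLOCKLIST):
    """Default allow: reject only domains already seen spamming."""
    domain = email_domain(address)
    return domain is not None and not any(fnmatchcase(domain, p) for p in blocklist)


# Constructed signup attempts.
SAMPLES = [
    "dev@example.org",
    "Dev@Lists.Example.ORG.",            # case and trailing dot are normalized
    "x@spam-a.example",                  # known spam domain
    "x@spam-c.example",                  # new spam domain, not yet blocked
    "someone@gmail.com",                 # large public provider
    "user@example.org@spam-c.example",   # real domain is after the last '@'
    "x@example.org.spam-c.example",      # lookalike suffix
    "no-at-sign",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr!r:40} allowlist={allowed_by_allowlist(addr)!s:5} "
              f"blocklist={allowed_by_blocklist(addr)}")
```

The blocklist accepts every address whose domain has not yet been listed, including the new spam domain and the public mail provider, while the allowlist rejects everything outside the known domains.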

