Lots of spam in project comments #46
Comments
Wow, thanks for noticing! @luigi any thoughts? We can put a captcha on it |
I think we should force a sign in to comment. |
Yeah, that would really be the most straightforward solution. |
A few years ago, I was deploying a captcha-less captcha which stopped > 99% of spam (assuming you don't get targeted). It had no impact on users and worked great. We could try that before limiting the functionality of the app. |
Using a honeypot? I made this a while ago: |
Honey pots work, but this was a little different. It had a hidden element which started as value 0. When you click on the form (element button etc), it would change the value to a known value. The server then checks that this param is correct to know that a real click event happened. It operates by knowing that most spam bots don't actually do things on the window, so focus events (which are window only events) won't fire. |
Ah right, so the opposite of a honeypot (the spambot won't fill in the correct value). Makes sense. |
Hey @alex-hall. I submitted a PR a while ago and manually cleaned the existing comments. I haven't checked, but I think it's taken care of. We still do want anonymous commenting. |
It looks like there is still spam. This is possibly human-submitted spam, which a honeypot or captcha wouldn't catch. It's significantly less than before though. Curious for @luigi's thoughts here. |
Thanks for the reply @sb8244. Yeah there will always be some % of spam no matter what. If anonymous comments are absolutely required then a captcha solution really has to be implemented. |
I'd like to record the parameters passed up with comments to see what people are submitting parameter-wise. There might be an edge case when JS is turned off with how this works. We can put a really simple honeypot for that, though. The hidden captcha system should kill nearly all spam, unless there's a targeted attack. I believe scripting off is the most likely culprit, which is easily fixed. |
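The hidden-field check and the honeypot fallback for the JavaScript-off case discussed in the comments above, sketched as an added example (not code from this project or its pull requests). The field names, the marker value, the `allowNoScript` option and the sample submissions are hypothetical.

```javascript
// Added example. Field names and the marker value are hypothetical.
const INTERACTION_FIELD = "interaction_check"; // hidden input rendered with value "0"
const HONEYPOT_FIELD = "website";              // hidden by CSS; a human leaves it empty
const INITIAL_VALUE = "0";
const EXPECTED_VALUE = "7412";                 // constructed marker written by the script

// Browser side: on the first focus or click inside the form, write the marker.
function armInteractionField(form) {
  const mark = () => { form.elements[INTERACTION_FIELD].value = EXPECTED_VALUE; };
  for (const type of ["focusin", "click"]) {
    form.addEventListener(type, mark, { once: true });
  }
}

// Server side: classify one submission. allowNoScript decides whether a
// submission with the untouched initial value passes on the honeypot alone.
function classifySubmission(params, { allowNoScript = false } = {}) {
  const marker = params[INTERACTION_FIELD];
  const honeypot = String(params[HONEYPOT_FIELD] || "").trim();
  if (honeypot !== "") return { accept: false, reason: "honeypot_filled" };
  if (marker === EXPECTED_VALUE) return { accept: true, reason: "interaction_seen" };
  if (marker === INITIAL_VALUE) return { accept: allowNoScript, reason: "no_interaction" };
  if (marker === undefined) return { accept: false, reason: "field_missing" };
  return { accept: false, reason: "unexpected_value" };
}

// Count outcomes per reason so the recorded parameters can be reviewed.
function tallyReasons(submissions, options) {
  const counts = {};
  for (const params of submissions) {
    const { reason } = classifySubmission(params, options);
    counts[reason] = (counts[reason] || 0) + 1;
  }
  return counts;
}

// Constructed sample submissions (not real traffic).
const SAMPLES = [
  { body: "Great project!", interaction_check: "7412", website: "" },
  { body: "cheap pills", interaction_check: "0", website: "" },
  { body: "cheap pills", interaction_check: "0", website: "http://spam.example" },
  { body: "cheap pills", website: "" },
  { body: "cheap pills", interaction_check: "1", website: "" },
];

console.log(tallyReasons(SAMPLES));
```

Setting `allowNoScript: true` accepts the second constructed sample as well, so that setting relies on the honeypot alone for script-less clients.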
Let me know if you find anything interesting with the params route, but I
feel it's important to mention this issue has been open for more than a
year now.
It might be time to bite the bullet and implement a Captcha rather than
spending time tweaking a honey pot solution.
|
Thanks for keeping up with this y'all. Let's just do a ReCAPTCHA. Quickest to implement and most popular. |
The new ReCAPTCHA is great. The previous one was very difficult to use (would often take me 3-4 tries to get it right). I'd happily see the new v2 ReCAPTCHA implemented here. Is @alex-hall taking that? There is one sticking point for me. Based on the volume of spam before / after the last solution implemented, plus the fact that a noscript solution was not implemented, I believe the current spam is coming from noscript bots. We should make sure that the iframe noscript solution that ReCAPTCHA provides is implemented in addition to the JS one. Edit: Looking back on https://github.com/codeforatlanta/connector/pull/52/files, it looks like this wouldn't support |
Here is the link to the noscript ReCAPTCHA documentation: https://developers.google.com/recaptcha/docs/faq#does-recaptcha-support-users-that-dont-have-javascript-enabled |
Thanks for the references. I'll take a look at this today.
|
Pull request submitted: #54 |
This is pretty intense!
3400+ spam posts
I'd suggest either disabling the anonymous comment feature, or at least adding a captcha system to it.
I can work on this a little tonight