
Lots of spam in project comments #46

Open
dydx opened this issue Jan 12, 2016 · 18 comments
Comments

@dydx
Contributor

dydx commented Jan 12, 2016

This is pretty intense!

http://www.codeforatlanta.org/projects/2

3400+ spam posts

I'd suggest either disabling the anonymous comment feature, or at least adding a captcha system to it.

I can work on this a little tonight

@sb8244
Contributor

sb8244 commented Jan 12, 2016

Wow, thanks for noticing!

@luigi any thoughts? We can put a captcha on it

@luigi
Member

luigi commented Jan 12, 2016

I think we should force a sign in to comment.

@dydx
Contributor Author

dydx commented Jan 12, 2016

Yeah, that would really be the most straightforward solution.

@sb8244
Contributor

sb8244 commented Jan 12, 2016

A few years ago, I was deploying a captcha-less captcha which stopped > 99% of spam (assuming you don't get targeted). It had no impact on users and worked great. We could try that before limiting the functionality of the app.

@luigi
Member

luigi commented Jan 12, 2016

Using a honeypot? I made this a while ago:

https://github.com/sunlightlabs/rack-honeypot

@sb8244
Contributor

sb8244 commented Jan 12, 2016

Honeypots work, but this was a little different. It had a hidden element which started as value 0. When you click on the form (element, button, etc.), it would change the value to a known value. The server then checks that this param is correct to know that a real click event happened.

It operates by knowing that most spam bots don't actually do things on the window, so focus events (which are window only events) won't fire.

@luigi
Member

luigi commented Jan 12, 2016

Ah right, so the opposite of a honeypot (the spambot won't fill in the correct value). Makes sense.

@alex-hall
Contributor

alex-hall commented Jan 20, 2017

Is this still a priority @luigi? A simple fix would be to remove the else statement here and add validation in the comments controller.

EDIT: I'll gladly submit a pull request for this...

@sb8244
Contributor

sb8244 commented Jan 20, 2017

Hey @alex-hall. I submitted a PR a while ago and manually cleaned the existing comments. I haven't checked, but I think it's taken care of. We still do want anonymous commenting.

@sb8244
Contributor

sb8244 commented Jan 20, 2017

It looks like there is still spam. This is possibly human submitted spam, which a honeypot or captcha wouldn't catch. It's significantly less than before though. Curious for @luigi thoughts here.

@alex-hall
Contributor

alex-hall commented Jan 20, 2017

Thanks for the reply @sb8244.

Yeah there will always be some % of spam no matter what.
But taking a cursory glance at the comments, it's like 50:1 spam to legitimate anonymous comments.

If anonymous comments are absolutely required then a captcha solution really has to be implemented.

@sb8244
Contributor

sb8244 commented Jan 20, 2017

I'd like to record the parameters passed up with comments to see what people are submitting parameter-wise. There might be an edge case when JS is turned off with how this works. We can put a really simple honeypot for that, though.

The hidden captcha system should kill nearly all spam, unless there's a targeted attack. I believe scripting off is the most likely culprit, which is easily fixed.
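The "captcha-less captcha" sb8244 describes above (hidden field starts at 0, JavaScript flips it to a known value on the first focus event, the server checks the param) together with the simple honeypot he suggests for the scripting-off edge case, as an added Ruby example. This is not the connector project's code or the code from the PR he mentions; the field names, the expected token value and the `:needs_fallback` verdict are assumptions made for the example.

```ruby
require 'json'

# Added example: server-side check for the "real focus event happened" token,
# plus a classic honeypot field so that no-JS bots that fill every input are
# still caught. Field names and the token value are assumed for this example.
module CommentSpamCheck
  HIDDEN_FIELD   = 'form_clicked'  # assumed name; rendered as "0", set by JS on focus
  HONEYPOT_FIELD = 'website'       # assumed name; hidden from humans, bots tend to fill it
  EXPECTED_VALUE = 'clicked-7f3a'  # assumed constant written by the inline script

  # Markup to place inside the comment form whose DOM id is +form_id+.
  # The hidden field starts at "0". The script listens for 'focusin' on the form
  # (unlike 'focus', 'focusin' bubbles), so the first time any field, button or
  # textarea in the form receives focus the value becomes EXPECTED_VALUE.
  def self.form_fields_html(form_id)
    <<~HTML
      <input type="hidden" name="#{HIDDEN_FIELD}" value="0">
      <div style="position:absolute;left:-9999px" aria-hidden="true">
        <label>Website
          <input type="text" name="#{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
        </label>
      </div>
      <script>
        document.getElementById(#{form_id.to_json}).addEventListener('focusin', function (e) {
          e.currentTarget.querySelector('input[name=#{HIDDEN_FIELD}]').value = #{EXPECTED_VALUE.to_json};
        }, { once: true });
      </script>
    HTML
  end

  # Classifies one submission's params (a Hash of String => String).
  #   :ok             honeypot empty and the token proves a focus event ran
  #   :bot            honeypot filled in, or the token holds a value no browser produces
  #   :needs_fallback token still "0" (or absent): scripting is off, or a bot that never
  #                   triggers focus events; the caller can route these submissions to
  #                   a noscript fallback such as the one the thread discusses
  def self.verdict(params)
    honeypot = params[HONEYPOT_FIELD].to_s
    token    = params[HIDDEN_FIELD].to_s

    return :bot unless honeypot.empty?          # humans never see this field
    return :ok if token == EXPECTED_VALUE       # JS ran and a focus event fired
    return :needs_fallback if token.empty? || token == '0'
    :bot                                        # tampered or guessed token
  end

  # Constructed submissions for demonstration (not real traffic).
  SAMPLE_SUBMISSIONS = {
    'browser user'     => { 'form_clicked' => 'clicked-7f3a', 'website' => '', 'body' => 'Nice project' },
    'no-JS user'       => { 'form_clicked' => '0', 'website' => '', 'body' => 'Count me in' },
    'fill-all bot'     => { 'form_clicked' => '0', 'website' => 'http://spam.example', 'body' => 'buy now' },
    'token-guess bot'  => { 'form_clicked' => '1', 'website' => '', 'body' => 'buy now' }
  }.freeze

  # Returns { label => verdict } for every sample submission.
  def self.classify_samples
    SAMPLE_SUBMISSIONS.transform_values { |params| verdict(params) }
  end
end

if __FILE__ == $PROGRAM_NAME
  CommentSpamCheck.classify_samples.each { |label, v| puts "#{label.ljust(16)} -> #{v}" }
end
```

The `:needs_fallback` verdict is the point sb8244 raises about scripting being off: the click token cannot distinguish a no-JS human from a no-JS bot, so those submissions need a separate path rather than a flat reject. Note also that the expected value is embedded in the page's script, so a bot that parses the HTML can reproduce it; as the thread says, this stops untargeted spam, not a targeted attack.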

@alex-hall
Contributor

alex-hall commented Jan 20, 2017 via email

@luigi
Member

luigi commented Jan 21, 2017

Thanks for keeping up with this y'all. Let's just do a ReCAPTCHA. Quickest to implement and most popular.

https://github.com/ambethia/recaptcha

@sb8244
Contributor

sb8244 commented Jan 21, 2017

The new ReCAPTCHA is great. The previous one was very difficult to use (would often take me 3-4 tries to get it right). I'd happily see the new v2 ReCAPTCHA implemented here. Is @alex-hall taking that?

There is one sticking point for me. Based on the volume of spam before / after the last solution implemented, plus the fact that a noscript solution was not implemented, I believe the current spam is coming from noscript bots. We should make sure that the iframe noscript solution that ReCAPTCHA provides is implemented in addition to the JS one.

Edit:

Looking back on https://github.com/codeforatlanta/connector/pull/52/files, it looks like this wouldn't support noscript at all. So the source of spam must just be more sophisticated bots than when this nocaptcha system was first implemented.

@sb8244
Contributor

sb8244 commented Jan 21, 2017

Here is the link to the noscript ReCAPTCHA documentation: https://developers.google.com/recaptcha/docs/faq#does-recaptcha-support-users-that-dont-have-javascript-enabled

@alex-hall
Contributor

alex-hall commented Jan 22, 2017 via email

@alex-hall
Contributor

Pull request submitted: #54
