[Pulp-dev] Spam on plan.io

Brian Bouterse bbouters at redhat.com
Wed Oct 31 17:28:47 UTC 2018


Below is what plan.io got back to me with. I list some options below that.

===== start message =======

Due to the structure of our regular plans, where each additional user comes
with a price attached, running Planio in combination with self registration
is a very rare use case. Consequently, the problems you're seeing are more
or less unique to pulp.plan.io.

Nevertheless, I would like to assure you that we are 100% committed to
supporting the open source projects which are hosted on Planio.

In order to find out what might be done to improve your situation, I had a
closer look at our web server logs. In the following table you may see the
user registrations on pulp.plan.io over the last 7 days.

Time of Registration (Berlin time)   Comment
----------------------------------   ------------------------------------------
2018-10-30 11:02                     Failed at email activation
2018-10-30 10:41                     Spam account - see ashutoshweb3.txt
2018-10-29 10:55                     Failed at email activation
2018-10-28 14:38                     Spam account - see rrbb45.txt
2018-10-27 11:03                     Did not post anything - see Himanshu0709.txt
2018-10-26 19:43                     Failed at email activation
2018-10-26 12:27                     Spam account - see itsalina.txt
2018-10-26 11:49                     Spam account - see peterjobs.txt
2018-10-25 13:46                     Spam account - see ketty33.txt
2018-10-25 11:54                     Spam account - see johnrenfroe.txt
2018-10-25 07:10                     Failed at email activation
2018-10-24 22:37                     Failed at email activation
2018-10-24 22:19                     Failed at email activation
2018-10-24 14:39                     Regular user

After taking a closer look at the user sessions of the successful spammers,
I think it's safe to say that pulp.plan.io is not attacked by automated
scripts, but by human users. Each session is very different. The time
spent on the registration page is relatively long. They are not only
requesting the plain web pages, but also additional assets.

Consequently, the obvious solution, i.e. adding a captcha to the
registration page, would not help with your situation.

Do you maybe have alternative ideas of how Planio could be more helpful in
addressing these issues? How would you address this situation in a
self-hosted environment?

===== end message =======

They make a compelling point that we probably won't do better on our own;
since these are real humans, they will be able to beat the captchas and
other Bayesian systems we would put into place in a self-hosted
environment. I think this leaves only two choices:

a) manage the spam better

b) create a "trusted users" group and have that allow users to either post
comments, post issues, or both and then disable those permissions for
"other accounts". This would prevent a new user from filing a bug in a
self-service way though.

c) add an approval step to the self-service registration

d) $other_idea

What should we do?



On Tue, Oct 30, 2018 at 9:50 AM Brian Bouterse <bbouters at redhat.com> wrote:

> I've contacted plan.io support about the untenable spam situation [0] in
> the Redmine tracker. I'll let you know what they say, and we can take it
> from there.
>
> [0]: https://pulp.plan.io/issues/67
>
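
The session signals plan.io describes above (time spent on the registration page, whether additional assets are requested), sketched as an added example that is not part of the original thread or Planio's tooling. It assumes an Apache-style access log, the registration path /account/register, grouping by client IP and a 10-second dwell threshold; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (documentation IPs, not real pulp.plan.io traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [30/Oct/2018:10:38:02 +0100] "GET /account/register HTTP/1.1" 200 5120
198.51.100.7 - - [30/Oct/2018:10:38:03 +0100] "GET /stylesheets/application.css HTTP/1.1" 200 9000
198.51.100.7 - - [30/Oct/2018:10:38:03 +0100] "GET /javascripts/application.js HTTP/1.1" 200 7000
198.51.100.7 - - [30/Oct/2018:10:41:10 +0100] "POST /account/register HTTP/1.1" 302 0
203.0.113.9 - - [30/Oct/2018:11:02:00 +0100] "GET /account/register HTTP/1.1" 200 5120
203.0.113.9 - - [30/Oct/2018:11:02:01 +0100] "POST /account/register HTTP/1.1" 302 0
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
ASSET = re.compile(r'\.(css|js|png|gif|ico|woff2?)(\?|$)')
REGISTER = "/account/register"  # assumed registration path
MIN_DWELL = 10                  # seconds on the form; assumed threshold

def classify(log_text):
    """Per client IP: seconds between loading and submitting the form, assets fetched."""
    sessions = defaultdict(lambda: {"form": None, "submit": None, "assets": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        s = sessions[ip]
        if ASSET.search(path):
            s["assets"] += 1
        elif path.split("?")[0] == REGISTER:
            if method == "GET" and s["form"] is None:
                s["form"] = when      # first time the form was loaded
            elif method == "POST":
                s["submit"] = when    # last submission wins
    result = {}
    for ip, s in sessions.items():
        if s["submit"] is None:
            continue  # visited but never registered
        dwell = (s["submit"] - s["form"]).total_seconds() if s["form"] else 0.0
        human = dwell >= MIN_DWELL and s["assets"] > 0
        result[ip] = {"dwell_s": dwell, "assets": s["assets"],
                      "verdict": "human-like" if human else "script-like"}
    return result

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A "human-like" verdict is the case the thread is worried about: a captcha would not stop it, which is why the options above focus on approval and permissions instead.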