trac registration, spam, etc

Jean-Paul Calderone jean-paul+tahoe-dev at leastauthority.com
Mon Jul 29 13:03:59 UTC 2019


Hi all,

A few weeks ago I disabled registration on trac due to the high volume of
spam coming in.  I've now managed to figure out how to enable some
additional spam filtering so I recently re-enabled registration.

Since the state of the art in spam filtering remains an arms race I
anticipate making a number of changes to the configuration in the coming
weeks in response to spam activity I observe on the system.

I'll share some things I've observed so far, as potential articles of
interest:

   - There were almost 400k entries in the session table.
   - Of these, 190k were authenticated.
   - Of these, 86k have a `last_visit` not equal to 0 (but it's not
   completely clear what this means).
   - 100 new unauthenticated sessions were created while I wrote this email.
   - The TracSpamFilter plugin thinks 189953 out of the 190121 registered
   users are probably spammers but it won't tell me why it thinks so, who they
   are, or give me a button to easily delete them.

I ended up building another tool for the trac management toolbox which can
go in and delete users that look like spammers to *me*.  This got us down
to about 200 users but this has since grown to 500, with the difference
presumably all being spam users.

Unfortunately it seems like many of the trac features in this area are
either not documented well enough to easily use or are just broken when
used with the version of trac we have deployed.  I had begun to hope that
switching off registration and using GitHub as an OAuth provider for
accounts would help a lot but my efforts to enable this have so far failed.

It's looking increasingly like migrating off of trac may not be any more
work than fixing the trac deployment to be tolerable.

For now, the end result is mainly that there is now an admin spam
monitoring page which can possibly be used to train spambayes to reject
more content.  I'm not particularly hopeful this will yield excellent
results but we shall see.

We probably need to begin to discuss what the replacement for trac for the
project is going to be.

Jean-Paul