Spam countermeasures?


#1

Our Phabricator instance is suffering from Chinese spam posts. Always 10 tasks created at the same time by a random character/digit newly created username. Example: https://lab.apertus.org/p/pti0520pa/
It happens every couple of days and requires an admin to manually clean out the tasks from the CLI - very annoying.

Now I am quite surprised that there are zero posts/reports/mentions of other people receiving spam in Phabricator or any countermeasures here on this forum or the internet in general. Are we really the only ones?
Enabling reCAPTCHA has had no success in stopping the spam posts.


#2

See https://secure.phabricator.com/T10215 for general discussion.


#3

@apertus: You definitely are not alone in dealing with spam. Wikimedia has seen some spam and vandalism, and quite a lot recently. We’ve resorted to requiring approval for new accounts, unfortunately, due to the lack of adequate countermeasures in Phabricator when configured as a public / open system.


#4

Very interesting, thanks for the feedback!

I now also switched our Phabricator to requiring approval for new accounts.

Do your admins just go through the approval queue and delete obvious random character spam accounts or do you ask real people to contact you for getting their accounts approved?


#5

We were doing a combination of disabling obvious spam accounts plus approving those who got ahold of us in IRC. We are no longer requiring approval thanks to an anti-spam/anti-vandalism extension that I have been working on. I was inspired by “SecureShieldsUpAction” and built a Herald action which responds to task creation and editing activity. I intend to release the source under an open license in the near future; see https://phabricator.wikimedia.org/T202080 to follow the status of that release.


#6

That’s great! I will check the task regularly.


#7

Well, it does take place. Latest example in upstream is the bot using https://secure.phabricator.com/p/GoogleLegacy/ :frowning: