= phenomenon =
Recently, the NEEDS_TRIAGE tickets section of the https://fedorahosted.org/pki/ website has been SPAMMED with what appears to be several bot-based random SPAM messages.
= recommendation =
Currently, we have simply performed batch moves of the SPAM messages to the N/A milestone, but this is time-consuming and annoying.
My research revealed http://trac.edgewall.org/wiki/SpamFilter, but the plug-in states the following:
{{{
This plugin allows different ways to reject contributions that contain spam. It requires at least Trac release 1.0. The source code for version 0.12 and before isn't updated any more, but is still available.
}}}
Unfortunately, the PKI TRAC instance appears to be the following version and therefore does not have the older version of SpamFilter installed:
{{{
System Information
Trac 0.12.5
Babel 0.9.4
Docutils 0.6
Genshi 0.6 (without speedups)
Mercurial 1.4
mod_wsgi 3.2 (WSGIProcessGroup WSGIApplicationGroup %{GLOBAL})
Pygments 1.1.1
pysqlite 2.3.5
Python 2.6.6 (r266:84292, May 22 2015, 08:34:51) [GCC 4.4.7 20120313 (Red Hat 4.4.7-15)]
pytz 2010h
RPC 1.1.0
setuptools 0.6
SQLite 3.6.20
Subversion 1.6.11 (r934486)
jQuery: 1.4.4

Installed Plugins
AdvancedTicketWorkflowPlugin 0.11dev /usr/lib/python2.6/site-packages
BatchModify 0.8.0-trac0.12 /usr/lib/python2.6/site-packages
CondFieldsGenshiPlugin 0.2 /usr/lib/python2.6/site-packages
DefaultCc 0.3dev /usr/lib/python2.6/site-packages
IniAdmin 0.2 /usr/lib/python2.6/site-packages
NavAdd 0.1 /usr/lib/python2.6/site-packages
sensitivetickets 0.21 /usr/lib/python2.6/site-packages
trac-fedmsg-plugin N/A /usr/lib/python2.6/site-packages/trac_fedmsg_plugin.pyc
TracAuthOpenId 0.4.6 /usr/lib/python2.6/site-packages
TracBzr 0.4.2 /usr/lib/python2.6/site-packages
TracCGit 1.0.4 /usr/lib/python2.6/site-packages
TracCodeComments 1.2.0-alpha2 /usr/lib/python2.6/site-packages
TracCustomFieldAdmin 0.2.6 /usr/lib/python2.6/site-packages
TracDoxygen 0.11.0.2 /usr/lib/python2.6/site-packages
TracGit 0.12.0.5dev /usr/lib/python2.6/site-packages
TracMasterTickets 3.0.3 /usr/lib/python2.6/site-packages
TracMercurial 0.12.0.29dev /usr/lib/python2.6/site-packages
TracPrivateTickets 2.0.2 /usr/lib/python2.6/site-packages
TracSumFields 1.0.1 /usr/lib/python2.6/site-packages
TracTicketTemplate 0.7 /usr/lib/python2.6/site-packages
TracTocMacro 11.0.0.3 /usr/lib/python2.6/site-packages
tracvatar 1.9 /usr/lib/python2.6/site-packages
TracWatchlistPlugin 0.5 /usr/lib/python2.6/site-packages
TracWorkflowAdmin 0.12.0.2 /usr/lib/python2.6/site-packages
TracXMLRPC 1.1.0 /usr/lib/python2.6/site-packages
}}}
We would be interested in potentially having the CAPTCHA-style "human" verification be integrated into the PKI TRAC interface as provided via the SpamFilter plug-in, but it is believed that the first course of action requires updating the PKI TRAC instance to be running TRAC 1.0.
This leads to the following questions: Would it be possible to upgrade to TRAC 1.0 or later? Is there another alternative that other projects are using for SPAM prevention?
We are actually looking at an upgrade to trac 1.0 before too long. We want to move to a rhel7 based fedorahosted. We don't have a specific timeline for this yet, just as soon as we can get everything in place.
We may want to look at our captcha on fedora account system accounts, as it seems like all these people got past that to spam, perhaps something is failing there. ;(
There's nothing else I know of that people are using for spam prevention, it's just not been a problem until recently. ;(
Sorry for the delay here, we have been tracking down this issue and working on tooling.
We have now:
Sorry for this incident, but hopefully we have it fixed up now.
Please re-open if there's anything else we can do for you or you notice something we missed. Thanks.