CivicTechAtlanta / connector

A management tool for the brigade's projects
BSD 3-Clause "New" or "Revised" License

Lots of spam in project comments #46

Open dydx opened 8 years ago

dydx commented 8 years ago

This is pretty intense!

http://www.codeforatlanta.org/projects/2

3400+ spam posts

I'd suggest either disabling the anonymous comment feature, or at least adding a captcha system to it.

I can work on this a little tonight

sb8244 commented 8 years ago

Wow, thanks for noticing!

@luigi any thoughts? We can put a captcha on it

luigi commented 8 years ago

I think we should force a sign in to comment.

dydx commented 8 years ago

Yeah, that would really be the most straightforward solution.

sb8244 commented 8 years ago

A few years ago, I was deploying a captcha-less captcha which stopped > 99% of spam (assuming you don't get targeted). It had no impact on users and worked great. We could try that before limiting the functionality of the app.

luigi commented 8 years ago

Using a honeypot? I made this a while ago:

https://github.com/sunlightlabs/rack-honeypot

sb8244 commented 8 years ago

Honey pots work, but this was a little different. It had a hidden element which started as value 0. When you click on the form (element, button, etc.), it would change the value to a known value. The server then checks that this param is correct to know that a real click event happened.

It operates by knowing that most spam bots don't actually do things on the window, so focus events (which are window only events) won't fire.

luigi commented 8 years ago

Ah right, so the opposite of a honeypot (the spambot won't fill in the correct value). Makes sense.

alex-hall commented 7 years ago

Is this still a priority @luigi? A simple fix would be to remove the else statement here and add validation in the comments controller.

EDIT: I'll gladly submit a pull request for this...

sb8244 commented 7 years ago

Hey @alex-hall. I submitted a PR a while ago and manually cleaned the existing comments. I haven't checked, but I think it's taken care of. We still do want anonymous commenting.

sb8244 commented 7 years ago

It looks like there is still spam. This is possibly human submitted spam, which a honeypot or captcha wouldn't catch. It's significantly less than before though. Curious for @luigi thoughts here.

alex-hall commented 7 years ago

Thanks for the reply @sb8244.

Yeah there will always be some % of spam no matter what. But taking a cursory glance at the comments, it's like 50:1 spam to legitimate anonymous comments.

If anonymous comments are absolutely required then a captcha solution really has to be implemented.

sb8244 commented 7 years ago

I'd like to record the parameters passed up with comments to see what people are submitting parameter wise. There might be an edge case when JS is turned off with how this works. We can put a really simple honey pot for that, though.

The hidden captcha system should kill nearly all spam, unless there's a targeted attack. I believe scripting off is the most likely culprit, which is easily fixed.
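The hidden-field "captcha-less captcha" sb8244 describes above, combined with a plain honeypot for the scripting-off edge case, as an added example that is not the connector project's code. The field names, the expected value and the module name are assumptions for illustration; a Rails comments controller could call `reject_reason` before saving.

```ruby
# Added example (not the connector project's own code): server-side check for
# the two anti-spam techniques discussed in this thread.
#
# 1. Honeypot: a hidden "website" field a human never fills in.
# 2. "Captcha-less captcha": a hidden "interaction" field that starts at "0"
#    and is flipped by a focus/click handler to a value the server knows.
#    Bots that post the raw form without firing window events leave it at "0".
#
# Field names and INTERACTION_VALUE are constructed for this example.
module CommentSpamCheck
  HONEYPOT_FIELD    = "website"
  INTERACTION_FIELD = "interaction"
  INTERACTION_VALUE = "7f3a" # constructed; a real app would generate it per session

  # Markup for the two hidden fields plus the handler that sets the
  # interaction value on the first focus event inside the form.
  def self.hidden_fields_html
    <<~HTML
      <input type="text" name="#{HONEYPOT_FIELD}" value="" style="display:none" tabindex="-1" autocomplete="off">
      <input type="hidden" name="#{INTERACTION_FIELD}" value="0">
      <script>
        document.addEventListener("focusin", function (e) {
          var f = e.target.form;
          if (f && f["#{INTERACTION_FIELD}"]) f["#{INTERACTION_FIELD}"].value = "#{INTERACTION_VALUE}";
        });
      </script>
    HTML
  end

  # Returns nil for a submission that passes, or a symbol naming which check
  # failed. Logging the reason gives the "record the parameters" visibility
  # mentioned above without storing the whole comment body.
  def self.reject_reason(params)
    honeypot = params[HONEYPOT_FIELD].to_s
    return :honeypot_filled unless honeypot.strip.empty?

    token = params[INTERACTION_FIELD].to_s
    return :missing_interaction if token.empty?
    # "0" is the untouched default: JS is off, or the bot never interacted.
    return :no_interaction if token == "0"
    return :bad_interaction unless token == INTERACTION_VALUE

    nil
  end

  def self.spam?(params)
    !reject_reason(params).nil?
  end
end
```

A `:no_interaction` result is the noscript case the comment above worries about, so it is worth counting separately from `:honeypot_filled` before deciding whether a noscript fallback is needed.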

alex-hall commented 7 years ago

Let me know if you find anything interesting with the params route, but I feel it's important to mention this issue has been open for more than a year now.

It might be time to bite the bullet and implement a Captcha rather than spending time tweaking a honey pot solution.

luigi commented 7 years ago

Thanks for keeping up with this y'all. Let's just do a ReCAPTCHA. Quickest to implement and most popular.

https://github.com/ambethia/recaptcha

sb8244 commented 7 years ago

The new ReCAPTCHA is great. The previous one was very difficult to use (would often take me 3-4 tries to get it right). I'd happily see the new v2 ReCAPTCHA implemented here. Is @alex-hall taking that?

There is one sticking point for me. Based on the volume of spam before / after the last solution implemented, plus the fact that a noscript solution was not implemented, I believe the current spam is coming from noscript bots. We should make sure that the iframe noscript solution that ReCAPTCHA provides is implemented in addition to the JS one.

Edit:

Looking back on https://github.com/codeforatlanta/connector/pull/52/files, it looks like this wouldn't support noscript at all. So the source of spam must just be more sophisticated bots than when this nocaptcha system was first implemented.

sb8244 commented 7 years ago

Here is the link to the noscript ReCAPTCHA documentation: https://developers.google.com/recaptcha/docs/faq#does-recaptcha-support-users-that-dont-have-javascript-enabled

alex-hall commented 7 years ago

Thanks for the references. I'll take a look at this today.

alex-hall commented 7 years ago

Pull request submitted: #54