Spam is still getting through

[mathiasbynens]

E.g.

https://jsperf.com/manny0899231
https://jsperf.com/https-imgur-com-gallery-bb4dz

Any ideas?

---

It would be nice if we could whitelist admin accounts (i.e. our own + some trusted folks) who could then access e.g. https://jsperf.com/some-test-case/spam to mark https://jsperf.com/some-test-case as spam, i.e. delete the test + blacklist the GitHub account that was used to create this test.

This same whitelist could be used to unlock /delete functionality on tests and comments.

• [ ] map pages to GitHub accounts in the database, i.e. add authorGitHub field to pages table (which contains the user’s GitHub identifier) (#153 needs this too)
• [ ] implement admin safelist (of GitHub identifiers)
• [ ] use admin safelist to enable /spam and /delete features

[maxbeatty]

nothing stopping spammers form registering for new github accounts. blacklist creators of spammy tests?

[mathiasbynens]

comment moved to OP

[remy]

Couple of ideas (mostly from my own experience with jsbin):

• Hellban over blacklist (and I'd hellban the user by ip, so they could see their content even if they were signed out but the ip matched)
• potentially use github repo and gist count as an indicator of whether extra validation is required, ie. If no repos or gists, then you need to validate your email address before posts are public
• jsbin has a black list regexp (private) that prevents bins containing certain phrases from saving entirely (again, this is silent, akin to hellbanning)
• I found zero success on reporting spam, but it's worth adding a link to notify (if you don't have it already)
• bins posted on Facebook counted for a lot of spam, so if a bin is loaded and the referrer is facebook, it has a negative flag and potentially spammy mark.

I know the author of rawgit had some post about spam too, you may have read it already, but if you can find it, some useful bits in there too (sorry, typing from mobile so can't easily go hunting).

[bd82]

No relevant experience, but could limiting the max number of actions (editing/posting) per user per time period combined with requiring minimum "age" for the github accounts help?

Example (arbitrary numbers, replace as needed):

• At most 10 new test cases per day.
• At most 50 new test cases per month.
• Github account must be 48 hours old hours old.
• For github accounts younger than 48 hours only a single test case may be created.

If a spammer requires 100,000+ github accounts to be effective won't that (hopefully) cause them difficulties with github's DOS prevention mechanisms(technical and legal)?

[tomByrer]

I vote:

• Need to login with Github/Gitlab/Atlassian account
• filter the test for blacklisted domains
• allow users to flag (also helps with non-functional tests with no results that I keep finding)
• mods as described in OP

[oriadam]

Not sure of related, but I cannot add new tests. Keep getting the "I'm not a robot" screen of cloudflare, pass it successfully, and getting the same page back - without my tests. Tried it tons of times on different computers and locations. Not sure if my github user is blocked, my country's IP is blocked, or am I just really unlucky.

I suggest that blocked users/IPs (for any reason) will not be able to type in the tests in the first place. It's very frustrating to add 5 tests, hit submit, pass the captcha - only to find out that it was all for nothing.

[farwayer]

I would be happy to have access to delete functionality for regular users also. At least for non-published tests. Just created temp test and can't delete it now :disappointed:

[madskonradsen]

Could we kill the "Latest" page? It's the only place where the spam really is visible, and if the spam isn't visible I guess it takes the fun out of it for the spammers?

[mathiasbynens]

It’s not just /latest, but also /popular and feeds…

[woj-tek]

I just found out about the project and was really excited (starting with javascript) but the amount of spam is really discouraging so +1 for adding any form of validation (mail/github)

[PlNG]

There must be a successful jsperf test run with some code before it can be published publicly. Edits to tests must also adhere to the requirement.

This will work against straight link dropping form filler spam.

[dead-claudia]

Stopping by to drop a specific example of one account, if that helps you out any.

[dead-claudia]

@mathiasbynens Oh, and after about ~30 min of perusing, here's a list of Google searches to try, which amount to near-100% spam. Oh, and you might notice quite a few spam networks in that mix (and you might want to start looking at the GH usernames in the database to spot patterns and start banning them and targeting their posts/comments more effectively).

Just as a heads up, most of those are safe to nuke from orbit without much interpretation.

[mathiasbynens]

@isiahmeadows

and you might want to start looking at the GH usernames in the database to spot patterns and start banning them and targeting their posts/comments more effectively

The GitHub usernames are currently not tracked in the database. See https://github.com/jsperf/jsperf.com/issues/312.

[dead-claudia]

@mathiasbynens I read that after I made the comment... (Probably should've edited that to clarify...)

But yeah, if you have any sort of identifying info, you might be able to figure out some of them.

I'll note that comments seem to have their GH users tracked, though - otherwise, I wouldn't have been able to click the "aa" username from some of those comments and trace it to the particular deleted GitHub user.

[insign]

Recaptcha and CloudFlare are two great solutions