spam comments on Phabricator

[ChristianKuehnel]

from meeting on 2022-03-01:

• example: https://reviews.llvm.org/rTa77ad335b95d4e004b0536c2a194ad247201c0fc
  • We disabled that user account.
  • There are probably more users creating spam, so we need a systematic solution.
• We should involve the @joker-eph in the discussion as Phabricator admin.
• ideas going forward:
  • Do we require a GitHub or Google account? If so, how do we enforce this?
  • Can you create accounts through the Conduit API or some other back channel?
  • Can we search/filter for users that did not verify their email accounts and then disable them?

[joker-eph]

We disabled registration through email for a while now, we only accept GitHub and Google accounts, I think this one is a GitHub one: https://github.com/robernmiles I was hoping that GitHub would do a better job at verification :(

[asl]

@joker-eph Looks like this might be circumvented somehow. This is the user I just disabled: https://reviews.llvm.org/people/manage/24413/

[ChristianKuehnel]

GitHub one: https://github.com/robernmiles

I opened an abuse report on GitHub.

How did you see that this was a GitHub user account?

I just disabled these users:

• https://reviews.llvm.org/people/manage/24284/
• https://reviews.llvm.org/people/manage/24310/
• https://reviews.llvm.org/people/manage/24323/
• https://reviews.llvm.org/people/manage/23549/

All were spamming on the same commit: https://reviews.llvm.org/rTa77ad335b95d4e004b0536c2a194ad247201c0fc#1061165 I removed also removed their comments on that commit.

[ChristianKuehnel]

And I found a couple of more suspicious accounts by scanning through the recent activities:

• https://reviews.llvm.org/p/jaipurescortservice/
• https://reviews.llvm.org/p/hondaservice856/
• https://reviews.llvm.org/p/Javinishka/
• https://reviews.llvm.org/p/lorinthomes/
• https://reviews.llvm.org/p/daintreesolutions/
• https://reviews.llvm.org/p/bookbangaloregirls/
• https://reviews.llvm.org/p/spiritualityinveins/
• https://reviews.llvm.org/p/mxd874507440/

Looks like someone has a way of creating these in an automated way. The logins are mostly coming from different IP addresses.

[joker-eph]

I opened an abuse report on GitHub.

That was a bit fast, I was still investigating!

I went through the database and figured these are all Google accounts!

[joker-eph]

I also enabled email verification now: I checked from my google account and the verification applies. I don't know if these scripts are good enough to follow the link from the verification emails, but the screen it leads to requires to click on a button to confirm.

[ChristianKuehnel]

Discourse discussion on this topic: https://discourse.llvm.org/t/spam-accounts-on-phabricator/60631

[ChristianKuehnel]

no progress here, unclear how to proceed, removing from backlog