Opened 13 months ago

Last modified 12 months ago

#27409 new defect

improve captcha used by trac

Reported by: cypherpunks3
Owned by: qbi
Priority: Medium
Milestone:
Component: Internal Services/Service - trac
Version:
Severity: Normal
Keywords: cypherpunks, captcha, spam
Cc: hiro
Actual Points:
Parent ID: #26752
Points:
Reviewer:
Sponsor:

Description

In July, the cypherpunks account was locked down due to spam. teor says:

The vandal(s) are already passing the captcha test, which is why they post updates every minute or so.

Change History (5)

comment:1 Changed 13 months ago by cypherpunks3

What is the current captcha plugin being used right now?

comment:2 Changed 13 months ago by qbi

Currently the ExpressionCaptcha is used.

comment:3 in reply to:  2 Changed 13 months ago by cypherpunks3

Using this plugin, right?

If we switch to ImageCaptcha instead of the default ExpressionCaptcha ( https://trac.edgewall.org/wiki/SpamFilter#Captcha notes that the simple text-based ExpressionCaptcha is easily bypassed and not recommended, so no idea why it's still the default), can we try lifting the restrictions on the cypherpunks account?

What about other tweaks like Bayesian filtering, didn't the spammer have one thing in particular they advertised? Could also reduce the amount of karma earned from each solved captcha.

comment:4 Changed 12 months ago by qbi

I changed the CAPTCHA to ImageCaptcha and will see how this evolves.

A problem I see with the cypherpunks account is not necessarily related to CAPTCHAs. If we lift the restrictions the cypherpunks account can do all sorts of bad stuff. So personally I'd like to see what happens. But if someone goes berserk again, there need to be restrictions again.

comment:5 in reply to:  4 Changed 12 months ago by cypherpunks3

Replying to qbi:

I changed the CAPTCHA to ImageCaptcha and will see how this evolves.

A problem I see with the cypherpunks account is not necessarily related to CAPTCHAs. If we lift the restrictions the cypherpunks account can do all sorts of bad stuff.

Well yeah, but 'anonymity can be used for bad' was always true, but the account existed anyway. It was useable until extremely recently, and the project managed to survive for years until what was possibly a single spammer noticed they could trivially solve the ExpressionCaptcha.

So personally I'd like to see what happens. But if someone goes berserk again, there need to be restrictions again.

The restrictions that are still in place right now? Is there a plan to lift any of them at all to try the new captcha?

It looks like cypherpunks can't even edit trac wiki pages, which is an even more recently added restriction. Let alone reply to or file trac tickets.

Why were there no trac tickets filed for making these changes that were judged necessary to fix the vandal problem, anyway? It's not even clear when the changes happened, and there was no explanation for why they happened anywhere but on the mailing list, well after they had been done, and only in reply to someone asking about undoing them. (Meanwhile the more recent wiki restriction has no explanation at all anywhere.)
