On 09/05/2018 10:39 AM, David Galloway wrote:
>
> On 08/29/2018 12:38 PM, David Galloway wrote:
>>
>> On 08/28/2018 04:33 PM, Nathan Cutler wrote:
>>>> I think this is going to be the only surefire way we can prevent this
>>>> from happening again.
>>>>
>>>> Alternatively, I could block certain user agents (one in particular was
>>>> used this time) and add a Captcha to the registration page.
>>>>
>>>> I'd like the community's input.
>>>
>>> Non-member issue creation is widely used. It would suck if one had to be
>>> a developer to create Redmine issues (i.e., report bugs).
>>>
>>> So, my vote goes to the second option.
>>>
>>> Thanks, David, for fighting this anti-social behavior.
>>>
>>
>>
>> Okay, I've added a Captcha to the registration page, blocked the User
>> Agent that was creating spammy issues, and re-enabled issue creation for
>> regular users.
>>
>> Fingers crossed.
>>
>
> The spammers are somehow successfully passing the Captcha on the
> registration page so more spam issues have been created over the past week.
>
> I just created a fail2ban rule to block excessive issue creation (I'm
> intentionally leaving details out so they can't be used against me/us).
> This will reduce but not block spam entirely. I'm not sure adding a
> Captcha to the issue creation page would help but that's next.
>

Whatever tool is being used to create the spammy issues must use a long
keepalive which is no surprise. This means the TCP connection remains
open even after the firewall rule has been put in place to block the IP.

I just added a reCaptcha when creating or editing issues if a user is
not a member of a group (this is the default for new accounts).