On 9/6/18 11:55 AM, David Galloway wrote:
> On 09/05/2018 10:39 AM, David Galloway wrote:
>>
>> On 08/29/2018 12:38 PM, David Galloway wrote:
>>>
>>> On 08/28/2018 04:33 PM, Nathan Cutler wrote:
>>>>> I think this is going to be the only surefire way we can prevent this
>>>>> from happening again.
>>>>>
>>>>> Alternatively, I could block certain user agents (one in particular was
>>>>> used this time) and add a Captcha to the registration page.
>>>>>
>>>>> I'd like the community's input.
>>>>
>>>> Non-member issue creation is widely used. It would suck if one had to be
>>>> a developer to create Redmine issues (i.e., report bugs).
>>>>
>>>> So, my vote goes to the second option.
>>>>
>>>> Thanks, David, for fighting this anti-social behavior.
>>>>
>>>
>>>
>>> Okay, I've added a Captcha to the registration page, blocked the User
>>> Agent that was creating spammy issues, and re-enabled issue creation for
>>> regular users.
>>>
>>> Fingers crossed.
>>>
>>
>> The spammers are somehow successfully passing the Captcha on the
>> registration page so more spam issues have been created over the past week.
>>
>> I just created a fail2ban rule to block excessive issue creation (I'm
>> intentionally leaving details out so they can't be used against me/us).
>> This will reduce but not block spam entirely. I'm not sure adding a
>> Captcha to the issue creation page would help but that's next.
>>
>
> Whatever tool is being used to create the spammy issues must use a long
> keepalive which is no surprise. This means the TCP connection remains
> open even after the firewall rule has been put in place to block the IP.
>
> I just added a reCaptcha when creating or editing issues if a user is
> not a member of a group (this is the default for new accounts).
>

These measures had helped cut down on the spam for a while but they're back. I just enabled a setting that will require a Redmine admin to approve accounts after registration.
This may only be a temporary stopgap until I can find a more clever solution.