Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#1569 closed task (fixed)

Remove message captcha

Reported by: planetcruiser Owned by: coroa
Priority: critical Milestone: 0.5.6 - bugfixing
Component: BW Mail Keywords: captcha Spam contact member
Cc:

Description (last modified by planetcruiser)

Issue:

Solution:

  • We need to find other ways to fight abuse, so for now I suggest removing the captcha altogether

Related tickets:

Change History (15)

comment:1 Changed 7 years ago by planetcruiser

  • Milestone changed from unassigned to 0.5.6 - bugfixing

comment:2 Changed 7 years ago by planetcruiser

  • Description modified (diff)

comment:3 Changed 7 years ago by jeanyves

This captcha was added to prevent Nigerian spam ("my parents died in a plane crash, I need you to withdraw $5 000 000 from a Swiss bank, 10% for you ...").

I proposed it and it was decided (not by me) after some heavy spam.

It was supposed to work as follows: while someone has no positive comment, he has to fill in a captcha to contact another member. There was also a feature to force someone to fill in a captcha regardless of the comment he has (it was a precaution in case of spam suspicion, never used as far as I remember).

Problem: Currently this captcha has no effect (it is a regression after the messages have been moved to row); I think this is a bug.

Other problem: just today, Thorgal67 asked me to ban a member who has sent spam (typical Nigerian spam). I checked: this member has sent his spam to 593 of the active BW members.

It took one day to detect it. Too late.

So, I think this captcha (until we have something better and efficient) still makes sense. I understand that new members who just subscribe and want to send a request for host to 50 hosts in Barcelona will not like it. For now, I think the constraint (captcha mandatory for people without comment - when it works) is less of a problem than the 593 spam.

Last edited 7 years ago by jeanyves

comment:4 Changed 7 years ago by jeanyves

  • Keywords captcha Spam contact member added
  • Summary changed from Remove message captcha to Remove message captcha + Catptcha has no effect

comment:5 Changed 7 years ago by planetcruiser

  • Summary changed from Remove message captcha + Catptcha has no effect to Remove message captcha

@jeanyves: thanks for the feedback. i had no idea we had nigerian spammers. but anyway, if i were a spammer i would just open 2 different accounts, give myself a positive comment, and bam! i can spam. a captcha is no solution against human spammers. a "flag this user" or similar is a very good protection.

i mean, spammers follow patterns, e.g. send many messages per hour. we need to recognise these patterns and work against them. annoying all users with features against a few black sheep, and blocking blind users, can't be a solution. i mean, cs and other online communities also manage without captcha, right?

please open another ticket for "Catptcha has no effect", and add it to "related tickets". sorry, several issues in one ticket make things too confusing

comment:6 Changed 7 years ago by planetcruiser

if the captcha actually doesn't block a message if filled out incorrectly then that's a real bug for sure. this ticket here should be seen as a quick temporary "solution" until the captcha is a little bit smarter and doing its job

Last edited 7 years ago by planetcruiser

comment:7 Changed 7 years ago by coroa

  • Owner set to coroa
  • Status changed from new to accepted

already went over the respective code, while fixing the spam report mark.

comment:8 follow-up: Changed 7 years ago by coroa

there was some logic back in bw/mymessages.php to check before sending email, that the member has more than some number (3?) of sent messages which were marked as spam during some time duration (a week?).

i could tweak the code to only show the captcha when such a condition is fulfilled to slow a potential spammer down and give the reported spam-checkers more time to react.

if everybody is fine with that i would prepare two topic branches:

  1. captcha check removed (should be done soon)
  2. logic proposed above

is there some better way to slow spammers down? limited number of messages per day if above condition is true (more than some number of spam messages during time)? opinions?

comment:9 in reply to: ↑ 8 Changed 7 years ago by planetcruiser

Replying to coroa:

> i could tweak the code to only show the captcha when such a condition is fulfilled to slow a potential spammer down and give the reported spam-checkers more time to react.

yes, i think this is standard, only to show a captcha if suspicious activity is detected. but where to draw the line? i sent a message to 8 members at my next travel destination within one hour the other day.

so, maybe show a captcha after 10 messages per hour? and only for members without comments? not sure.

> if everybody is fine with that i would prepare two topic branches:
>
>   1. captcha check removed (should be done soon)
>   2. logic proposed above

i am fine if you simply commit to develop.

> is there some better way to slow spammers down? limited number of messages per day if above condition is true (more than some number of spam messages during time)? opinions?

hm, difficult to say. maybe we should ban members from sending messages entirely after they have been flagged as spammer and show something like "Your messages were reported by several members as spam. Therefore we have blocked you for now. If you feel this is a mistake, please contact our abuse volunteers at xxx".

as stated above, i don't think a captcha is going to discourage any person from sending spam. it takes 5 seconds to solve. to my knowledge captchas are mainly there to block scripted spam.

so i'm sticking with my suggested solution: remove the captcha (and find more effective ways to fight the few spammers we have)

comment:10 Changed 7 years ago by planetcruiser

coroa: what shall we do? my suggestion is to simply remove the captcha for now until it is fully working and open another ticket a la "bring back message captcha and make it smart" with a pointer to this ticket here. do you think you could do this in the next 2 days before the milestone will be released? otherwise please assign the ticket to me.

btw: i didn't see a single message marked as spam in the past few weeks.

comment:11 follow-up: Changed 7 years ago by coroa

ok, sorry. the remove message captcha functionality has been already living happily on a local branch of mine for quite some time now (committed as 54ad712). and i was halfheartedly trying different smart counter spam approaches.

a branch which disallows sending any messages if one has more than 5 messages marked as spam which were sent during the last week is pretty much ready. (ETA this weekend).

i don't mind if we move that to a new ticket.

comment:12 Changed 7 years ago by coroa

  • follow_up changed from none to move to alpha

comment:13 in reply to: ↑ 11 Changed 7 years ago by planetcruiser

  • Resolution set to fixed
  • Status changed from accepted to closed

Replying to coroa:

> i don't mind if we move that to a new ticket.

ok. please create one and attach it to the next milestone (0.5.7)

i tested sending a message on alpha as meinhard_test and no captcha was displayed - closing

comment:14 Changed 7 years ago by globetrotter_tt

Last week, one guy signed up and immediately managed to send 306 scam messages in 3h. His status was "pending", but he had a real-looking address, so he would have probably been accepted. After we received a couple of complaints, i kicked him. In total his profile lasted only a couple of hours, but the damage he did was quite impressive. At least one member asked to get deleted from bewelcome because of this incident. We should really think about a message limit and probably also a content-based filter, as i could easily find the content of the message on several other websites.

comment:15 Changed 7 years ago by planetcruiser

  • Description modified (diff)

ouch. ok, the new ticket for messaging limits is #1588
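
The limits discussed in comments 9, 11 and 14, combined into one send-time decision and replayed over a burst shaped like the one in comment 14. This is an added example, not part of the ticket or of the BeWelcome code base; the function names, the report rate of every 40th message and the replay simplifications are assumptions.

```python
from datetime import datetime, timedelta

SPAM_REPORT_LIMIT = 5             # comment 11: more than 5 reported messages...
SPAM_WINDOW = timedelta(days=7)   # ...sent during the last week -> no sending
HOURLY_LIMIT = 10                 # comment 9: captcha after 10 messages per hour
HOURLY_WINDOW = timedelta(hours=1)


def decide(sent, now, has_positive_comment):
    """Verdict for the next message of one member.

    sent: list of (sent_at, reported_as_spam) for messages already sent.
    Returns "block", "captcha" or "allow".
    """
    reported = sum(1 for at, spam in sent if spam and now - at <= SPAM_WINDOW)
    if reported > SPAM_REPORT_LIMIT:
        return "block"
    recent = sum(1 for at, _ in sent if now - at <= HOURLY_WINDOW)
    if recent >= HOURLY_LIMIT and not has_positive_comment:
        return "captcha"
    return "allow"


def replay(attempts, has_positive_comment=False):
    """Run decide() over chronological (sent_at, reported) attempts.

    Simplifications (assumed): a captcha is always solved, a blocked message
    is never sent, and a spam report is visible as soon as the message is sent.
    """
    sent, verdicts = [], []
    for at, reported in attempts:
        verdict = decide(sent, at, has_positive_comment)
        verdicts.append(verdict)
        if verdict != "block":
            sent.append((at, reported))
    return verdicts


def constructed_burst(count=306, gap_seconds=35, report_every=40):
    """Constructed data shaped like comment 14: 306 messages in about 3 hours."""
    start = datetime(2000, 1, 1, 12, 0)  # arbitrary start time
    return [(start + timedelta(seconds=i * gap_seconds), i % report_every == 0)
            for i in range(count)]


if __name__ == "__main__":
    verdicts = replay(constructed_burst())
    for name in ("allow", "captcha", "block"):
        print(name, verdicts.count(name))
```

With these constructed inputs the captcha starts at the 11th message but does not stop a human sender; delivery only ends once the sixth report lands, which is why the outcome depends on how quickly recipients report.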
