Closed
Bug 1119532
Opened 9 years ago
Closed 9 years ago
[spam] bot blocker for account/profile creation
Categories
(developer.mozilla.org Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: aspivak, Assigned: groovecoder)
References
Details
(Whiteboard: [LOE:?])
Implement features (honeypot, etc.) that will block bots from creating spam profiles in MDN.

Samples of spam profiles:

Typical:
https://developer.mozilla.org/en-US/profiles/ashleyrosa2754
https://developer.mozilla.org/en-US/profiles/WilliamsJohn682
https://developer.mozilla.org/en-US/profiles/ramonpribnow
https://developer.mozilla.org/en-US/profiles/Hometwone01 (https://developer.mozilla.org/admin/users/userprofile/194663/)

New trend, also creates a github account:
https://developer.mozilla.org/en-US/profiles/SuitlandMD24
https://developer.mozilla.org/en-US/profiles/SevernaParkMD2
Reporter
Updated•9 years ago
Summary: bot blocker for account/profile creation → [spam] bot blocker for account/profile creation
Comment 1•9 years ago
Question: Should obvious bot submissions have their IP automatically banned? I think so.
Comment 2•9 years ago
In bug 1119545 I have been using a data export to explore profile data. Most recently I found some patterns relevant to this bug:

* A huge number of spammy profiles have populated the URL and bio fields, but have 0 revisions
* A huge number of spammy profiles have usernames that are random gibberish or include digits (for example, of the 23,913 profiles that include a URL, 11,435 have a digit in their username).

The second point above suggests to me that spam profiles are being created with automation, and we could prevent them by building this feature.

:groovecoder, can we get an LOE on...

1. Add honeypot fields to profile create and edit screens
2. When profiles created or edited include those fields, ignore the request but do not indicate that in the response

Optionally...

3. Ban the IP with django-banish
Whiteboard: [LOE:?]
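Added example, not part of the bug thread and not kuma's or django-honeypot's code: a framework-free sketch of steps 1 to 3 from comment 2, where a filled trap field causes the request to be ignored while the response stays identical to a real success. The `Request` and `Store` stand-ins, the field name `website_confirm`, and the redirect target are assumptions.

```python
from dataclasses import dataclass, field
from functools import wraps

HONEYPOT_FIELD = "website_confirm"  # assumed name; rendered but hidden from humans via CSS
SAVED = {"status": 302, "location": "/profile/saved"}  # assumed normal success response


@dataclass
class Request:  # minimal stand-in for a framework request object
    ip: str
    post: dict


@dataclass
class Store:  # in-memory stand-in for the profile table and the ban review list
    profiles: list = field(default_factory=list)
    ban_candidates: set = field(default_factory=set)


def honeypot_protected(store):
    """Drop submissions that fill the trap field, but answer exactly as on success."""
    def decorator(view):
        @wraps(view)
        def wrapper(request):
            if str(request.post.get(HONEYPOT_FIELD, "")).strip():
                store.ban_candidates.add(request.ip)  # step 3 (optional): feed a ban list
                return dict(SAVED)  # step 2: nothing saved, response gives no hint
            return view(request)
        return wrapper
    return decorator


def demo():
    store = Store()

    @honeypot_protected(store)
    def save_profile(request):
        store.profiles.append(request.post["username"])
        return dict(SAVED)

    # Constructed submissions: a person never sees the hidden field, a form-filling bot fills it.
    human = Request("198.51.100.7", {"username": "alice", HONEYPOT_FIELD: ""})
    bot = Request("203.0.113.9", {"username": "xk29qz", HONEYPOT_FIELD: "http://spam.example/"})
    return save_profile(human), save_profile(bot), store


if __name__ == "__main__":
    print(demo())
```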
Assignee
Comment 3•9 years ago
I'm looking at this library from sunlightlabs: https://github.com/sunlightlabs/django-honeypot/ Looks very promising, if :jezdez approves.
Assignee: nobody → lcrouch
Flags: needinfo?(jezdez)
Comment 4•9 years ago
:groovecoder as long as you don't use django-honeypots' automatic response content patching via the HoneypotResponseMiddleware middleware. IIRC you can use it explicitly via the template tag and decorator
Flags: needinfo?(jezdez)
Comment 5•9 years ago
Commits pushed to master at https://github.com/mozilla/kuma

https://github.com/mozilla/kuma/commit/fb781f5971698db94e832fd9b5ad77fe3006a678
bug 1119532 - add django-honeypot library

https://github.com/mozilla/kuma/commit/084dded0c8588d6743418842ce45d73979c797e0
bug 1119532 - add honeypot across all MDN forms

https://github.com/mozilla/kuma/commit/86fd1b2ede2f203d07b6ac683af9ef492d1c29d2
bug 1119532 - honeypot_field helper for precision

https://github.com/mozilla/kuma/commit/ac0eaf9795d34ce4299824830759329262b1d4a6
bug 1119532 - update tests with honeypot field

https://github.com/mozilla/kuma/commit/26259b6bf0d9c57da2512505de01f1d20a1d0ef0
bug 1119532 - isinstance better than type 'response' better than 'ret'

https://github.com/mozilla/kuma/commit/5af877da05b7c43b7172f1688510638462a65531
Merge pull request #3065 from groovecoder/django-honeypot-1119532
fix bug 1119532 - add honeypot field to account signup form
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee
Comment 6•9 years ago
Just a note here: this has had 0 effect on the number of accounts created.

mysql> select count(id) from auth_user where date_joined > '2015-02-11';
+-----------+
| count(id) |
+-----------+
|      1551 |
+-----------+
1 row in set (0.09 sec)

mysql> select count(id) from auth_user where date_joined > '2015-02-04' and date_joined < '2015-02-11';
+-----------+
| count(id) |
+-----------+
|      1525 |
+-----------+
1 row in set (0.05 sec)

So, the current account registration rate appears to be all humans. ;)
Comment 7•9 years ago
(In reply to Luke Crouch [:groovecoder] from comment #6)
> Just a note here: this has had 0 effect on the number of accounts created.

A steady rate might indicate great success blocking bot attacks, or a lack of bot attacks. This feature (and bug 1124390) is a preventative. Thanks for adding it!
Updated•4 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard