Closed Bug 936509 Opened 12 years ago Closed 11 years ago

Automatically disable accounts based on the number of comments tagged as spam

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Product:
bugzilla.mozilla.org
Component:
Extensions
Version:
Production
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: glob)

References

Details

Attachments

(1 file, 1 obsolete file)

936509_2.patch
6.24 KB, patch
dkl
: review+
Details | Diff | Splinter Review
There has been a rash of abusive comments in bugzilla recently, apparently due to someone poorly-socialized people disliking Australis. These comments have absolutely no redeeming value, being mostly strings of profanity and applications of Godwin's Law. What we've been doing is a really labor-intensive process of hiding the comments by marking them security-private (a hack), disabling the user, pinging #it to do manual SQL stuff to delete the comments, them pinging people to rebuild indices, etc. This really doesn't scale; this whole thing is being a semi-effective DoS attack on us. Can we just have some web UI so whenever someone sees a comment like this they can simply nuke it? I understand that we may need to restrict the list of "someone"s so empowered, but I don't think it should be too restrictive. Generally, I would think we can trust people with editbugs to not misuse this sort of power... Thoughts?
I would second this as a whole and for all bugzilla not just Mozilla sites
Assignee: nobody → ui
Component: General → User Interface
OS: Mac OS X → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Hardware: x86 → All
Version: Production → unspecified
We have been taking a different approach this week of blocking the accounts from being created before the comments are made. Problem of marking as spam (not that it is a bad idea) is that the email has already been sent to a lot of people before the comment is even marked. Blocking before the comment is made will be better overall. There is a new feature under review now, that got stalled due to other quarterly priorities, that would help with the tagging side of things (bug 793963). dkl
Preventing is clearly better if it's doable, I agree; we may need both. :(
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
And that's why I filed this as a bmo extension, because doing this for Bugzilla in general has been blocked for almost a decade now...
Exactly. Bug 936574 has been reopened for dealing with the immediate issue, so let's discuss a more general approach here for BMO.
Assignee: ui → nobody
Status: RESOLVED → REOPENED
Component: User Interface → Extensions: Other
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Resolution: DUPLICATE → ---
Version: unspecified → Development/Staging
I'd like to see two additions to Bugzilla's UI to help deal with spam and abuse (primarily the low-rate issues we've always had). Distributing power to deal with problems like this is an effective technique that's used by just about every web comment forum. 1) Create a "moderator" group that has the ability to delete comments/attachments and disable users. Bug 690833 added the ability to restrict additional comments on a bug to only users with editbugs, and bug 871411 created a group granting the privilege to add/remove that restriction. We should broaden the scope of that group to general moderation. Established contributors with a history of responsibility should have access (many-dozens). 2) Give generally established users (editbugs? or broader?) the ability to flag comments as spam/abuse/off-topic. Once a comment (and/or user?) has been flagged N times, it gets hidden by default. Perhaps with N being extra-small for new accounts. The way TBPL Robot comments are suppressed is almost ideal (random example: bug 910521). Basically, a soft-block that enables crowd-sourced moderation. (Presumably moderation would not apply to editbugs users, to limit the possibility of using moderation as an attack.) #1 should be simple to implement, #2 would need more care. ISTR that some forums (Reddit? Or was it Slashdot's karma?) basically combine the two, by making a user's moderation power scale according to how others agree... EG, if everything you downvote is also heavily downvoted by others, you're probably a very good moderator. But if your downvotes are being countered by upvotes from others, your judgement is called into question and thus your power is scaled back. That's probably overkill for Bugzilla, though. One thing this doesn't deal help with is bugmail. I think we'd either have to ignore that problem, or investigate some separate way of automated detection. (Kind of a solved problem for email in general -- bayesian spam filters -- but I'm not optimistic that would work well for bugzilla comments.)
(In reply to Justin Dolske [:Dolske] from comment #8) > 1) Create a "moderator" group that has the ability to delete > comments/attachments and disable users. editing users is already controlled by a group - editusers. we're tracking development of an extension to edit comments in bug 936165. > 2) Give generally established users (editbugs? or broader?) the ability to > flag comments as spam/abuse/off-topic. you've just perfectly described comment tagging (bug 793963) which already implements this suggestion with the exception of "flagged N times". comments can only be tagged once, and as soon as a comment is tagged as "spam" (or whatever), it'll be collapsed by default. my foolishly titled blog post has more info: http://globau.wordpress.com/2012/10/16/coming-attraction-comment-tagging/ bug 793963 already has a patch waiting for review, and addresses the summary of this bug. while that review has some age on it, recent events have significantly bumped its priority. > One thing this doesn't deal help with is bugmail. indeed; these measures are reactive rather than proactive. rather than track multiple tasks on the same bug, i'm going to morph this bug slightly. once comment tagging has been implemented, it would then be possible to automatically disable accounts which are clear bugzilla abusers. i'm picturing a system where we consider a user's age, the number of non-spam comments, and the number of comments marked as spam. once they hit a threshold they are automatically disabled with a clear message about how to get their account re-enabled if required. an example would be automatic disabling of users less than 24 hours old who have create at least 3 comments marked as spam, and haven't created any not-spam comments.
Status: REOPENED → NEW
Depends on: 793963
Summary: Would it make sense to have a web UI for flagging/deleting abusive comments? → Automatically disable accounts based on the number of comments tagged as spam
Version: Development/Staging → Production
Assignee: nobody → glob
Component: Extensions: Other → Extensions: AntiSpam
Attached patch 936509_1.patch (obsolete) — Splinter Review
adds the ability to say "automatically disable a user if they have made X comments, and ALL their comments are marked as spam". - uses the comment_after_add_tag and comment_after_remove_tag hooks from bug 975943 - users in a specified group are immune from this (default: canconfirm) - users who are not considered "new to bugzilla" are immune - comment_count and disable_text are admin configurable parameters
Attachment #8380514 - Flags: review?(dkl)
See Also: → 937821
For users that are submitting multiple comments per minute, might we end up in the situation where they've already added N new comments by the time we've tagged the prior ones, so we're always chasing the elusive 100% of comments marked as spam?
Good point. How about saying that if their first X comments are marked as spam, they get disabled? Gerv
Is there a bug for exponentially rate-limiting comments on new accounts?
More useful if it's X comments in a row perhaps or X comments in a week or day or hour. We sometimes get new users that start OK, things don't go their way because they want something that we're not going to do for them and they then get abusive. Their first couple of comments may therefore be OK.
I'm not saying it would be a panacea, but it would have helped for attacks like last week's. Also, we could also make it apply to anyone who doesn't have editbugs or something to have some level of vouching play into it.
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #13) > Is there a bug for exponentially rate-limiting comments on new accounts? bug 937821 (In reply to Gervase Markham [:gerv] from comment #12) > Good point. How about saying that if their first X comments are marked as > spam, they get disabled? sounds easy enough, i'll work on that. there's no need to over-complicate or build a "perfect" system now. i want to get something functional live asap, and iterate on the design over time if required.
Attachment #8380514 - Attachment is obsolete: true
Attachment #8380514 - Flags: review?(dkl)
Attached patch 936509_2.patchSplinter Review
changes: - disable if first N comments are spam - disable if last N comments are spam
Attachment #8380636 - Flags: review?(dkl)
Comment on attachment 8380636 [details] [diff] [review] 936509_2.patch Review of attachment 8380636 [details] [diff] [review]: ----------------------------------------------------------------- Hooks already there so need to be removed. Otherwise looks good and works as expected. r=dkl ::: extensions/AntiSpam/Extension.pm @@ +179,5 @@ > + } > + > + # check if the last N comments are spam > + elsif (!scalar(grep { $_ } @$comments[-$spam_count..-1])) { > + $reason = "last $spam_count commennts are spam"; s/commennts/comments/
Attachment #8380636 - Flags: review?(dkl) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git f9c1b97..572c581 4.2 -> 4.2
Status: NEW → RESOLVED
Closed: 12 years ago11 years ago
Resolution: --- → FIXED
Component: Extensions: AntiSpam → Extensions
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: