llvm-iwg

spam comments on Phabricator

Open ChristianKuehnel opened this issue 3 years ago • 8 comments

from meeting on 2022-03-01:

  • example: https://reviews.llvm.org/rTa77ad335b95d4e004b0536c2a194ad247201c0fc
    • We disabled that user account.
    • There are probably more users creating spam, so we need a systematic solution.
  • We should involve @joker-eph in the discussion as Phabricator admin.
  • ideas going forward:
    • Do we require a GitHub or Google account? If so, how do we enforce this?
    • Can you create accounts through the Conduit API or some other back channel?
    • Can we search/filter for users that did not verify their email accounts and then disable them?

ChristianKuehnel, Mar 01 '22 16:03

We disabled registration through email for a while now; we only accept GitHub and Google accounts. I think this one is a GitHub one: https://github.com/robernmiles. I was hoping that GitHub would do a better job at verification :(

joker-eph, Mar 02 '22 10:03

@joker-eph Looks like this might be circumvented somehow. This is the user I just disabled: https://reviews.llvm.org/people/manage/24413/

asl, Mar 02 '22 11:03

> GitHub one: https://github.com/robernmiles

I opened an abuse report on GitHub.

How did you see that this was a GitHub user account?

I just disabled these users:

  • https://reviews.llvm.org/people/manage/24284/
  • https://reviews.llvm.org/people/manage/24310/
  • https://reviews.llvm.org/people/manage/24323/
  • https://reviews.llvm.org/people/manage/23549/

All were spamming on the same commit: https://reviews.llvm.org/rTa77ad335b95d4e004b0536c2a194ad247201c0fc#1061165. I also removed their comments on that commit.

ChristianKuehnel, Mar 02 '22 11:03

And I found a couple more suspicious accounts by scanning through the recent activities:

  • https://reviews.llvm.org/p/jaipurescortservice/
  • https://reviews.llvm.org/p/hondaservice856/
  • https://reviews.llvm.org/p/Javinishka/
  • https://reviews.llvm.org/p/lorinthomes/
  • https://reviews.llvm.org/p/daintreesolutions/
  • https://reviews.llvm.org/p/bookbangaloregirls/
  • https://reviews.llvm.org/p/spiritualityinveins/
  • https://reviews.llvm.org/p/mxd874507440/

Looks like someone has a way of creating these in an automated way. The logins are mostly coming from different IP addresses.

ChristianKuehnel, Mar 02 '22 11:03

> I opened an abuse report on GitHub.

That was a bit fast, I was still investigating!

I went through the database and figured these are all Google accounts!

joker-eph, Mar 02 '22 12:03

I also enabled email verification now: I checked from my Google account and the verification applies. I don't know if these scripts are good enough to follow the link from the verification emails, but the screen it leads to requires clicking a button to confirm.

joker-eph, Mar 02 '22 12:03

Discourse discussion on this topic: https://discourse.llvm.org/t/spam-accounts-on-phabricator/60631

ChristianKuehnel, Mar 29 '22 15:03

no progress here, unclear how to proceed, removing from backlog

ChristianKuehnel, Jul 05 '22 15:07