Lots of spammers on GitLab.com

There has been quite an influx of spammers lately and it is starting to affect the GitLab CE project. They have been posting a lot of issues on the repository and, based on @JobV 's analysis they are generating a lot of traffic.

They are mostly links to live football matches.

@ayufan suggested we add https://www.google.com/recaptcha/intro/index.html

Like @JobV suggested, it might be good to add it to the registration form, so we avoid bots.

@sytses what do you think?

/cc @dzaporozhets @jacobvosmaer @marin @DouweM

We have a unique case with GitLab: you can run your own public instance. We're discovering that spam prevention is part of that.

To me it seems only logical to have recaptcha's as a configuration option in front of registration. It should be painless, so the Google click-option is great. Another option that doesn't require external calls is to require an action such as click on the donkey and then having multiple animal images.

I'm OK with adding optional Recaptcha credentials to gitlab.rb. I don't believe in click the donkey or anything else except maybe akismet.

That's also a perfect example or use case for an hide issue or delete issue feature.

+1 for google captchas when signing up. Should be opt-in so that you can still install gitlab without a google account :)

@dzaporozhets?

@sytses @JobV Captcha is a bad idea:

• Its is awful user experience. I saw 0 people happy about it.
• We have email confirmation for signup. This is already a protection
• Companies like Twitter and GitHub does not have captcha because it leads to loosing users on signup stage.
• It does not solve spam problem. You add captcha. I can create ~ 100 users manually during day. It will be enough for month to spam.

The problem is in report process:

1. I notice spam issue
2. I write email to support asking to block it
3. I wait while GitLab admin will actually block the user
4. I rename issue or remove comment with spam content

I will be able to signup users with captcha faster than you would block it with such report process.

Note that some very high-traffic issues are spam, but can only be found through manual search (in analytics or in Gitlab).

What do you think @dzaporozhets? Add a 'report this' button?

@dzaporozhets what about @mrtux's suggestion?

Now we're moving to .com for all our issues, we don't want spam to clog up our issues.

Add a 'report this' button?

@JobV yes it should help us block spam users faster

what about @mrtux's suggestion?

yeah we should think about hide/remove content that authored by spam user. I dont know yet how exactly to implement.

@JobV @sytses I wondering why we just not remove spam users? In this case all their issues and comments will be removed too.

@dzaporozhets for that

yeah we should think about hide/remove content that authored by spam user. I dont know yet how exactly to implement.

Maybe a voting system like hackernews has?
Issues/MRs/comments with x reports could be hidden from the Project feed.

@Haydn Voting is pretty complex and with hackernews it is still readable. Lets try something simple first.

@haynes Hannes see above ^^ from @sytses

@sytses we could make a very simple implementation.
If a comment gets reported x times, hide it completly until an admin took a look at it.
That way spam comments disappear very quickly on gitlab.com.
The Admin just needs the ability to either delete the comment or reset that counter if it isn't spam.

@Haydn Thanks :)

@haynes We will make a object and model for the spam reports. If we need to hide stuff based on it we can do that later. /cc @dzaporozhets

@sytses cool :)
One more question. When you make the model, who will be able to remove the spam?
Only the admins? That might become a lot of work as gitlab.com grows further.
Maybe it makes sense for project owners to be able to remove spam in their projects?
If the project owner does not respond to reports, the users can always email the admin to do it, but I think for large instances this is the better alternative.

@haynes Lets try admins first and expand if needed.

@haynes

Can someone delete those users? https://gitlab.com/gitlab-org/gitlab-ce/issues?%20utf8=%C3%A2%C2%9C%C2%93&issue_search=spam&state=closed&scope=all&assignee_id=&author_id=&milestone_id=&label_id=

@axil done. I made sure they were using their accounts only for spam before deleting, which was the case for all of them.

@patricio well done

@patricio thank you!

@patricio Another spammer :( https://gitlab.com/u/asolahart

Thanks @razer6, blocked. I'm now seeing that they create a lot of groups, making it VERY time consuming just to remove one user.

I am going to implement report spam button

GitLab admins will decide if remove user or not based on this reports

@dzaporozhets That's nice. But please make it generic for any reports e.g. offence content.

@razer6 thanks for tip

UI screenshots:

WIP merge request - !1105 (merged)

+1 for unobtrusiveness

Does it make sense to add that button to comments as well so the you don't have to visit the user page first?
It would fit the gui since we already have the edit and delete button there and makes it very easy to report those spam comments.

@haynes Editing and deleting comments is way more common than reporting one for abuse. I don't want an always-visible button with every single comment for this rare task.

@DouweM Fair enough :)

• https://gitlab.com/ettakiysn15/watchlivestreaming/issues/141
• https://gitlab.com/gsbursa/gsbursa/issues/1
• https://gitlab.com/taffesutu/events/issues/58
• https://gitlab.com/goldenpond/NFLTV/issues/2
• https://gitlab.com/matchendirect/nicemonaco/issues/11
• https://gitlab.com/papiamar19/L1-en-direct-streaming/issues/7

Thanks @mrtux.

If you see a spammer now, go to their profile. There is a button to report the abusive user, which will make handling it much faster for us.

We've added a functionality to report spammers. We will make it easier to use, but this issue is done as far as I'm concerned.

Status changed to closed

mentioned in merge request !14785