[SAC] OSGeo Id creation disabled

For those not on IRC: we've temporarily disabled OSGeo Id creation.
Accounts were being autogenerated and then used to spam the Trac
instances. Other systems using OSGeo auth should check for any unusual
activity.

As a follow-up, we are now looking for someone who wants to improve our
creation system with a Captcha and/or email confirmation. If you think
you can build such a system (or modify the existing one) to work with our
LDAP, please contact the OSGeo System Administration Committee (SAC).

Thanks,
Alex

On Wed, Apr 27, 2016 at 02:42:52PM -0700, Alex M wrote:

> As a follow-up, we are now looking for someone who wants to improve our
> creation system with a Captcha and/or email confirmation. If you think
> you can build such a system (or modify the existing one) to work with our
> LDAP, please contact the OSGeo System Administration Committee (SAC).

Should this part be sent on osgeo-discuss?
Anyway, what about doing something simple like asking to enter
a number derived from some request headers? Like the first
5 characters of the MD5 of the remote IP...

--strk;

On 04/28/2016 01:41 AM, Sandro Santilli wrote:

> Should this part be sent on osgeo-discuss?

Maybe, all the people who run sites using this should be on the SAC
list. We could add a link to the maintenance page on how to contact SAC.

> Anyway, what about doing something simple like asking to enter
> a number derived from some request headers? Like the first
> 5 characters of the MD5 of the remote IP...

Yes, anything for now that is hard for a bot (since it might get
re-written), with a more robust solution later.

Thanks,
Alex

On 04/28/2016 07:19 AM, Alex Mandel wrote:

https://www.ldap-account-manager.org/lamcms/lamPro/features#selfService

Of course, the open-source variant doesn't have the User Self Service
module...

That's the only pre-built solution I've found so far with user
self-registration, email verification and user self-service password reset.

Keep looking.

Alex

On 04/28/2016 08:04 AM, Alex Mandel wrote:

Correction, also this:
http://ltb-project.org/wiki/documentation/self-service-password

But it's not clear it has a registration tool.

Thanks,
Alex

Folks,

I'm willing to update the LDAP account creation to require email
validation. That is, I'll send out an email and they have to follow
the link in the email to confirm before the account is actually
created.

Is there a SAC ticket on this? I should be able to do it today or tomorrow.

I'll likely also try and put in place self-service password reset
using a similar mechanism.

Best regards,
Frank

On Thu, Apr 28, 2016 at 8:05 AM, Alex Mandel <tech_dev@wildintellect.com> wrote:

_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/sac

--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Software Developer

Frank,

I don't think there's a ticket yet. We should make those 2 items 2
different tickets.

Also, I'll make a ticket for myself: I'll attempt to spruce up the pages with
a little OSGeo branding to make them look less sketchy.

Thanks,
Alex

On 04/29/2016 09:18 AM, Frank Warmerdam wrote:

I just recalled something useful. It would be great if we could
blacklist certain email domains. In particular, yopmail and dayrep, which
are disposable email services (publicly readable, trashes all mail after
8 days), were used for many of the spam accounts recently. An email
service like that is contradictory to being able to use email to recover
passwords when forgotten.

Thanks,
Alex

On 2016-04-29 09:23, Alex M wrote:


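Frank's message above describes confirming the e-mail address before the LDAP account is created, and Alex's proposes refusing the disposable-mail domains seen on the spam accounts. The following Python is an added example of those two server-side checks; it is not the OSGeo ldap_create_user.py script or any SAC code, and the secret key, domain list, token lifetime and all function names are assumptions made for the example.

```python
"""Two pre-LDAP checks for a self-registration form (added example).

1. Reject e-mail addresses on disposable-mail domains (the thread names
   yopmail and dayrep), since such addresses defeat password recovery.
2. Mint an HMAC-signed, time-limited confirmation token for the link in
   the confirmation e-mail; the LDAP entry is only written once the
   token comes back and verifies.
Nothing here talks to LDAP or sends mail; it is the gate in front of both.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed list for this example; extend from whatever the spam accounts used.
DISPOSABLE_DOMAINS = frozenset({"yopmail.com", "dayrep.com"})
# Example-only secret: in a deployment, load it from a root-readable config file.
SERVER_SECRET = b"example-only-secret-replace-me"
TOKEN_TTL_SECONDS = 24 * 3600


class SignupError(ValueError):
    """Raised when a registration request must be refused outright."""


@dataclass(frozen=True)
class PendingSignup:
    username: str
    email: str
    token: str  # goes into the confirmation link; nothing is stored server-side


def mail_domain(email: str) -> str:
    """Return the lowercased domain of an address, refusing malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        raise SignupError("malformed e-mail address")
    return domain.lower()


def is_disposable(email: str) -> bool:
    """True if the address is on a blocked domain or any subdomain of one."""
    domain = mail_domain(email)
    return any(domain == d or domain.endswith("." + d) for d in DISPOSABLE_DOMAINS)


def _sign(username: str, email: str, expires: int) -> str:
    # Bind the signature to the exact identity and expiry; NUL separators
    # keep "ab"+"c" and "a"+"bc" from colliding.
    msg = f"{username}\x00{email.lower()}\x00{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def start_signup(username: str, email: str, now=None) -> PendingSignup:
    """Step 1: validate the request and mint the token for the confirmation mail.

    No account exists after this call; it exists only after confirm_signup().
    """
    now = int(time.time()) if now is None else now
    if is_disposable(email):
        raise SignupError("disposable e-mail domains cannot be used for account recovery")
    expires = now + TOKEN_TTL_SECONDS
    # The expiry rides along in clear text but is covered by the signature,
    # so the server needs no database of outstanding tokens.
    token = f"{expires}.{_sign(username, email, expires)}"
    return PendingSignup(username, email, token)


def confirm_signup(username: str, email: str, token: str, now=None) -> bool:
    """Step 2: verify the token returned from the link before creating the account.

    Rejects tampered, expired or re-targeted tokens; the compare is constant-time.
    """
    now = int(time.time()) if now is None else now
    try:
        expires_str, presented = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = _sign(username, email, expires)
    return hmac.compare_digest(expected, presented)
```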
Alex,

I can do that.

I have created ticket https://trac.osgeo.org/osgeo/ticket/1665 to
track my work today.

Hmm, it appears I neglected to send this earlier today when I started
this work, and it is now done, actually using reCAPTCHA:

https://www2.osgeo.org/cgi-bin/ldap_create_user.py

Best regards,
Frank

On Fri, Apr 29, 2016 at 8:24 PM, Alex Mandel <tech_dev@wildintellect.com> wrote:

Sorry, it doesn't seem to be enough; I had to disable it again. Trac spamming
is still squashed, and I did verify that new accounts since your change
are being used.

Though looking at the rate makes me think someone is doing it by hand
(although shifting IPs).

Updated ticket.

Thanks,
Alex

On 04/30/2016 01:58 PM, Frank Warmerdam wrote:

Alex,

There is very little defense available against spammers willing to
spend lots of human time doing their thing. What is our plan on this?
I'm not too happy with an approach that makes it very difficult to be
a new contributor.

Best regards,
Frank

On Tue, May 3, 2016 at 1:05 PM, Alex M <tech_dev@wildintellect.com> wrote:

I'm glad to re-enable as soon as we have a good way to mitigate the Trac
spam: either finding and removing spam accounts more quickly
(automation), or just making it harder to spam Trac to begin with.

Right now only Martin seems to know the method for removing identified
spam accounts. I think we should run a cron job every 5 mins and have that
job read a text file more admins can write to, so when we find spam
accounts they get removed fast.

Of course, then that also needs to feed into killing matching sessions in Trac.

I agree, if they're willing to sign up by hand, that makes it really hard to
block at sign-up.

Thanks,
Alex

On 05/03/2016 04:53 PM, Frank Warmerdam wrote:

What about that idea on a confirmation e-mail?

Putting a small delay on sending the e-mail (say 5 minutes) would maybe
make it harder to complete the signup, but I have no idea how "persistent"
these spammers can be :-/

On 4 May 2016 at 00:33, Alex M <tech_dev@wildintellect.com> wrote:

--
Jorge Sanz
http://www.osgeo.org
http://wiki.osgeo.org/wiki/Jorge_Sanz

On Wed, May 04, 2016 at 12:45:01AM +0200, Jorge Sanz wrote:

> What about that idea on a confirmation e-mail?
>
> Putting a small delay on sending the e-mail (say 5 minutes) would maybe
> make it harder to complete the signup, but I have no idea how "persistent"
> these spammers can be :-/

I agree. Added your idea to the existing ticket (reopened):
https://trac.osgeo.org/osgeo/ticket/1665

--strk;