there goes the neighbourhood (launchpad is getting owned by spammers)

Complete agreement from me. I filed bug 493960 a few days ago.

That is part of an automated or farm system. A Google search of one key site resulted in 5000 page hits for Launchpad user names. There are multiple names on each page, and each name is a spam or scam account of some sort. I filed https://answers.edge.launchpad.net/launchpad/+question/93104 about it, but there will be no action until I can write a script to parse and extract the names.

It's worth checking to see if any of these accounts are being used to spam wiki.ubuntu.com as well.

I don't want to paint the bikeshed or anything, but perhaps we could refrain from making a user's links "live" until the account has a certain level of karma. This seems to be a leakage of trust, if nothing else, and karma is the closest thing to a trust metric of any sort.

Another (cheap) thing we could do to deter spammers a bit is add the "nofollow" tag to external links so it's less attractive from a SEO point of view.

To be more precise, I meant that a user's karma should determine whether links become "a href=" tags for anonymous access only. So a new user can post URLs, and maybe logged-in users can click them, but the anonymous access (including google) will just see them as a block of un-marked-up text.

bug 495516 also seems related to this

* Maris is going to take care of writing a script deleting the 5000 spammy accounts found.

* We are going to add nofollow to all external links in user content.

* We are going to not render links on person's page without karma to anonymous user.

We make two changes to address this motivation to use Launchpad for spam:

    * modify the text-to-html formatter to always render links with the rel="nofollow"
      attribute. User created links will not be indexed by Google, Yahoo, or what ever
      engine Microsoft is using this month to get an advertising business.
    * Never convert URLs to links when anonymous users are viewing profiles
      without karma.

I got hit with a bunch of links to these spam pages. To make cleanup easier on the targets, any chance that you could serve the home pages for removed users with an HTTP 403 or 404, so we could know yes you did have a spam account, but you closed it? When the page comes back as a 200 it's harder to tell a closed account from an active one.

Actually, Don has a good point, we should serve the user's page with status SUSPENDED with the HTTP status of 410 Gone.

I have a branch that introduces the concept of a probationary user. We do not allow their profile page to be indexed, nor will its content be formatted as HTML. We can change the karma requirement to for probation. Spammers will have help projects get our of probation.

I think the account issue is a separate bug because we want the status set from any launchpad application, not just the registry. Does this behaviour affect all launchpad users? I believe that launchpad admins or registry experts should have permission to see and reactivate the user to correct mistake.

It is hard to distinguish a suspend account from one that has never been activated. Deactivated accounts state they are deactivated, and the owner can reactivate it. Suspended accounts look like unused accounts, The account cannot be reactivated and if the user tries to reuse it; he is asked to send an email to an admin at feedback@launchpad,net

I think we could serve the content of SUSPENDED user home page as is now, but just set the HTTP status to 410. A browser should render the returned page but a spider will notice the status code and delete the link from the index.

According to Curtis, this is going to be cherrypicked in the beginning of the next cycle.

Fixed in launchpad devel r10062