user sign up/registration process is being used to spam people

How is this really a problem?

I mean this can't be really consider spam, really. And blacking out a SMTP server on that basis is kind of bullyish. It's like forcing down "captcha" in user registrations all over the world.

"Francis J. Lacoste" <email address hidden> writes:

> How is this really a problem?
>
> I mean this can't be really consider spam, really.

... sorry what? Launchpad is being (ab)used to send unsolicited emails
in bulk[1]. That's pretty much the dictionary definition of spam, no?

> And blacking out a SMTP server on that basis is kind of bullyish.

I didn't say we'd been 'blacked out' or even 'black listed' and
certainly not on that basis alone. I said it's contributing to us to
getting a bad reputation, i.e. that and other things (like #341927) is
causing us to have problems delivering mail to the larger providers.

> It's like forcing down "captcha" in user registrations all over the
> world.

I'm not trying to force captchas on anyone. All I'm suggesting is that
having a web form that sends email to any given address with no checking
that the person using the web form is a human, a) probably isn't the
best plan and b) is actively causing us problems right now.

I'm honestly stunned that this is at all controversial.

--
James

[1] From a single Feedback Loop (aol.com), I've seen at least 10 reports
    in a day of people reporting the registration email as spam.

By a concidence?, I received 20 bogus 'Launchpad: complete your registration.' yesterday night.

So I see what you mean. I see two things we could do to hinder the use of bots on that page:

1) Check the referer on the POST to be the actual form. I bots don't fake sane referer by default, that would stop a few of them.

2) Use a nonce on the form, so that the bots would need to fetch the form and support cookies to register.

I think 2 is probably more robust than 1, but the former is a lot cheaper.

What do you think?

3) In combination with #1 and/or #2, limit the number of "Complete your registration" messages sent to any e-mail address to ~2 per day and ~4 per month. (For bonus points, count <email address hidden> and <email address hidden> as a single e-mail address.)

4) Use a text-only (e.g. math) captcha. This would be no problem for Launchpad's target user base, i.e. software developers, but would make it (even more) important for shop.canonical.com to stop requiring every customer to have a Launchpad account.

I don't think we are being targetted. I think the bulk of this is the bots that crawl around submitting any form they can trying to get comments containing their spam links posted somewhere/anywhere. Low hit rate, but if you have a horde of zombies that doesn't matter...

Neither of Francis' suggestions defend against these. All but the dumbest will handle cookies and referer headers.

Matthew's suggestions work. Number 4 would be easy to implement. This will also stop the bots from registering in the first place and creating bogus bug comments for an extra win. It would be trivially deflatable by a bot author, but that will only be a problem if someone actively targets us (which is rather pointless given our user base and use of nofollow etc.).

btw. For our purposes as a provider, spam is whatever users report as spam. It has nothing to do with the content or if they actually requested it or not. We have similar issues whenever users start getting email they didn't think they signed up for.

Since this bug report is public, I've made public bug 78039, which is where I made suggestion #3 a couple of years ago.

I think the math captcha is a good solution.

Let's do it!

Would probably make sense to fix bug 88827 at the same time.

Curtis has agreed to do this. Thank you!

mpt's suggestion #3 is excellent and we should do that. His #4 suggestion can be easily defeated, but will the bots go through that effort? We should also rate limit the number of requested registrations allowed per IP or domain.

http://recaptcha.net/ is a nice idea.

@Francis: well, for one thing, if your email address is already registered and validated with Launchpad, why are we ever sending them a "complete your registration" email? If we can eliminate that, maybe we can solve a big part of the problem without resorting to ineffective usability nightmares like captcha?

Any captcha we use will need to have an audio work-around for accessibility. A simple math-based captcha would need the corresponding audio prompts, which means it's not as simple any more.

Why math-based captcha needs audio prompt? Is something like "Enter result of 2 plus 7 into following entry box" something which visual impaired cannot do?

So login will happily send you as many confirmations as you request, each with a different token. If you're trying to log in more than once it's probably because you haven't gotten the confirmation message. We really need to rate limit that. A simple approach would be if we already see you in the pending set, we would direct you to answers or feedback for more help. (And perhaps not send you another confirmation, or rate limit it.)

@Łukasz Czyżykowski You are correct as long as we verify the text is recognizable by a screen reader. I was confusing myself. Thanks for the reminder.

An error was encountered:
Traceback (most recent call last):
  File "pqm/bin/pqm", line 81, in do_read_mode
    sender, msg, sig, 1, logger, options.keyring)
  File "/home/pqm/pqm/pqm/__init__.py", line 75, in verify_sig
    raise PQMException(sender, "Failed to verify signature: %s" % e._value)
PQMException: 'Failed to verify signature: gpgv exited with error code 2'

r 9666

Bug 452491 tracks the similar problem on the forgotten password form.

This was addressed in c-i-p by using recaptcha.