|Category:||Permissions and roles|
Spam is a big issue (not just with Redmine). On a Drupal setup I also administer, I see people signing up using lots of different names (despite the captcha and email-check), then waiting a while, then posting one or two spam messages each day. It's very hard to catch them up front because the names are not being used immediately, so there can be literally hundreds of "sleeping" user names (each one gets blocked the moment they abuse it, of course.
One solution for his would be to support first-post moderation, i.e. every first post gets held back until a moderator can decide whether it is a valid post. Once accepted, that user can then post as usual and without delay.
Redmine does not support this, but I was thinking of a work-around which might almost work in the current system (I'm running 2.0.3.stable.10244):
- allow people to sign up with email verification
- when they do, give them access to a project with further instructions
- ask them to post their question or comment to a special forum which is only visible to newly signed-up users
- one of the moderators then checks it out and if accepted, changes that person's role to a "regular" member and moves the post to the real forum, visible by anyone
Does this sound like a possible solution? I'm currently holding back a major migration to Redmine because spammer sign-up would be a major problem. Everything else in Redmine 2 is really really excellent - great feature set.
#1 Updated by Jean-Claude Wippler about 9 years ago
Here is another option which might be extremely effective for sign-up filtering: <http://www.stopforumspam.com/search>
You enter the email address of a spammer, such as firstname.lastname@example.org and it'll report how many places this email address has been signed up to in the past 48 hours. As the FAQ describes, there's an API to do this programmatically: <http://www.stopforumspam.com/faq>.
#2 Updated by Jean-Claude Wippler over 7 years ago
- Status changed from New to Resolved
Just to follow up - my current solution is to sign up people and give them no edit or posting rights at all.
Soon thereafter, and seeing some sticky forum posts, people start sending emails asking how to post.
At that point, one of the maintainers adds them to the proper group.
The other thing was to add a simple question as part of the signup process. Someone wrote a small plugin in Ruby for this.
It's a bit manual and adds some delay, depending on time zone, but it works. We used to have hundreds of spam logins (not kidding).
I've changed the issue to "resolved" for now, although RM could certainly be improved further in this area...