Feature #675
openAnti-spam or captcha for issues
0%
Description
Redmine is definitely gaining big popularity! Even among spammers!
Today, I got two spam issue notes from Anonymous user (we would like to allow anonymous user to submit issue and issue notes). Anyone experiencing the same issue?
Would it make sense to add in a captcha when adding an issue? Or pass it on to an anti-spam service, like Akismet or defensio?
Files
Related issues
Updated by Leandro Lucarella over 16 years ago
Captchas will be useful too for other modules, like Wiki, Boards, etc.
A really cool mix between anti-spam service and captchas is reCAPTCHA. Every captcha you resolve, you help to scan books from The Internet Archive.
Updated by evan wheeler over 16 years ago
- File recaptchaplugin_add_ajax_api_support.patch recaptchaplugin_add_ajax_api_support.patch added
- File redmine_environmentrb_recaptcha.diff redmine_environmentrb_recaptcha.diff added
- File redmine_issues_controllerrb_recaptcha.diff redmine_issues_controllerrb_recaptcha.diff added
- File redmine_newrhtml_recaptcha.diff redmine_newrhtml_recaptcha.diff added
We've been getting spam issues in redmine as well, and have implemented reCAPTCHA using the reCAPTCHA rails plugin. We have submitted an enhancement patch to the plugin to use the reCAPTCHA AJAX API so it will work in redmine when the tracker is changed, but it hasnt been put into the trunk yet.
I've attached our patch for the recaptcha plugin as well as patches for including it in redmine issue submission.
Just install the plugin into /vendors, apply the patches, and put your recaptcha keys in your environment.rb
Cheers
Updated by evan wheeler over 16 years ago
evan wheeler wrote:
We've been getting spam issues in redmine as well, and have implemented reCAPTCHA using the reCAPTCHA rails plugin. We have submitted an enhancement patch to the plugin to use the reCAPTCHA AJAX API so it will work in redmine when the tracker is changed, but it hasnt been put into the trunk yet.
I've attached our patch for the recaptcha plugin as well as patches for including it in redmine issue submission.
Just install the plugin into /vendors, apply the patches, and put your recaptcha keys in your environment.rb
Cheers
you can find the recaptcha rails plugin here: http://ambethia.com/recaptcha/files/README_rdoc.html
Updated by Derek Montgomery about 16 years ago
Any chance to have something officially implemented??
I am getting A LOT of spams those days :(
Updated by James Turnbull about 16 years ago
Any chance of this getting into trunk? It'd be a great feature.
Updated by Muntek Singh about 16 years ago
+1
I'd also love to see some sort of captcha (recaptcha or xkcd style) for user registration
Updated by Jean-Baptiste Barth almost 16 years ago
IMHO Captcha systems are very annoying for human people, and there are smarter ways to differentiate human from bots if your site is not specifically targeted by spammers.
You should consider using a "inverse/negative captcha", which is a great solution in such a case. The principle is to have a mandatory email field which do not have an explicit name, and next to it a trap email field for spambots, which is hidden via CSS. When the trap field is filled, entry is automatically considered as spam and refused.
You can see here an implementation for Mephisto blogging system.
Any opinion about that ?
Updated by Adam Knight almost 16 years ago
This is very important for public systems. Please consider this RSN.
Updated by Andrew Kouznetsov over 15 years ago
+1 for implementation
Here is another variant of realisation captcha in Issues
Updated by Jacob Moen over 15 years ago
Jean-Baptiste Barth wrote:
IMHO Captcha systems are very annoying for human people, and there are smarter ways to differentiate human from bots if your site is not specifically targeted by spammers.
That's your opinion.
I happen to like reCaptcha better than I like any other dirty hack.
Your suggestion seems very easy for a spam bot to work around.
I vote for reCaptcha and Akismet. :)
Updated by Adam Knight over 15 years ago
What's it going to take to get traction on this? I can't turn on public use on my site until this is done, the community clearly wants it, patches have been made, so what else is needed?
Updated by david austin about 15 years ago
I also believe this is a very important issue and would like to see it put into the system/s/ David www.bible.org
Updated by Mitch Guthrie about 15 years ago
I want to also throw in a request to get some sort of spam filtering system in Redmine. I really don't care if it's a captcha or some other spam monitoring technique but something definitely needs to done as this is a huge issue for many.
Furthermore there are more posts on redmine.org all requesting such a feature and to date I can't see that anyone from Redmine has officially responded or given a roadmap for this particular feature.
How does Redmine.org handle spam issues?
Updated by Chris Miller about 15 years ago
Mitch Guthrie wrote:
I want to also throw in a request to get some sort of spam filtering system in Redmine. I really don't care if it's a captcha or some other spam monitoring technique but something definitely needs to done as this is a huge issue for many.
Furthermore there are more posts on redmine.org all requesting such a feature and to date I can't see that anyone from Redmine has officially responded or given a roadmap for this particular feature.
How does Redmine.org handle spam issues?
By having Wikipedia-like fascist moderators who delete any and all spam so we can pretend it's not a problem.
Updated by Eric Davis about 15 years ago
It hasn't been an issue for me because I require registration to post to my Redmine.
To address the spam problem, I think this should be done by a plugin. That way it's an optional feature and you could pick whatever scheme works best (e.g reCaptcha, Akismet, simple math, reverse captcha). I'm pretty sure there is everything a plugin would need to catch spam on issue submission. Forums might need a hook to two.
Updated by G N about 15 years ago
+1 for implementation as a plugin.
At least, there must be a mechanism to prevent automatic user registrations. It is very unfortunate that Redmine lacks such a mechanism by default.
I have never programmed in Ruby, otherwise I would give this a try.
Updated by Christoph Kappel almost 15 years ago
Hard to believe that there still is nothing to prevent spam and Redmine seems to get more and more attention. All spam accounts on my instance seems to have firstname == lastname which is easy to sort out: I just added another validation to the user model that prevents this.
# Spam
validates_each :firstname do |record, attr, value|
if(record.read_attribute(:lastname) == value)
record.errors.add(attr, "and Lastname must be unique")
end
end
A bit hacky but it does the job and is not so difficult to apply to new changesets/versions. Hopefully there will be a full blown spam protection in the future.
Updated by Troex Nevelin over 14 years ago
Christoph Kappel wrote:
A bit hacky but it does the job and is not so difficult to apply to new changesets/versions. Hopefully there will be a full blown spam protection in the future.
Thanks! I hit the same problem on mine, your hack save's my time and nerves!
Updated by Sebastian Skuse over 14 years ago
Are there any updates with this?
Recently we've been getting 'blogspam' (i.e. a load of links to undesirable sites) on our Redmine issues page, - about 5 - 10 a week. We like to keep issue creation open as we work on open source software, and it lowers the barriers for participation.
I did a search for a plugin but no such luck. Would it be possible to include this as an option or a plugin that can just be installed without hacking around with the source?
Thanks. Great software by the way !
Updated by Jean-Claude Wippler over 14 years ago
This feature was proposed 2.5 years ago.
I'm looking for an issue tracker / wiki / forum system which lets people register without human interaction (because that's immediate in any time zone), yet has some measures in place to prevent spamming. Captcha, akismet, counting URLs in the submitted text, anything...
Captchas are not excessively annoying since each person only needs to go through them once, during registration. The current system is potentially much more annoying once spam gets in, since it affects everyone.
Redmine suits my purposes perfectly on all counts ... except for this one. For an example for how little it takes: bbPress has a simple "1+2" type signup question and Akismet filtering (both as plugins), and that's plenty to keep all the junk out. One could always implement more advanced mechanisms later, especially if it can all be done via plugins.
My Ruby fu level is way too low to create these plugins alas, but please consider bumping the priority on this issue. From the responses above it seems that a lot more people would be very grateful.
Updated by Sebastian Skuse over 14 years ago
Are any Redmine developers able to comment on this? It'd be lovely to know if this is possible or planned.
I'd contribute myself, if I knew anything about Ruby, but unfortunately I do not.
Having things like "[Project - Bug #485] (New) indian generic viagra" emailed to clients doesn't look very professional!
Updated by Shane StClair about 14 years ago
I took a first stab at a Redmine plugin that adds a recaptcha to the user self registration page.
http://github.com/srstclair/redmine_recaptcha
A tester would be great, as it's my first ruby/rails/redmine/git endeavor and I'm sure I left something out.
Also, the plugin currently entirely overrides the account_controller's register method. There may be a better way to do this, but it seemed like the recaptcha verification needed to be inserted in the middle of the method logic...
Updated by Shane StClair about 14 years ago
Note: the plugin currently only handles user self registration and not anonymous issues. It shouldn't be too hard to apply the same method to the issue view and controller, though.
Updated by Vianney Lecroart about 14 years ago
Thank you Shane StClair for your nice plugin with recaptcha. I really hope one day this thing will be in the main redmine repo (with, why not, an option).
Updated by G N about 14 years ago
Thanks for this plugin. Perhaps it should also protect the "Lost Password" form as this can be abused too.
Updated by Derek Montgomery about 14 years ago
I could not make it work with current trunk, anybody had more success?
Updated by david austin almost 14 years ago
I also support adding a capthca as we get a lot of anonymous spam ticket posts
Updated by Jean-Claude Wippler almost 14 years ago
Nearly three years onwards, with no resolution of this "New" issue.
Could someone with the appropriate fu-level please flag this issue as rejected, abandoned, shelved, or somethin' ?
Updated by Sebastian Skuse almost 14 years ago
+1. This is the only issue I have with this software. We need it to be open, but get a fair bit of spam through it.
Jean-Claude Wippler wrote:
Nearly three years onwards, with no resolution of this "New" issue.
Could someone with the appropriate fu-level please flag this issue as rejected, abandoned, shelved, or somethin' ?
Updated by Jean-Claude Wippler almost 14 years ago
+1. This is the only issue I have with this software. We need it to be open, but get a fair bit of spam through it.
I wonder how much spam this forum itself gets, see #6991 for an example which hasn't been cleaned up for a month.
It would seem to me that keeping spam out instead of having to clean it up afterwards is less work, in the long run. Not to mention the time to deal with discussions like these.
Having said that, my sympathies go to Jean-Philippe - apart from one other contributor working on SCM systems, he appears to be the only one working on Redmine. I hadn't realized until now that it's essentially a one-man show.
Updated by Christophe Bourcier almost 14 years ago
The plugin redmine_recaptcha works great on redmine 1.1.0. http://github.com/srstclair/redmine_recaptcha
I just had to replace in the file vendor/plugins/recaptcha/lib/recaptcha/client_helper.rb, line 39:
return html.html_safe
by
return html
But some captchas are tough to solve.
Updated by Shane StClair almost 14 years ago
Christophe Bourcier wrote:
I just had to replace in the file vendor/plugins/recaptcha/lib/recaptcha/client_helper.rb, line 39:
return html.html_safe
by
return html
Thanks Christophe! I haven't been able to test this fix, but I updated the plugin with this fix. Hopefully that resolves the issues that people have been having with newer versions.
Updated by Shane StClair almost 14 years ago
Update: confirmed compatibility with current trunk (1.1.1.devel.4802) and moved reCAPTCHA key settings to Administration/Plugins/Configure.
Updated by Ted P almost 14 years ago
Christophe's fix needs to be done in ambethia's recaptcha (helper) plugin.
Someone already made the pull request: https://github.com/ambethia/recaptcha/pull/31
Updated by Ashraf Amayreh over 12 years ago
Guys. I'm getting no less than 3 spam issues/replies to issues per hour! around 72 per day. I don't know ror, but I'm willing to patch, follow instructions, and break anything to get a captcha in there if I'm given the steps! HELP!
Updated by Shane StClair over 12 years ago
You might try this fork of my captcha plugin:
https://github.com/egroeper/redmine_recaptcha
From the commit comments it looks like he added captchas to anonymous issues, but I haven't experimented with it. If it works for you, please report back and I'll try to incorporate his changes.
Updated by Ashraf Amayreh over 12 years ago
Afraid not. It broke my redmine issue page (titles aren't appearing). Wonder how to uninstall it? Adding or replying to issues didn't introduce a captcha either :( Now I'm getting around 12 spams/hour. This is driving me nuts :(
Updated by Shane StClair over 12 years ago
Try ruby script/plugin remove redmine_recaptcha
from the Redmine directory.
Updated by Tom Vogt over 12 years ago
Please add my voice to that. I was very happy with redmine until I realized no less than 3 spam accounts registered within the past 24 hours, and aside from setting signup to manual activation couldn't find a feature to stop them.
Seriously, any tool with anonymous contributions (issues, comments, even user pages) that doesn't contain anti-spam filters should be considered fundamentally broken.
Updated by Jean-Claude Wippler over 12 years ago
Please, please, please add (re)captcha support to Redmine as built-in. It drastically reduces automated spammer signup.
And while I'm at it: please add Akismet support as built-in as well. It does marvels at filtering nonense entries.
Updated by Ismael Morales Alcaide about 12 years ago
Anything new about this issue?
Updated by Toshi MARUYAMA over 11 years ago
- Related to Feature #2340: Self-registration needs captcha added
Updated by kittybe11 kittybe11 almost 8 years ago
Post moderated by Mischa The Evil, 02-02-2017; awaiting deletion.
Updated by Robert Pollak almost 8 years ago
I guess the above spam comment means "+1" :)
Updated by yac yac over 7 years ago
https://github.com/yaccz/redmine-spam-users might be useful once you have too much spam accounts to deal with manually.