Redmine

Captchas will be useful too for other modules, like Wiki, Boards, etc.

A really cool mix between anti-spam service and captchas is reCAPTCHA. Every captcha you resolve, you help to scan books from The Internet Archive.

evan wheeler wrote:

We've been getting spam issues in redmine as well, and have implemented reCAPTCHA using the reCAPTCHA rails plugin. We have submitted an enhancement patch to the plugin to use the reCAPTCHA AJAX API so it will work in redmine when the tracker is changed, but it hasnt been put into the trunk yet.
I've attached our patch for the recaptcha plugin as well as patches for including it in redmine issue submission.
Just install the plugin into /vendors, apply the patches, and put your recaptcha keys in your environment.rb
Cheers

you can find the recaptcha rails plugin here: http://ambethia.com/recaptcha/files/README_rdoc.html

Any chance to have something officially implemented??
I am getting A LOT of spams those days :(

Any chance of this getting into trunk? It'd be a great feature.

+1

I'd also love to see some sort of captcha (recaptcha or xkcd style) for user registration

IMHO Captcha systems are very annoying for human people, and there are smarter ways to differentiate human from bots if your site is not specifically targeted by spammers.

You should consider using a "inverse/negative captcha", which is a great solution in such a case. The principle is to have a mandatory email field which do not have an explicit name, and next to it a trap email field for spambots, which is hidden via CSS. When the trap field is filled, entry is automatically considered as spam and refused.

You can see here an implementation for Mephisto blogging system.

Any opinion about that ?

This is very important for public systems. Please consider this RSN.

+1 for implementation
Here is another variant of realisation captcha in Issues

Jean-Baptiste Barth wrote:

IMHO Captcha systems are very annoying for human people, and there are smarter ways to differentiate human from bots if your site is not specifically targeted by spammers.

That's your opinion.
I happen to like reCaptcha better than I like any other dirty hack.
Your suggestion seems very easy for a spam bot to work around.

I vote for reCaptcha and Akismet. :)

What's it going to take to get traction on this? I can't turn on public use on my site until this is done, the community clearly wants it, patches have been made, so what else is needed?

I also believe this is a very important issue and would like to see it put into the system/s/ David www.bible.org

I want to also throw in a request to get some sort of spam filtering system in Redmine. I really don't care if it's a captcha or some other spam monitoring technique but something definitely needs to done as this is a huge issue for many.

Furthermore there are more posts on redmine.org all requesting such a feature and to date I can't see that anyone from Redmine has officially responded or given a roadmap for this particular feature.

How does Redmine.org handle spam issues?

Mitch Guthrie wrote:

I want to also throw in a request to get some sort of spam filtering system in Redmine. I really don't care if it's a captcha or some other spam monitoring technique but something definitely needs to done as this is a huge issue for many.

Furthermore there are more posts on redmine.org all requesting such a feature and to date I can't see that anyone from Redmine has officially responded or given a roadmap for this particular feature.

How does Redmine.org handle spam issues?

By having Wikipedia-like fascist moderators who delete any and all spam so we can pretend it's not a problem.

It hasn't been an issue for me because I require registration to post to my Redmine.

To address the spam problem, I think this should be done by a plugin. That way it's an optional feature and you could pick whatever scheme works best (e.g reCaptcha, Akismet, simple math, reverse captcha). I'm pretty sure there is everything a plugin would need to catch spam on issue submission. Forums might need a hook to two.

+1 for implementation as a plugin.

At least, there must be a mechanism to prevent automatic user registrations. It is very unfortunate that Redmine lacks such a mechanism by default.

I have never programmed in Ruby, otherwise I would give this a try.

Hard to believe that there still is nothing to prevent spam and Redmine seems to get more and more attention. All spam accounts on my instance seems to have firstname == lastname which is easy to sort out: I just added another validation to the user model that prevents this.

# Spam
validates_each :firstname do |record, attr, value|
  if(record.read_attribute(:lastname) == value)
    record.errors.add(attr, "and Lastname must be unique")
  end
end

A bit hacky but it does the job and is not so difficult to apply to new changesets/versions. Hopefully there will be a full blown spam protection in the future.

Christoph Kappel wrote:

A bit hacky but it does the job and is not so difficult to apply to new changesets/versions. Hopefully there will be a full blown spam protection in the future.

Thanks! I hit the same problem on mine, your hack save's my time and nerves!

Are there any updates with this?

Recently we've been getting 'blogspam' (i.e. a load of links to undesirable sites) on our Redmine issues page, - about 5 - 10 a week. We like to keep issue creation open as we work on open source software, and it lowers the barriers for participation.

I did a search for a plugin but no such luck. Would it be possible to include this as an option or a plugin that can just be installed without hacking around with the source?

Thanks. Great software by the way !

This feature was proposed 2.5 years ago.

I'm looking for an issue tracker / wiki / forum system which lets people register without human interaction (because that's immediate in any time zone), yet has some measures in place to prevent spamming. Captcha, akismet, counting URLs in the submitted text, anything...

Captchas are not excessively annoying since each person only needs to go through them once, during registration. The current system is potentially much more annoying once spam gets in, since it affects everyone.

Redmine suits my purposes perfectly on all counts ... except for this one. For an example for how little it takes: bbPress has a simple "1+2" type signup question and Akismet filtering (both as plugins), and that's plenty to keep all the junk out. One could always implement more advanced mechanisms later, especially if it can all be done via plugins.

My Ruby fu level is way too low to create these plugins alas, but please consider bumping the priority on this issue. From the responses above it seems that a lot more people would be very grateful.

Are any Redmine developers able to comment on this? It'd be lovely to know if this is possible or planned.

I'd contribute myself, if I knew anything about Ruby, but unfortunately I do not.

Having things like "[Project - Bug #485] (New) indian generic viagra" emailed to clients doesn't look very professional!

+1, seems pretty essential

I took a first stab at a Redmine plugin that adds a recaptcha to the user self registration page.

http://github.com/srstclair/redmine_recaptcha

A tester would be great, as it's my first ruby/rails/redmine/git endeavor and I'm sure I left something out.

Also, the plugin currently entirely overrides the account_controller's register method. There may be a better way to do this, but it seemed like the recaptcha verification needed to be inserted in the middle of the method logic...

Note: the plugin currently only handles user self registration and not anonymous issues. It shouldn't be too hard to apply the same method to the issue view and controller, though.

Thank you Shane StClair for your nice plugin with recaptcha. I really hope one day this thing will be in the main redmine repo (with, why not, an option).

Thanks for this plugin. Perhaps it should also protect the "Lost Password" form as this can be abused too.

I could not make it work with current trunk, anybody had more success?

I also support adding a capthca as we get a lot of anonymous spam ticket posts

Nearly three years onwards, with no resolution of this "New" issue.

Could someone with the appropriate fu-level please flag this issue as rejected, abandoned, shelved, or somethin' ?

+1. This is the only issue I have with this software. We need it to be open, but get a fair bit of spam through it.

Jean-Claude Wippler wrote:

Nearly three years onwards, with no resolution of this "New" issue.

Could someone with the appropriate fu-level please flag this issue as rejected, abandoned, shelved, or somethin' ?

+1. This is the only issue I have with this software. We need it to be open, but get a fair bit of spam through it.

I wonder how much spam this forum itself gets, see #6991 for an example which hasn't been cleaned up for a month.

It would seem to me that keeping spam out instead of having to clean it up afterwards is less work, in the long run. Not to mention the time to deal with discussions like these.

Having said that, my sympathies go to Jean-Philippe - apart from one other contributor working on SCM systems, he appears to be the only one working on Redmine. I hadn't realized until now that it's essentially a one-man show.

The plugin redmine_recaptcha works great on redmine 1.1.0. http://github.com/srstclair/redmine_recaptcha

I just had to replace in the file vendor/plugins/recaptcha/lib/recaptcha/client_helper.rb, line 39:

return html.html_safe
by
return html

But some captchas are tough to solve.

Christophe Bourcier wrote:

I just had to replace in the file vendor/plugins/recaptcha/lib/recaptcha/client_helper.rb, line 39:

return html.html_safe
by
return html

Thanks Christophe! I haven't been able to test this fix, but I updated the plugin with this fix. Hopefully that resolves the issues that people have been having with newer versions.

https://github.com/srstclair/redmine_recaptcha

Update: confirmed compatibility with current trunk (1.1.1.devel.4802) and moved reCAPTCHA key settings to Administration/Plugins/Configure.

http://www.redmine.org/plugins/redmine_recaptcha

Christophe's fix needs to be done in ambethia's recaptcha (helper) plugin.

Someone already made the pull request: https://github.com/ambethia/recaptcha/pull/31

Guys. I'm getting no less than 3 spam issues/replies to issues per hour! around 72 per day. I don't know ror, but I'm willing to patch, follow instructions, and break anything to get a captcha in there if I'm given the steps! HELP!

You might try this fork of my captcha plugin:

https://github.com/egroeper/redmine_recaptcha

From the commit comments it looks like he added captchas to anonymous issues, but I haven't experimented with it. If it works for you, please report back and I'll try to incorporate his changes.

Afraid not. It broke my redmine issue page (titles aren't appearing). Wonder how to uninstall it? Adding or replying to issues didn't introduce a captcha either :( Now I'm getting around 12 spams/hour. This is driving me nuts :(

Try ruby script/plugin remove redmine_recaptcha from the Redmine directory.

Please add my voice to that. I was very happy with redmine until I realized no less than 3 spam accounts registered within the past 24 hours, and aside from setting signup to manual activation couldn't find a feature to stop them.

Seriously, any tool with anonymous contributions (issues, comments, even user pages) that doesn't contain anti-spam filters should be considered fundamentally broken.

Please, please, please add (re)captcha support to Redmine as built-in. It drastically reduces automated spammer signup.

And while I'm at it: please add Akismet support as built-in as well. It does marvels at filtering nonense entries.

Anything new about this issue?

Post moderated by Mischa The Evil, 02-02-2017; awaiting deletion.

I guess the above spam comment means "+1" :)

https://github.com/yaccz/redmine-spam-users might be useful once you have too much spam accounts to deal with manually.

+1