Seems Anubis itself is not enough to defend Gerrit from out of order status …
cc: @kallisti5
Gerrit does not use anubis
Today I’ve got the following 403 error after following a link to dev.haiku-os.org from a Google search: “Access to data an honored privilege, which you don’t maintain” (Ouch! That’s harsh).
It’s easily reproducible if you search for a Trac issue via Google and open the link, e.g: first link of the “dev.haiku-os.org bfs kdl” search.
The behavior stays until you open dev.haiku-os.org manually.
The links to Trac are still not displayed correctly, instead “Making sure you’re not a bot!” text is displayed as in the example above. Can it be fixed?
I tried it with three different search engines (Mojeek, Heexy and DuckDuckGo) as well as direct access to the page, each time with a fresh private window, and could not reproduce the error as shown above.
The Anubis challenge comes up each time, works for a second and lets me continue to the site.
Maybe try opening the link in a private window, or try if using one of the other search engines fixes it for you.
It’s Google specific and reproduces in a private window every time. The weird thing is that Anubis lets the request go, but then the 403 is displayed by the Trac site itself.
Today I get that Error 403 on cgit after clicking a link to a Git commit on the Haiku homepage, and even when trying to visit the same link directly in a fresh private window.
Judging by this morning’s thoroughly be-spammed inbox, there are scams the mighty Anubis is powerless against.
Yeah that’s awful. I reached my flag quota in 2 mins.
I have disabled new user registrations for now. That should stop it, but the existing users will continue spamming. I did some manual cleanup but I don’t want to spend my week deleting these posts one by one…
Are they all AI bots ?
It looks like it. And even funnier than that: I think what they’re trying to do is poisoning search engine AI bots to provide fake phone numbers for various airlines’ support numbers when people search for that. I guess the number will be either trying to scam people by asking for their credit card details, or just an over-charged number where the scammer wins a few cents with every call (and will keep people on hold as long as possible to earn more, maybe?).
So, AI fighting other AI, and our forum is their battleground…
I missed what exactly happened today but this sort of spam has been recurring for months, it was largely dealt with quickly by flags or moderators though…
@Starcrasher You are not trust level 3 because of the arbitrary likes requirement, I have set your level up to 3… that should give you more flags if I am not mistaken…
Edit: Sorry, I am blind… cleaned up all the spam topics
This morning there were several hundred messages, Humdinger tried to clean them up but new messages were appearing faster than he could delete them. This is more targeted than the usual slow trickle of spam we usually get.
I was deleting them one by one to also block the IPs and the users at the same time (I think it doesn’t happen if you simply delete the topics).
I doubt IP blocking is very effective against these kinds of attacks.
I have done a bulk delete of the topics, and I was going to delete the users created today with 0 posts too now… I could hold off if you’d rather try IP banning them though
EDIT: I deleted and IP banned them, even though I still think that is a bit pointless…
The IP blocking probably would need to be in a wider scale to really work, I don’t know. I didn’t check how many IPs there were. The spammer does not necessarily have hundreds of machines and IP addresses, even with one machine you can do quite a bit of damage here.
Anyway, for now the effective measure is blocking all new user registrations. But we can’t keep it like that for too long. So we’ll have to figure out something else to filter these. At worst it will be manual approval of the first post by every new user by the moderators. Not fun to do but it would surely slow down these attacks (the attacker would have to create a lot of new accounts with plausible first posts over a long time, and then later on use them all to post spam).
It can be a bit annoying, but I would be okay with that. I already get to approve posts the forum thinks have been written too quickly, so this should be fine as well, even if somewhat more work.
Bots get smarter these days, and they can bypass approval of the first post by copying an older legit post somehow, and paste that one as their first “post”. I’ve seen that happening in another forum. A way to prevent this is to make first ten posts hidden until they are approved by a moderator, and as a new user you have restrictions on how often you can post. This means more work for the moderators, and I guess bots already have a way to bypass even that.
Spammers are always one step ahead, but at least you can delay them hoping they will go for another, easier target.
A newcomer realizes that he is shadow banned for some reason and leaves the forum.
Though it’s hard to figure out a solution that is not hostile in some way.
As I said, if the first post needs to be moderated, it would considerably slow things down. I would not wake up to 1000 spam messages unless the spammer has created 1000 users in advance and got them approved by moderators.
This means new users can’t join the forum in any meaningful way. Which seems more annoying than having to deal with spam messages from time to time. And it’s more work for the moderators as well (deleting the spam messages took me a few hours in the background while doing other things, or you can be smarter like Nephele and batch it instead of doing it one by one).