
Help Defend MDN!


Justin Crawford

Jan 27, 2015, 12:44:16 PM
to dev-webdev
Hello Webdevs,

MDN is under attack. Since mid-December, spammers have posted
dozens/hundreds of spammy pages per week. Some posts seem to be experiments
designed to learn MDN's vulnerabilities and identify new vectors for spammy
content.

We've implemented a number of measures, and have others filed/planned[0].

We have reviewed good spam-fighting advice from MediaWiki[1] and
StackOverflow[2], which inform our planned work.

I'm writing today to ask if anyone...
* Has ideas for combating wiki spam with minimum engineering that keep our
contribution pathways open and aren't already covered by sources above. If
you are an expert on this topic, we want to hear from you.
* Has spare engineering cycles to devote to obliterating spam on MDN. If
you do and you have deep Django skills, please reach out to me or
groovecoder in #mdndev.

Thanks,
Justin

[0] http://mzl.la/1JB5mHZ (A small number of our implemented/planned
measures are not listed because they are not public bugs.)
[1] http://www.mediawiki.org/wiki/Manual:Combating_spam
[2]
http://meta.stackexchange.com/questions/2765/how-does-stack-overflow-handle-spam/2768#2768

Justin Crawford
Product Manager, MDN
hoos...@mozilla.com

Peter Bengtsson

Jan 27, 2015, 1:50:53 PM
to Justin Crawford, dev-webdev
I see no mention of recaptcha in the list of bugs.
http://www.google.com/recaptcha/intro/index.html
Is that deliberate? Or, if not, that's my tip :)

I suspect that combating this would require some hip-deep comfort level
with the code and the analytics you have and not something someone can
quickly jump in and help on.





--
Peter Bengtsson
Mozilla Web Engineering

Justin Crawford

Jan 27, 2015, 2:05:31 PM
to Peter Bengtsson, dev-webdev
>
> I see no mention of recaptcha in the list of bugs.
> http://www.google.com/recaptcha/intro/index.html
> Is that deliberate? Or, if not, that's my tip :)
>

Discussions involving CAPTCHA always include some amount of general
accessibility concern. I know reCAPTCHA has an audible option that may
mitigate some of these. Any informed opinions on this list?


> I suspect that combating this would require some hip-deep comfort level
> with the code and the analytics you have and not something someone can
> quickly jump in and help on.


In some cases, sure. But we have bugs that only require solid webdev
knowledge (for example, https://bugzilla.mozilla.org/show_bug.cgi?id=1124358)
and we have bugs that only require Django knowledge (
https://bugzilla.mozilla.org/show_bug.cgi?id=1119545, adding honeypots,
etc.). So I would encourage any solid developer with time and enthusiasm to
reach out!

Justin Crawford
Product Manager, MDN
hoos...@mozilla.com




Peter Bengtsson

Jan 27, 2015, 2:12:16 PM
to Justin Crawford, dev-webdev
On Tue, Jan 27, 2015 at 11:05 AM, Justin Crawford <hoos...@mozilla.com>
wrote:

> I see no mention of recaptcha in the list of bugs.
>> http://www.google.com/recaptcha/intro/index.html
>> Is that deliberate? Or, if not, that's my tip :)
>>
>
> Discussions involving CAPTCHA always include some amount of general
> accessibility concern. I know reCAPTCHA has an audible option that may
> mitigate some of these. Any informed opinions on this list?
>
>
Truth be told. I haven't implemented it yet.

But I want to make it clear for people who missed the announcements about
this late last year.
The new reCaptcha from Google is very different from the old one.
It's no longer (just) about reading hard-to-decipher squiggly text snippets
but now about so much more.
They measure how the mouse moves for example to tell if it's humanish. They
also use more advanced metrics on the combination of IP and user agent.

I don't have any good links but I've heard good things about it on the
twittersphere and some other places.

Justin Crawford

Jan 27, 2015, 2:14:44 PM
to Peter Bengtsson, dev-webdev
Great, I will check out reCAPTCHA.

That being said... much of our spam right now is coming from humans.

Justin Crawford
Product Manager, MDN
hoos...@mozilla.com


Wil Clouser

Jan 27, 2015, 3:53:50 PM
to Peter Bengtsson, Justin Crawford, dev-webdev
There is a beta recaptcha (supposed to come out in 2015) which
includes two new features:

1) what they were calling "No CAPTCHA reCAPTCHA" which lets "valid
users" bypass it altogether (likely this means you're logged in to a
google account)

2) monetization, although details are light on what that would mean

I haven't seen announcements about them yet this year so maybe it's a
bit early to start planning to use them though.

Wil


Chris Van Wiemeersch

Jan 27, 2015, 10:56:37 PM
to Wil Clouser, Peter Bengtsson, Justin Crawford, dev-webdev
I recommend a honey-pot CAPTCHA solution we came up with (but didn't
invent) called PotatoCaptcha™:
https://github.com/mozilla/zamboni/blob/b1c1a1c/mkt/api/serializers.py#L12-L26

The code is available as a Django library:
https://github.com/cvan/django-potato-captcha

But can be recreated in Node, or any other language, quite easily.
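
The honeypot idea raised in this thread (form fields a person never sees, which automated submitters fill in or alter), as an added example that is not part of the original posts and is not the PotatoCaptcha code. The field names `alt_homepage` and `form_check`, the value `unchanged`, and the sample submissions are assumptions made up for this sketch.

```python
from urllib.parse import parse_qs

# Hypothetical field names for this example. Pick a trap name that browser
# autofill and password managers will not recognise, or real users get blocked.
TRAP_FIELD = "alt_homepage"   # hidden with CSS; a person never types into it
CANARY_FIELD = "form_check"   # hidden input rendered with a fixed value
CANARY_VALUE = "unchanged"


def honeypot_verdict(body):
    """Return (accepted, reason) for a urlencoded form submission."""
    # keep_blank_values=True so an empty-but-present trap field is retained.
    form = parse_qs(body, keep_blank_values=True)

    # Repeated keys mean the request was not produced by our rendered form.
    for name in (TRAP_FIELD, CANARY_FIELD):
        if len(form.get(name, [])) > 1:
            return False, "duplicate field: " + name

    # A browser always sends the hidden field, even when it is empty.
    if TRAP_FIELD not in form:
        return False, "trap field missing"
    if form[TRAP_FIELD][0] != "":
        return False, "trap field filled"
    if form.get(CANARY_FIELD, [""])[0] != CANARY_VALUE:
        return False, "canary field modified"
    return True, "ok"


# Constructed sample submissions (not real traffic).
SAMPLES = {
    "human": "title=Array.map&content=Docs+fix&alt_homepage=&form_check=unchanged",
    "fills_everything": "title=Buy&content=spam"
                        "&alt_homepage=http%3A%2F%2Fx.example&form_check=unchanged",
    "rewrites_hidden": "title=Buy&content=spam&alt_homepage=&form_check=1",
    "skips_form": "title=Buy&content=spam",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, honeypot_verdict(body))
```

A check like this only filters automated submissions; it does nothing against spam typed in by a person using a real browser.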

Schalk Neethling

Jan 27, 2015, 11:48:39 PM
to Justin Crawford, Peter Bengtsson, dev-webdev
"Discussions involving CAPTCHA always include some amount of general
accessibility concern. I know reCAPTCHA has an audible option that may
mitigate some of these. Any informed opinions on this list?"

I completely agree, and in general this is a problem but, having looked at
the new Google reCaptcha No Captcha, I believe the accessibility problems
go away (although I will test and ping Marco) as it is just simple form
fields. It seems really promising.

The Akismet solution also sounds promising and having used it for a long
time on various blogs, I have found it to be very effective in combating
spam comments. Using this on MDN will obviously not be free and the
licensing costs might be very steep but, worth a try/test.


On Tue, Jan 27, 2015 at 9:05 PM, Justin Crawford <hoos...@mozilla.com>
wrote:

> >
> > I see no mention of recaptcha in the list of bugs.
> > http://www.google.com/recaptcha/intro/index.html
> > Is that deliberate? Or, if not, that's my tip :)
> >
>
> Discussions involving CAPTCHA always include some amount of general
> accessibility concern. I know reCAPTCHA has an audible option that may
> mitigate some of these. Any informed opinions on this list?
>
>
Kind Regards,
Schalk Neethling
Senior Front-End Engineer
Mozilla

Schalk Neethling

Jan 28, 2015, 5:41:29 AM
to Justin Crawford, Peter Bengtsson, dev-webdev
Hey All,

I reached out to Marco, as mentioned in my previous mail, below are his
thoughts:

"Although I'm not a fan of CAPTCHAs at all, and think there should be
better, server-side mechanisms put in place to solve the problem, I am
all right with MDN using the new RECAPTCHA. It has made significant
improvements for people with visual impairments. You can read about some
testing results done by Erik Featherstone and his team here:
http://simplyaccessible.com/article/googles-no-captcha/

Also, watch these videos:
https://www.youtube.com/watch?v=X0NfBYcbe3I
https://www.youtube.com/watch?v=E42PGd2Ytl0
https://www.youtube.com/watch?v=Z55rnQ4xBgg

On the other hand, I would like to make you aware of this, too, a piece
written by Karl Groves about captcha-less security:
http://www.karlgroves.com/2012/04/03/captcha-less-security/

So if we absolutely must use a captcha, the new recaptcha is fine, for
the most part. Let's just hope that most screen reader users wanting to
contribute will use Firefox with a screen reader to do so. ;)"

Justin Crawford

Jan 29, 2015, 11:53:36 AM
to Schalk Neethling, Peter Bengtsson, dev-webdev
Thanks Schalk (and Marco!). I filed a bug for adding reCAPTCHA; that will
be a good place for any concerns to come out.

https://bugzilla.mozilla.org/show_bug.cgi?id=1126784

Justin Crawford
Product Manager, MDN
hoos...@mozilla.com


Matthew Claypotch

Jan 29, 2015, 12:02:05 PM
to Justin Crawford, Peter Bengtsson, dev-webdev, Schalk Neethling
reCAPTCHA is good stuff, but I recommend you don't overlook the honeypot
captcha systems cvan mentioned earlier: invisible form fields that bots
fill/modify but users can't see.


Justin Crawford

Jan 29, 2015, 12:22:59 PM
to Matthew Claypotch, Peter Bengtsson, dev-webdev, Schalk Neethling
Yeah, honeypots are higher on our list than CAPTCHA. :)

https://bugzilla.mozilla.org/show_bug.cgi?id=1119532
https://bugzilla.mozilla.org/show_bug.cgi?id=1124390

Justin Crawford
Product Manager, MDN
hoos...@mozilla.com
