Protect the registration against bots / Confirming users #1339

Open
nilsnolde opened this issue Jan 19, 2024 · 3 comments
Labels
Status: Needs discussion Additional discussion/feedback is needed Type: Feature An idea for a new feature

Comments

@nilsnolde

I'm actually surprised this becomes a problem only now for us: we have a bunch of bots registering on our Engelsystem. They should be pretty harmless, I doubt any of those idiots out there wants to bomb OSS conferences.

Still, maybe it'd be a good idea to add some form of protection to the registration site, such as a captcha, email confirmation or others. If it helps, MediaWiki has an extension written in PHP: https://github.com/wikimedia/mediawiki-extensions-ConfirmEdit.

@nilsnolde
Author

Or how do others protect their Engelsystem from bots registering?

@MyIgel
Member

MyIgel commented Jan 27, 2024

Up to today I haven't heard of problems regarding bots that register accounts. Do you know if it's some more specialized "attack" or generic "create a user and have a look what sticks"?
The generally more helpful way would be to implement email confirmation and deletion of accounts that are not confirmed (which is a goal to be implemented soon(TM)).

If they are "generic" bots, something like adding another "hidden" form that gets filled out by bots but can't be seen by humans might be an option too. The basic point hereby is: nowadays most captchas that have to be solved by users are even easier solved by bots, so if it's a targeted attack we are screwed anyway, but if it's "by chance" / "random" we might get away by using pretty "dumb" countermeasures.

@MyIgel MyIgel added Status: Needs discussion Additional discussion/feedback is needed Type: Feature An idea for a new feature labels Jan 27, 2024
@nilsnolde
Author

From what I saw when I opened this, it was the “generic” kind, not very targeted. I guess more like “hey there is a registration form, let’s do that” and that was it. That’s why I’m thinking it’s pretty harmless, but could of course lead to bogging down the server if it’s done at scale.

Agreed that email confirmation & removing unconfirmed accounts after some grace period goes a long way too. However, that QuestyCaptcha from MediaWiki seems quite effective, esp. for conferences where you can expect registering people to have some context knowledge to set up the right questions, and expect bots to not use serious ML 😄 I think Wikipedia had their share of learning over the years, but of course that doesn’t make it “2023 proof” necessarily. We’re running it with the QuestyCaptcha as well, and I can’t see any obvious bot accounts there.

I’ll observe over the next weeks and report back.

@MyIgel MyIgel changed the title Protecting the registration form Protect the registration against bots / Confirming users Feb 18, 2024
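
The two low-effort measures discussed in this thread, a hidden form field that only generic bots fill in and email confirmation with deletion of unconfirmed accounts after a grace period, sketched as an added example. This is not Engelsystem code and not written by the participants; the field name, the seven-day grace period and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// All names below are hypothetical, chosen for this example only.
const HONEYPOT_FIELD = 'website';             // present in the form, hidden from humans with CSS
const CONFIRM_GRACE_SECONDS = 7 * 24 * 3600;  // assumed grace period: 7 days

/** True when the hidden field was filled in; a human never sees it, a generic form-filler does. */
function looksLikeBot(array $post): bool
{
    return trim((string) ($post[HONEYPOT_FIELD] ?? '')) !== '';
}

/** New unconfirmed account; the plain token goes into the e-mail, only its hash is stored. */
function registerUser(string $email, int $now): array
{
    $token = bin2hex(random_bytes(32));
    $user = ['email' => $email, 'created_at' => $now, 'confirmed' => false,
             'token_hash' => hash('sha256', $token)];
    return [$user, $token];
}

/** Marks the account confirmed if the token matches and the grace period has not passed. */
function confirmUser(array $user, string $token, int $now): array
{
    $fresh = ($now - $user['created_at']) <= CONFIRM_GRACE_SECONDS;
    if ($fresh && hash_equals($user['token_hash'], hash('sha256', $token))) {
        $user['confirmed'] = true;
    }
    return $user;
}

/** Periodic cleanup: keep confirmed accounts and unconfirmed ones still inside the grace period. */
function purgeUnconfirmed(array $users, int $now): array
{
    return array_values(array_filter($users, fn(array $u): bool =>
        $u['confirmed'] || ($now - $u['created_at']) <= CONFIRM_GRACE_SECONDS));
}

// Constructed sample data, not real submissions.
$now = 1706000000;
var_dump(looksLikeBot(['email' => 'a@example.org', 'website' => 'http://spam.example']));
var_dump(looksLikeBot(['email' => 'b@example.org', 'website' => '']));
[$angel, $token] = registerUser('b@example.org', $now);
[$stale] = registerUser('c@example.org', $now);
$angel = confirmUser($angel, $token, $now + 3600);
$kept = purgeUnconfirmed([$angel, $stale], $now + CONFIRM_GRACE_SECONDS + 1);
echo count($kept), ' account(s) kept: ', $kept[0]['email'], PHP_EOL;
```

A submission flagged by `looksLikeBot` is best answered with the same generic response as a successful one, so the form does not reveal which field triggered the rejection.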