Currently I am dealing with 1-3 failed account creations a day due to our spam checking tool, basset.
Basset is the tool which sits in the account system creation path and tries to check to see if an account is semi-valid or not. This was written by Patrick Uiterwijk about 4 to 5 years ago to deal with a large increase of spam accounts from a group who were paying people to get past other spam tools versus using scripts. We came up with various heuristics and tools to make for a general 'oh you are using a one-time-email system.. no account for you' and other checks.
However it is almost a full time job to keep up with all the various spam groups' methods for creating fake accounts for whatever they want. I haven't put much time into it since 2018 and the heuristics that basset is using to judge whether a person has a valid account or not are way out of date. The spam groups have also gotten more sophisticated in creating accounts so we are more likely to allow a spammer in than a 'ham'-mer.
I am not sure what to do.. I do not know how hard it would be to pull basset out of the system and I do not have the time to update/fix/improve Patrick's code on this. So I figured it would be good to get some feedback on this.
On Fri, May 15, 2020 at 1:58 PM Stephen John Smoogen smooge@gmail.com wrote:
> Currently I am dealing with 1-3 failed account creations a day due to our spam checking tool, basset.
> Basset is the tool which sits in the account system creation path and tries to check to see if an account is semi-valid or not. This was written by Patrick Uiterwijk about 4 to 5 years ago to deal with a large increase of spam accounts from a group who were paying people to get past other spam tools versus using scripts. We came up with various heuristics and tools to make for a general 'oh you are using a one-time-email system.. no account for you' and other checks.
> However it is almost a full time job to keep up with all the various spam groups' methods for creating fake accounts for whatever they want. I haven't put much time into it since 2018 and the heuristics that basset is using to judge whether a person has a valid account or not are way out of date. The spam groups have also gotten more sophisticated in creating accounts so we are more likely to allow a spammer in than a 'ham'-mer.
> I am not sure what to do.. I do not know how hard it would be to pull basset out of the system and I do not have the time to update/fix/improve Patrick's code on this. So I figured it would be good to get some feedback on this.
Disabling it is very simple. Just remove all the config lines at https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/fas_ser... .
An alternative could be to just increase the required spam-score from Basset to *very* high numbers (in the thousands), so it never sees someone as spam. That last one would mean it also doesn't need changes in the other apps that might be integrated with it, and it would still get all the useful info.
-- Stephen J Smoogen.
On Fri, 15 May 2020 at 08:34, Patrick Uiterwijk puiterwijk@redhat.com wrote:
> On Fri, May 15, 2020 at 1:58 PM Stephen John Smoogen smooge@gmail.com wrote:
>> Currently I am dealing with 1-3 failed account creations a day due to our spam checking tool, basset.
>> Basset is the tool which sits in the account system creation path and tries to check to see if an account is semi-valid or not. This was written by Patrick Uiterwijk about 4 to 5 years ago to deal with a large increase of spam accounts from a group who were paying people to get past other spam tools versus using scripts. We came up with various heuristics and tools to make for a general 'oh you are using a one-time-email system.. no account for you' and other checks.
>> However it is almost a full time job to keep up with all the various spam groups' methods for creating fake accounts for whatever they want. I haven't put much time into it since 2018 and the heuristics that basset is using to judge whether a person has a valid account or not are way out of date. The spam groups have also gotten more sophisticated in creating accounts so we are more likely to allow a spammer in than a 'ham'-mer.
>> I am not sure what to do.. I do not know how hard it would be to pull basset out of the system and I do not have the time to update/fix/improve Patrick's code on this. So I figured it would be good to get some feedback on this.
> Disabling it is very simple. Just remove all the config lines at https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/fas_ser... .
> An alternative could be to just increase the required spam-score from Basset to *very* high numbers (in the thousands), so it never sees someone as spam. That last one would mean it also doesn't need changes in the other apps that might be integrated with it, and it would still get all the useful info.
That is probably the better plan. The tool has been very useful.. it is just needing someone to do the tuning work or to expand it to do that learning itself. I do not have that time, and I would prefer that people knew that versus expecting it to improve by itself.
> I am not sure what to do.. I do not know how hard it would be to pull basset out of the system and I do not have the time to update/fix/improve Patrick's code on this. So I figured it would be good to get some feedback on this.
So, I guess the new AAA system doesn't have to integrate with Basset after all, right?
On Fri, May 15, 2020 at 07:08:43PM +0200, Aurelien Bompard wrote:
>> I am not sure what to do.. I do not know how hard it would be to pull basset out of the system and I do not have the time to update/fix/improve Patrick's code on this. So I figured it would be good to get some feedback on this.
> So, I guess the new AAA system doesn't have to integrate with Basset after all, right?
Well, I think we were hoping to not keep "maintaining" basset moving forward, but I guess we could revisit this.
If we don't integrate with basset, ideally for me, it would just be resistant to invalid users. Note that just requiring people to answer/something in email isn't enough, we had people automate that part just fine. ;( Not sure what the best way forward is there...
kevin
On Fri, May 15, 2020 at 09:32:21AM -0400, Stephen John Smoogen wrote:
> On Fri, 15 May 2020 at 08:34, Patrick Uiterwijk puiterwijk@redhat.com wrote:
...snip...
>> An alternative could be to just increase the required spam-score from Basset to *very* high numbers (in the thousands), so it never sees someone as spam. That last one would mean it also doesn't need changes in the other apps that might be integrated with it, and it would still get all the useful info.
> That is probably the better plan. The tool has been very useful.. it is just needing someone to do the tuning work or to expand it to do that learning itself. I do not have that time, and I would prefer that people knew that versus expecting it to improve by itself.
Yeah, the timesink is mostly 'spamcheck_manual' people. If we could adjust things so those just got passed I think it would go a long way to reducing this.
kevin