Feature #675

Anti-spam or captcha for issues

Added by Liang Jin almost 12 years ago. Updated over 1 year ago.

Status:NewStart date:2008-02-16
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Issues
Target version:-
Resolution:

Description

Redmine is definitely gaining big popularity! Even among spammers!

Today, I got two spam issue notes from Anonymous user (we would like to allow anonymous user to submit issue and issue notes). Anyone experiencing the same issue?

Would it make sense to add in a captcha when adding an issue? Or pass it on to an anti-spam service, like Akismet or defensio?

recaptchaplugin_add_ajax_api_support.patch Magnifier (2.1 KB) evan wheeler, 2008-07-07 17:24

redmine_environmentrb_recaptcha.diff Magnifier (826 Bytes) evan wheeler, 2008-07-07 17:24

redmine_issues_controllerrb_recaptcha.diff Magnifier (848 Bytes) evan wheeler, 2008-07-07 17:24

redmine_newrhtml_recaptcha.diff Magnifier (498 Bytes) evan wheeler, 2008-07-07 17:24


Related issues

Related to Redmine - Feature #3283: Website: Install Mollom or similar spam deterrent New 2009-05-02
Related to Redmine - Feature #1354: akismet for spam filtering New 2008-06-02
Related to Redmine - Feature #5274: Add hook allowing AuthSources to supply a CAPTCHA challenge Reopened 2010-04-08
Related to Redmine - Feature #2340: Self-registration needs captcha New 2008-12-15
Duplicated by Redmine - Feature #6897: request captcha to elimate spam bot tickets Closed 2010-11-15

History

#1 Updated by Leandro Lucarella over 11 years ago

Captchas will be useful too for other modules, like Wiki, Boards, etc.

A really cool mix between anti-spam service and captchas is reCAPTCHA. Every captcha you resolve, you help to scan books from The Internet Archive.

#2 Updated by evan wheeler over 11 years ago

We've been getting spam issues in redmine as well, and have implemented reCAPTCHA using the reCAPTCHA rails plugin. We have submitted an enhancement patch to the plugin to use the reCAPTCHA AJAX API so it will work in redmine when the tracker is changed, but it hasnt been put into the trunk yet.
I've attached our patch for the recaptcha plugin as well as patches for including it in redmine issue submission.
Just install the plugin into /vendors, apply the patches, and put your recaptcha keys in your environment.rb
Cheers

#3 Updated by evan wheeler over 11 years ago

evan wheeler wrote:

We've been getting spam issues in redmine as well, and have implemented reCAPTCHA using the reCAPTCHA rails plugin. We have submitted an enhancement patch to the plugin to use the reCAPTCHA AJAX API so it will work in redmine when the tracker is changed, but it hasnt been put into the trunk yet.
I've attached our patch for the recaptcha plugin as well as patches for including it in redmine issue submission.
Just install the plugin into /vendors, apply the patches, and put your recaptcha keys in your environment.rb
Cheers

you can find the recaptcha rails plugin here: http://ambethia.com/recaptcha/files/README_rdoc.html

#4 Updated by Derek Montgomery about 11 years ago

Any chance to have something officially implemented??
I am getting A LOT of spams those days :(

#5 Updated by James Turnbull about 11 years ago

Any chance of this getting into trunk? It'd be a great feature.

#6 Updated by Muntek Singh about 11 years ago

+1

I'd also love to see some sort of captcha (recaptcha or xkcd style) for user registration

#7 Updated by Jean-Baptiste Barth almost 11 years ago

IMHO Captcha systems are very annoying for human people, and there are smarter ways to differentiate human from bots if your site is not specifically targeted by spammers.

You should consider using a "inverse/negative captcha", which is a great solution in such a case. The principle is to have a mandatory email field which do not have an explicit name, and next to it a trap email field for spambots, which is hidden via CSS. When the trap field is filled, entry is automatically considered as spam and refused.

You can see here an implementation for Mephisto blogging system.

Any opinion about that ?

#8 Updated by Adam Knight almost 11 years ago

This is very important for public systems. Please consider this RSN.

#9 Updated by Andrew Kouznetsov over 10 years ago

+1 for implementation
Here is another variant of realisation captcha in Issues

#10 Updated by Jacob Moen over 10 years ago

Jean-Baptiste Barth wrote:

IMHO Captcha systems are very annoying for human people, and there are smarter ways to differentiate human from bots if your site is not specifically targeted by spammers.

That's your opinion.
I happen to like reCaptcha better than I like any other dirty hack.
Your suggestion seems very easy for a spam bot to work around.

I vote for reCaptcha and Akismet. :)

#11 Updated by Adam Knight over 10 years ago

What's it going to take to get traction on this? I can't turn on public use on my site until this is done, the community clearly wants it, patches have been made, so what else is needed?

#12 Updated by david austin about 10 years ago

I also believe this is a very important issue and would like to see it put into the system/s/ David www.bible.org

#13 Updated by Mitch Guthrie about 10 years ago

I want to also throw in a request to get some sort of spam filtering system in Redmine. I really don't care if it's a captcha or some other spam monitoring technique but something definitely needs to done as this is a huge issue for many.

Furthermore there are more posts on redmine.org all requesting such a feature and to date I can't see that anyone from Redmine has officially responded or given a roadmap for this particular feature.

How does Redmine.org handle spam issues?

#14 Updated by Chris Miller about 10 years ago

Mitch Guthrie wrote:

I want to also throw in a request to get some sort of spam filtering system in Redmine. I really don't care if it's a captcha or some other spam monitoring technique but something definitely needs to done as this is a huge issue for many.

Furthermore there are more posts on redmine.org all requesting such a feature and to date I can't see that anyone from Redmine has officially responded or given a roadmap for this particular feature.

How does Redmine.org handle spam issues?

By having Wikipedia-like fascist moderators who delete any and all spam so we can pretend it's not a problem.

#15 Updated by Eric Davis about 10 years ago

It hasn't been an issue for me because I require registration to post to my Redmine.

To address the spam problem, I think this should be done by a plugin. That way it's an optional feature and you could pick whatever scheme works best (e.g reCaptcha, Akismet, simple math, reverse captcha). I'm pretty sure there is everything a plugin would need to catch spam on issue submission. Forums might need a hook to two.

#16 Updated by G N about 10 years ago

+1 for implementation as a plugin.

At least, there must be a mechanism to prevent automatic user registrations. It is very unfortunate that Redmine lacks such a mechanism by default.

I have never programmed in Ruby, otherwise I would give this a try.

#17 Updated by Christoph Kappel almost 10 years ago

Hard to believe that there still is nothing to prevent spam and Redmine seems to get more and more attention. All spam accounts on my instance seems to have firstname == lastname which is easy to sort out: I just added another validation to the user model that prevents this.

# Spam
validates_each :firstname do |record, attr, value|
  if(record.read_attribute(:lastname) == value)
    record.errors.add(attr, "and Lastname must be unique")
  end
end

A bit hacky but it does the job and is not so difficult to apply to new changesets/versions. Hopefully there will be a full blown spam protection in the future.

#18 Updated by Troex Nevelin over 9 years ago

Christoph Kappel wrote:

A bit hacky but it does the job and is not so difficult to apply to new changesets/versions. Hopefully there will be a full blown spam protection in the future.

Thanks! I hit the same problem on mine, your hack save's my time and nerves!

#19 Updated by Sebastian Skuse over 9 years ago

Are there any updates with this?

Recently we've been getting 'blogspam' (i.e. a load of links to undesirable sites) on our Redmine issues page, - about 5 - 10 a week. We like to keep issue creation open as we work on open source software, and it lowers the barriers for participation.

I did a search for a plugin but no such luck. Would it be possible to include this as an option or a plugin that can just be installed without hacking around with the source?

Thanks. Great software by the way !

#20 Updated by Jean-Claude Wippler over 9 years ago

This feature was proposed 2.5 years ago.

I'm looking for an issue tracker / wiki / forum system which lets people register without human interaction (because that's immediate in any time zone), yet has some measures in place to prevent spamming. Captcha, akismet, counting URLs in the submitted text, anything...

Captchas are not excessively annoying since each person only needs to go through them once, during registration. The current system is potentially much more annoying once spam gets in, since it affects everyone.

Redmine suits my purposes perfectly on all counts ... except for this one. For an example for how little it takes: bbPress has a simple "1+2" type signup question and Akismet filtering (both as plugins), and that's plenty to keep all the junk out. One could always implement more advanced mechanisms later, especially if it can all be done via plugins.

My Ruby fu level is way too low to create these plugins alas, but please consider bumping the priority on this issue. From the responses above it seems that a lot more people would be very grateful.

#21 Updated by Sebastian Skuse about 9 years ago

Are any Redmine developers able to comment on this? It'd be lovely to know if this is possible or planned.

I'd contribute myself, if I knew anything about Ruby, but unfortunately I do not.

Having things like "[Project - Bug #485] (New) indian generic viagra" emailed to clients doesn't look very professional!

#22 Updated by Shane StClair about 9 years ago

+1, seems pretty essential

#23 Updated by Shane StClair about 9 years ago

I took a first stab at a Redmine plugin that adds a recaptcha to the user self registration page.

http://github.com/srstclair/redmine_recaptcha

A tester would be great, as it's my first ruby/rails/redmine/git endeavor and I'm sure I left something out.

Also, the plugin currently entirely overrides the account_controller's register method. There may be a better way to do this, but it seemed like the recaptcha verification needed to be inserted in the middle of the method logic...

#24 Updated by Shane StClair about 9 years ago

Note: the plugin currently only handles user self registration and not anonymous issues. It shouldn't be too hard to apply the same method to the issue view and controller, though.

#25 Updated by Vianney Lecroart about 9 years ago

Thank you Shane StClair for your nice plugin with recaptcha. I really hope one day this thing will be in the main redmine repo (with, why not, an option).

#26 Updated by G N about 9 years ago

Thanks for this plugin. Perhaps it should also protect the "Lost Password" form as this can be abused too.

#27 Updated by Derek Montgomery almost 9 years ago

I could not make it work with current trunk, anybody had more success?

#28 Updated by david austin almost 9 years ago

I also support adding a capthca as we get a lot of anonymous spam ticket posts

#29 Updated by Jean-Claude Wippler almost 9 years ago

Nearly three years onwards, with no resolution of this "New" issue.

Could someone with the appropriate fu-level please flag this issue as rejected, abandoned, shelved, or somethin' ?

#30 Updated by Sebastian Skuse almost 9 years ago

+1. This is the only issue I have with this software. We need it to be open, but get a fair bit of spam through it.

Jean-Claude Wippler wrote:

Nearly three years onwards, with no resolution of this "New" issue.

Could someone with the appropriate fu-level please flag this issue as rejected, abandoned, shelved, or somethin' ?

#31 Updated by Jean-Claude Wippler almost 9 years ago

+1. This is the only issue I have with this software. We need it to be open, but get a fair bit of spam through it.

I wonder how much spam this forum itself gets, see #6991 for an example which hasn't been cleaned up for a month.

It would seem to me that keeping spam out instead of having to clean it up afterwards is less work, in the long run. Not to mention the time to deal with discussions like these.

Having said that, my sympathies go to Jean-Philippe - apart from one other contributor working on SCM systems, he appears to be the only one working on Redmine. I hadn't realized until now that it's essentially a one-man show.

#32 Updated by Christophe Bourcier almost 9 years ago

The plugin redmine_recaptcha works great on redmine 1.1.0. http://github.com/srstclair/redmine_recaptcha

I just had to replace in the file vendor/plugins/recaptcha/lib/recaptcha/client_helper.rb, line 39:

return html.html_safe
by
return html

But some captchas are tough to solve.

#33 Updated by Shane StClair almost 9 years ago

Christophe Bourcier wrote:

I just had to replace in the file vendor/plugins/recaptcha/lib/recaptcha/client_helper.rb, line 39:

return html.html_safe
by
return html

Thanks Christophe! I haven't been able to test this fix, but I updated the plugin with this fix. Hopefully that resolves the issues that people have been having with newer versions.

https://github.com/srstclair/redmine_recaptcha

#34 Updated by Shane StClair almost 9 years ago

Update: confirmed compatibility with current trunk (1.1.1.devel.4802) and moved reCAPTCHA key settings to Administration/Plugins/Configure.

http://www.redmine.org/plugins/redmine_recaptcha

#35 Updated by Ted P almost 9 years ago

Christophe's fix needs to be done in ambethia's recaptcha (helper) plugin.

Someone already made the pull request: https://github.com/ambethia/recaptcha/pull/31

#36 Updated by Ashraf Amayreh over 7 years ago

Guys. I'm getting no less than 3 spam issues/replies to issues per hour! around 72 per day. I don't know ror, but I'm willing to patch, follow instructions, and break anything to get a captcha in there if I'm given the steps! HELP!

#37 Updated by Shane StClair over 7 years ago

You might try this fork of my captcha plugin:

https://github.com/egroeper/redmine_recaptcha

From the commit comments it looks like he added captchas to anonymous issues, but I haven't experimented with it. If it works for you, please report back and I'll try to incorporate his changes.

#38 Updated by Ashraf Amayreh over 7 years ago

Afraid not. It broke my redmine issue page (titles aren't appearing). Wonder how to uninstall it? Adding or replying to issues didn't introduce a captcha either :( Now I'm getting around 12 spams/hour. This is driving me nuts :(

#39 Updated by Shane StClair over 7 years ago

Try ruby script/plugin remove redmine_recaptcha from the Redmine directory.

#40 Updated by Tom Vogt over 7 years ago

Please add my voice to that. I was very happy with redmine until I realized no less than 3 spam accounts registered within the past 24 hours, and aside from setting signup to manual activation couldn't find a feature to stop them.

Seriously, any tool with anonymous contributions (issues, comments, even user pages) that doesn't contain anti-spam filters should be considered fundamentally broken.

#41 Updated by Jean-Claude Wippler over 7 years ago

Please, please, please add (re)captcha support to Redmine as built-in. It drastically reduces automated spammer signup.

And while I'm at it: please add Akismet support as built-in as well. It does marvels at filtering nonense entries.

#42 Updated by Ismael Morales Alcaide about 7 years ago

Anything new about this issue?

#43 Updated by Toshi MARUYAMA over 6 years ago

  • Related to Feature #2340: Self-registration needs captcha added

#44 Updated by kittybe11 kittybe11 almost 3 years ago

Post moderated by Mischa The Evil, 02-02-2017; awaiting deletion.

#45 Updated by Robert Pollak almost 3 years ago

I guess the above spam comment means "+1" :)

#46 Updated by yac yac over 2 years ago

https://github.com/yaccz/redmine-spam-users might be useful once you have too much spam accounts to deal with manually.

#47 Updated by Anonymous over 1 year ago

+1

Also available in: Atom PDF