[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

phabricator account sign-ups now needs manual confirmation


#1

Due to recent and ongoing spam bots targeting phabricator.whonix.org, I set to manually enable all accounts.

If you want to contribute to phabricator.whonix.org, please drop me an e-mail to adrelanos@riseup.net and I’ll enable your account.

Otherwise phabricator discussions have been exemplary and no restrictions on who can post what are needed. Anyone is still welcome to contribute there, but real persons and no advertisement bots only.

Update:


Two PDF privacy/anonymity risks (and possible Whonix suggestions)
Terminal-only contribute
#2

Anyone up to help out with the approval queue? Which ones of this list are the legitimate ones? Could you contact them by e-mail and see if they make a sensible reply what they are going to report?

https://phabricator.whonix.org/people/query/approval/


#3

Hi Patrick

Anyone up to help out with the approval queue?

Is this something only privileged users can do? I don’t have a phabricator account but if this is something I can help with please let me know.


#4

0brand:

Hi Patrick

Anyone up to help out with the approval queue?

Is this something only privileged users can do? I don’t have a phabricator account but if this is something I can help with please let me know.

Yes. Please sign up.


#5

Hi Patrick

Please sign up

Done!


#6

Great!

Please check out:
https://phabricator.whonix.org/people/query/approval/


#7

Hi Patrick

Sent out e-mails to all on the https://phabricator.whonix.org/people/query/approval/

If you would like I can take on this responsibility long term (check people/query/approval every day - send out are_you_bot_or_human e-mails ). Also If you like I can post my e-mail on the forum so there is another POC for anyone who needs phabricator approval.


#8

Sounds awesome!

If these are “90%” suspected spam, it may even be better not to mail them.

Relax about this. Doesn’t have to be super quick. Happy about any support on this front even if just occasionally. (The idea is to keep expectations low so this doesn’t generate any unnecessary pressure.)

Btw we could also ask them to verify their mail if that helps to find out if they are real.


#9

How is this going? Have there been any real users?

By the way, obviously users who post useful stuff the forums first and then confirm here they created a phabricator account, can skip being asked by e-mail if these are real.

Also users from unlikely being hacked domains such as for example someone@qubes-os could be let through without questions.


#10

Hi Patrick

Surprisingly haven’t had anything other than bots . There have been a few that verified their e-mail through the auto-verify but they were temporary e-mail addresses (i.e sharklaser.com ) but no one has responded to any of my emails. I just ask if they could very briefly describe what they would like to report + look forward to working with you etc …

Ok

No problem. Hopefully we will get some real people. : )


Two PDF privacy/anonymity risks (and possible Whonix suggestions)
#11

Things are going much better in regard to the bot situation. Since the 1st of March there has been only 9 account creation attempts by bots. This is down from an average of 2 a day prior to that. To top it all of there have been several real users that have created accounts. :slight_smile:


#12

@Lilias

Tried 2x to send a phabricator Verify email.

Hi. This is the qmail-send program at vfemail.net.
I’m afraid I wasn’t able to deliver your message to the following addresses.
XXXXXXXXX

This is a permanent error; I’ve given up. Sorry it didn’t work out.
TLS connect failed: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Could you briefly (in a sentence or two) give a few details on what you would like to report. Thank you

Related:

https://forums.whonix.org/t/contribute-whonix-development-help-wanted-check-out-the-open-tasks-on-our-new-issue-tracker/861/2


#13

@0brand

I don’t have any issues to report. @TNT_BOM_BOM asked me if I’d be able to contribute to phabricator issues, but I’m not a developer I just do user support on the irc channel.


#14

Hi Lilias

Thats good enough for me. Your phabricator account has been approved. I just had to confirm that you were a human (not a bot) and the same user requesting the account on phabricator. If you have any problems with login please let me know.


#15

Use captcha (there are alot in the internet you can download and use) and email verification.

  • not appropriate to ask user what you want to report , because he might have nothing in atm hand but wanting to contribute by looking at the tickets first then later contribute.

  • not attractive for contribution, imagine lilas or any other user dont have account in the forum nor willing to contribute in the forum why they should come and say something here or register?

  • any user/contributor maybe have a patch to upload but not willing to answer what hes going to report/do …etc, there is no rational reason to answer any of that.

its horrible mechanism to get rid of bots by doing this step.

just dropping email to adrelanos looks ok BUT this should be set as an alert or tag message in phabricator when user registering NOT here. (i cant imagine how anonymous/foreign user going to know this)


#16

I’ve since forgotten about this thread. The problem is that the actual policy that is being implemented is different from the one described in the first post in this thread.

How it works currently:

  • users can go to phabricator.whonix.org and sign up
  • phabricator doesn’t allow to restrict e-mail addresses for sign up. White list only but no black list of spammy ones.
  • @0brand sends users an e-mail and asks what they want to report.
  • In some cases @0brand can do an accelerated account approval without e-mail beforehand. (In case of unpublished known-non-spam indicators.)
  • If it’s a real user, account gets confirmed.

  • usually spambots pass e-mail verifications empty handed
  • spambots also pass captcha (there’s even commercial services for spammers where they get API access to super cheap labor solving captcha)
  • only captcha supported by phabricator is javascript depending google captcha
  • We don’t have anyone capable to improve phabricator. Just because something is available Open Source on the internet, doesn’t mean it’s feasible to combine it with existing web apps. Non-trivial.

Contribute! Whonix Development Help Wanted! Check out the open Tasks on our new Issue Tracker!
#17

I see , to that level the spammers reached just to spam our phabricator? thats just wow.

so sad , hope the contributors understand this confirmation method.


#18

I don’t suspect a targeted attack. It’s mostly just bots that search the internet and attempt spam wherever possible.


#19

hmm Discourse doesnt contain any captcha , only email verification why would phabricator differ in this case?


#20

That could be answered by asking.

Why does Discource do “…” differently than Flarum, NodeBB, Elkarte …?

Or

Why does Whonix OS do things differently than Tails OS?

Answer:

Differenent projects. Differnet developers, Different way of doing things.