Phabricator account sign-ups now need manual confirmation

Great!

Please check out:
https://phabricator.whonix.org/people/query/approval/

Hi Patrick

Sent out e-mails to all on the Login

If you would like, I can take on this responsibility long term (check people/query/approval every day, send out are_you_bot_or_human e-mails). Also, if you like, I can post my e-mail on the forum so there is another POC for anyone who needs phabricator approval.

1 Like

Sounds awesome!

If these are “90%” suspected spam, it may even be better not to mail them.

Relax about this. Doesn’t have to be super quick. Happy about any support on this front even if just occasionally. (The idea is to keep expectations low so this doesn’t generate any unnecessary pressure.)

Btw we could also ask them to verify their mail if that helps to find out if they are real.

1 Like

How is this going? Have there been any real users?

By the way, obviously users who post useful stuff in the forums first and then confirm here that they created a phabricator account can skip being asked by e-mail if these are real.

Also, users from domains unlikely to be hacked, such as for example someone@qubes-os, could be let through without questions.

Hi Patrick

Surprisingly haven’t had anything other than bots. There have been a few that verified their e-mail through the auto-verify but they were temporary e-mail addresses (i.e. sharklaser.com) but no one has responded to any of my emails. I just ask if they could very briefly describe what they would like to report + look forward to working with you etc …

Ok

No problem. Hopefully we will get some real people. : )

1 Like

Things are going much better in regard to the bot situation. Since the 1st of March there have been only 9 account creation attempts by bots. This is down from an average of 2 a day prior to that. To top it all off, there have been several real users that have created accounts. :)

2 Likes

@Lilias

Tried 2x to send a phabricator Verify email.

Hi. This is the qmail-send program at vfemail.net.
I’m afraid I wasn’t able to deliver your message to the following addresses.
XXXXXXXXX

This is a permanent error; I’ve given up. Sorry it didn’t work out.
TLS connect failed: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Could you briefly (in a sentence or two) give a few details on what you would like to report. Thank you

Related:

https://forums.whonix.org/t/contribute-whonix-development-help-wanted-check-out-the-open-tasks-on-our-new-issue-tracker/861/2

1 Like

@0brand

I don’t have any issues to report. @TNT_BOM_BOM asked me if I’d be able to contribute to phabricator issues, but I’m not a developer I just do user support on the irc channel.

Hi Lilias

That’s good enough for me. Your phabricator account has been approved. I just had to confirm that you were a human (not a bot) and the same user requesting the account on phabricator. If you have any problems with login please let me know.

1 Like

Use captcha (there are a lot on the internet you can download and use) and email verification.

  • Not appropriate to ask the user what he wants to report, because he might have nothing in hand atm but wants to contribute by looking at the tickets first, then contribute later.

  • Not attractive for contribution. Imagine Lilias or any other user doesn’t have an account in the forum nor is willing to contribute in the forum, why should they come and say something here or register?

  • Any user/contributor may have a patch to upload but not be willing to answer what he’s going to report/do … etc.; there is no rational reason to answer any of that.

It’s a horrible mechanism to get rid of bots by doing this step.

Just dropping an email to adrelanos looks ok BUT this should be set as an alert or tag message in phabricator when the user is registering, NOT here. (I can’t imagine how an anonymous/foreign user is going to know this.)

I’ve since forgotten about this thread. The problem is that the actual policy that is being implemented is different from the one described in the first post in this thread.

How it works currently:

  • users can go to phabricator.whonix.org and sign up
  • phabricator doesn’t allow to restrict e-mail addresses for sign up. White list only but no black list of spammy ones.
  • @0brand sends users an e-mail and asks what they want to report.
  • In some cases @0brand can do an accelerated account approval without e-mail beforehand. (In case of unpublished known-non-spam indicators.)
  • If it’s a real user, account gets confirmed.

  • usually spambots pass e-mail verifications empty handed
  • spambots also pass captcha (there’s even commercial services for spammers where they get API access to super cheap labor solving captcha)
  • only captcha supported by phabricator is javascript depending google captcha
  • We don’t have anyone capable to improve phabricator. Just because something is available Open Source on the internet, doesn’t mean it’s feasible to combine it with existing web apps. Non-trivial.

2 Likes

I see, to that level the spammers reached just to spam our phabricator? That’s just wow.

So sad, hope the contributors understand this confirmation method.

I don’t suspect a targeted attack. It’s mostly just bots that search the internet and attempt spam wherever possible.

Hmm, Discourse doesn’t contain any captcha, only email verification. Why would phabricator differ in this case?

That could be answered by asking.

Why does Discourse do “…” differently than Flarum, NodeBB, Elkarte …?

Or

Why does Whonix OS do things differently than Tails OS?

Answer:

Different projects. Different developers. Different way of doing things.

Discourse is JavaScript based. Relatively new. Most spam bot code hasn’t been rewritten in JavaScript yet.

@phabricator

Your phabricator account has been approved. If you have any problems with login please let me know.

1 Like

@Xavier

Phabricator requires manual account approvals. Could you please give a brief overview of what you want to report along with the name that was used for account sign-up.

Please note, this is required before I can approve any account that uses a disposable email address.

1 Like

@0brand

Hi, I am sorry for using a disposable email, I’ve decided to move to a permanent email now (although I still can check a disposable one). I hope it is possible to change email in phabricator account just like here on forum (which I already did).
I’m not sure whether I really need a phabricator account right now, cause I’ve decided to make a forum post about my issue instead, it might need more discussion, I don’t know… The issue is about broken scurl wrapper original logic and its usage examples/instructions on Whonix Wiki.
I’m not a proper developer, just a regular Whonix user, just tried to go into it a little deeper, so that’s how I faced this issue. Maybe I’ll find more, maybe not, so not sure if it’s worth it to approve me. But at least I’m using Whonix on a regular basis, so maybe some day I’ll get more to report.

name that was used for account sign-up

I used the same name as here: Xavier

Xavier via Whonix Forum:

Hi, I am sorry for using a disposable email, I’ve decided to move to a permanent email now (although I still can check a disposable one). I hope it is possible to change email on phabricator account just like here on forum (which I already did).
I’m not sure whether I really need a phabricator account right now, cause I’ve decided to make a forum post about my issue instead, it might need more discussion, I don’t know… The issue is about broken scurl wrapper original logic and its usage examples/instructions on Whonix Wiki.

No worries, I just needed to confirm that you’re not a bot, and verify
that was your phabricator account. I sent an email to the address you
provided. So take a look when you get a free moment. If you have any
problems please let me know.

1 Like