00:29 <whot> i've disabled wkrsemails.com fro signing up now, that seems like 99% of the recently created ones

00:48 <whot> huh, and apparently that has no effect on signups

00:57 <whot> karolherbst: ruby rails console: counting 51k users in the last 7 days from wrksemails.com...

01:04 <kode54> you typed a different domain each time

01:04 <kode54> wrks vs wkrs

01:05 <whot> yeah, first one was a typo :)

01:05 <whot> it is wrks but none of the wildcard combinations I tried seem to have any effect, they still sign up

01:08 <kode54> maybe they're signing up with one address, then immediately changing it to another?

01:08 <kode54> in which case, you'll need to log what they're registering with

01:12 <whot> I don't think so based on the admin page for the users, but I can't find the logs for this in grafana

01:12 <whot> so not 100% that's what's happening

01:47 <whot> no, judging by the grafana logs gitlab still happily allows that domain and will send confirmation emails to it

03:11 <HansDR> Hi. Can anyone tell me how to contact the admin for gitlab.freedeskopt.org? I want to submit a merge request to virglrenderer, but need to be able to fork the repository first.

03:14 <whot> HansDR: https://gitlab.freedesktop.org/freedesktop/freedesktop/-/wikis/home#how-can-i-contribute-to-an-existing-project-or-create-a-new-one

03:16 <HansDR> Thanks. That's exactly what I was looking for.

05:31 <whot> ok, found it. for some reason our domain allowlist was set to * and the deny list doesn't take effect if anything matches the allowlist. so we allowed... everything

05:32 <whot> and numbers: 30k new users since 1 may, of which 27k came from 5 domains

05:32 <whot> that number is after I ran a batch job to delete *a lot* which gitlab is still working on, so could've been a lot higher

05:33 <whot> either way, a new spam account every 30s on average

08:47 <daniels> whot: oh, thanks for figuring that out - I had been wondering why the denylist didn't do anything :\

08:59 <karolherbst> whot: I wonder when we'll reach the point of just disabling email sign ups alltogether, though maybe the bots are smart enough to do social logins....

09:17 <whot> karolherbst: it's an arms race, can't win either way

09:18 <karolherbst> yeah, fair

09:18 <whot> daniels: I was a bit nervous removing that for fear of disabling everything...

09:18 <karolherbst> maybe we should just detect if a domain has that many signups in an hour to just block it and send an email to admins?

09:18 <whot> but we're ack to the more sane 1 spam accounts per hour rather than per 30s

09:19 <karolherbst> could have a script run every hour if that's not too expensive

09:19 <whot> https://paste.centos.org/view/e48883eb that's the list of domains used to sign up since 1 may. not sure the others are worth or even easy to detect

09:20 <whot> pretty sure sarah and jennifer are part of the same script...

09:20 <whot> karolherbst: we have a bunch of scripts runnig as cronjobs already to wipe the users, so running an extra one wouldn't be that hard

09:22 <karolherbst> yeah.. then I guess that's the best we could do if it's easy to automate it

09:30 <whot> you can get the data with an admin token via the rest api/graphql (though the latter doesn't include all emails for some reason) so this could be done from the outside even

10:58 <daniels> https://cgit.freedesktop.org/wiki/www/commit/?id=9b411d43c4d8964ca2bc0e19ed2cf605b2a187f9

10:59 <daniels> I wonder if this is something we should publish more publicly?

10:59 <emersion> in a more visible place? or in a news feed of some kind? (mastodon?)

11:03 <daniels> emersion: yeah, more visible to people who don't either follow the wiki RSS or poll the page every day I guess :P

11:50 <Consolatis> <whot> either way, a new spam account every 30s on average

11:50 <Consolatis> seems the captcha works great then (while still making life worse for legit users)

11:54 <daniels> Consolatis: sarcastic criticism is one of the best motivators anyone could ask for

11:57 <Consolatis> touché. its the one thing remaining for me as somebody who has no say in the operations of the fdo gitlab instance

12:03 <Consolatis> I already mentioned in the past the whole strategy of the fdo gitlab against spam is kind of pointless IMHO. Making signup harder will also reduce the onboarding of new legit volunteers but doesn't solve the spam issue as you can just rent some clickfarm. Instead, the reason that spammers sign up should be fought against. E.g. make every non-official project / fork / gist visible to logged-in users only. Same for comments of "untrusted" users.

12:03 <Consolatis> then spammers can sign up all they want and they get nothing out of it

12:50 <karolherbst> daniels: I was also wondering that about the maintainer guidelines there

12:50 <karolherbst> but if we could use the xorg mastodon/whatever account for that stuff that would be great

12:51 <karolherbst> Consolatis: they just post comments on the main repos then

12:51 <karolherbst> or file issues

12:51 <Consolatis> > Same for comments of "untrusted" users.

12:51 <karolherbst> sooo...

12:51 <karolherbst> users can't file bugs anymore?

12:52 <Consolatis> sure they can, but you can only see them when logged in

12:52 <karolherbst> it's just a technical limitation of gitlab

12:52 <karolherbst> so you need to create an account and log in before you can see if the bug you just see is already being handled/fixed? sounds like inconveniencing users to me

12:52 <karolherbst> but anyway

12:53 <karolherbst> either way is bad for somebody

12:53 <daniels> ^

12:55 <karolherbst> and the root cause for this is, that people thought LLMs are a fun idea, and now we all have to deal with nonsense AI spam bots 🤷 I wished we wouldn't have to, but so is life

12:55 <Consolatis> ^ members of official projects are by definition not "untrusted" so their comments would be visible to anybody, even without login

12:55 <karolherbst> yeah, but good luck implementing it inside gitlab

12:55 <karolherbst> we don't have the time for that

12:55 <karolherbst> you are free to add those things to gitlab

12:56 <Consolatis> so gitlab does not provide any option to make comments require login to see?

12:56 <karolherbst> correct

12:57 <karolherbst> at least not afaik

12:57 <Consolatis> got it, thanks

12:57 <karolherbst> moderation is super limited in gitlab already

12:57 <karolherbst> and there are more pressing issues to deal with first regardless

17:15 <DragoonAethis> Hmmm, how about having mandatory external approval for all new accounts?

17:16 <DragoonAethis> Automated, but custom, so that bots don't know how to break it by default (it doesn't have to be good, just annoying enough for spammers not to bother)

17:16 <daniels> that’s where we are tbh

17:16 <DragoonAethis> Ah, and it's still this bad, nvm then

17:34 <dcbaker> Do we have the GraphQL API enabled?

17:35 <daniels> yep

17:36 <dcbaker> Cool, thanks

17:38 <daniels> np

21:25 <whot> Consolatis: afaict the vast majority of those users did nothing but sign up and occupy resources, only few had a profile (which we scrub anyway) so I'm not quite sure what the point of all those was.

21:25 <whot> Consolatis: maybe "create 5000 users and one with a spam link in the hope no-one notices", maybe they did try to post spam but got blocked, etc.

21:26 <whot> Consolatis: either way, aside from the user creation there is very little spam that makes it through to our users so right now we're doing the right thing. because in the end, that's what we care about the most, not having every issue/pr spammed

21:26 <whot> karolherbst: i don't think there's been any AI bots yet, so far it's been standard spam only

21:28 <whot> DragoonAethis: external approval for new accounts means someone has to weed through hundreds of "i want a new account" emails and you're likely to miss the real ones. right now we allow for creation but purge regularly those users who don't do anything

21:28 <whot> it's annoying enough to keep up with the "please allow me to fork" requests and there's only a few of those a day

22:24 <karolherbst> whot: nah.. some of the bots replied in a very "I'm a user and have some valueable contribution to this issue" way, but then just had random links in it

22:25 <karolherbst> next time I see it, I could screenshot it

22:25 <karolherbst> but a few of those really feel AI like

22:25 <karolherbst> *look

22:35 <emersion> https://gitlab.freedesktop.org/drm/misc/kernel

22:35 <emersion> should we update the description?

22:35 <emersion> "For now only for issues."

22:43 <whot> karolherbst: I deleted a few of those (they do get caught by the spam checker) and they look much like cookie-cutter. I'd expect an AI to put more effort in than that :)