-
ave
Hey all, how do you secure your web registrations? I've used captchas before (hcaptcha, recaptcha) on our git instance and while it helped reduce spam registrations, we still got hundreds of spam registrations at times, and eventually had to shut off registrations entirely. Does anyone have a solution that is reasonably safe? I had considered rolling custom image captchas for inband registration prior to multimodal AI models being widespread but now that seems like it's not going to be as successful.
-
Kris
Invites
-
Kris
Or linking accounts to other platforms that have better tools for vetting registrations.
-
MSavoritias (fae,ve)
yep. open registration can't be fixed.
-
Kris
Captchas are indeed mostly pointless these days.
-
MSavoritias (fae,ve)
after the first few invites you have like 20-50 trusted accounts you can potentially use some kind of vetting/reputation system to invite new people so you don't manually have to do it
-
MSavoritias (fae,ve)
i think it can be done somehow in xmpp but idk specifics
-
Polarian
I was thinking about this issue myself, as I did want to become a public provider (until the legal paperwork scared me away), has anyone tried using a mailing list, and manually approving each person? or not even a mailing list just an email account... A short email conversation should be enough to detect an AI or a human, problem is if you get thousands of applications a day, you wouldn't handle the workload
-
Polarian
it's how piracy trackers keep their trackers secure, and it seems to work decently
-
Polarian
I doubt people would want to join a jitsi call and have a full on interview for an XMPP account though :P
-
Menel
Prosody has invites and can be allowed to let people be invited by members of the server. What's missing is a reputation system. But what it has as a start is a module to track invites. That's only a stub. But could (and should 🙂) be developed so an admin could see and ban a whole "tree" of invited contacts, if a spammer invites its bots etc.
-
Kris
There is an old likely defunct prosody module for that
-
Kris
Called endorse chain
-
Kris
https://gitlab.com/Warr1024/prosody-mod-endorsechain
-
Kris
If someone wants to revive it.
-
ave
Right now we have manual invites
-
ave
as in, contact staff to invite someone
-
ave
It would definitely be nice to add an invite and reputation system.
-
Polarian
How would you implement it though
-
ave
> Or linking accounts to other platforms that have better tools for vetting registrations.
I considered this by putting new account registrations to manual review unless they use the big email servers, but most spam accounts we get on our git is hotmail and gmail :/
-
ave
I've also seen people generate twitter accounts en masse. They get blocked when tweeting but work fine for oauth. I guess one could check account age.
-
MSavoritias (fae,ve)
yeah you check how many followers, posts, follows, etc. they can't fake activity going back years
-
MSavoritias (fae,ve)
unless you are targeted of course for some reason
-
Polarian
Where do you draw the line though, at this point you are almost stalking people to vet them....
-
xa0.uk
the sensible choice is to adhere to the time-tested protocol: innocent until proven guilty