0034408: Avoiding spam by adding option for Admin approval of new users - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0034408	mantisbt	security	public	2024-04-19 04:20	2024-05-04 04:46

Reporter	cas	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	N/A
Status	closed	Resolution	won't fix
Product Version	2.26.1

Summary	0034408: Avoiding spam by adding option for Admin approval of new users
Description	Given increased spam logins, there is a need to enable admin approval for new accounts. This can be easily build in into standard Mantis using a global config setting ($g_admin_approval = ON/OFF) and @ the moment of registering, keep the account disabled. In addition set the realname to "=NEW ACCOUNT=" so they can be found easily in the useradmin section. In case this is found useful, i can create easily a pull request such this can go inbto a future release.
Additional Information	Would be useful on this site too given the spam activity
Tags	No tags attached.

cas 2024-04-19 05:21 reporter ~0068833	In addition, password can only be activated after admin approval

cas 2024-04-19 05:49 reporter ~0068836	See pul request https://github.com/mantisbt/mantisbt/pull/1996

dregad 2024-04-20 20:30 developer ~0068845	@cas While I appreciate your contribution, I am unfortunately not at all convinced by the proposed solution, which I don't believe would be much help in addressing the problem. Manually checking and approving new accounts is a lot of work. FYI on mantisbt.org, we can get several dozens or even hundreds of new accounts per day, which is much more than we could possibly manage it is not always obvious to differenciate a spam account from a legit one, just by looking at username / real name (if provided) and email address Moreover, using the realname field to store some predetermined string (like `=NEW ACCOUNT=`) to identify accounts pending approval is really hackish way to do things. To do this right, an update of the user table would be needed: either a new approved flag or similar, or more complex but also more versatile, introducing some kind of status field with related enum (e.g. unverified, pending approval, active, disabled...) and possibly a workflow.

dregad 2024-04-20 20:37 developer ~0068846	FYI, we were discussing this topic internally a few weeks ago, and @vboctor proposed the idea of an anti-spam plugin which, while not ideal IMO as it would still require potentially a lot of manual work (like forums moderation), at least it can be done with some context, i.e. actual posts (issues / bugnotes). I'm thinking we probably need to build an anti-spam plugin. This would be triggered when creating an issue or a note and can trigger one of four actions: no-op (useful for channing), allow (to allow now), deny (to deny now), quarantine for review (to quarantine now). If all plugins int he chain return no-op, then issue is accepted. Allow/Deny are straight forward. Quarantine would add the inputs of the create issue / create note command + triggering user to a table. Then provide a UI for admins to triage and accept or reject. This will enable anti-spam plugin(s) to provide functionality like: If from banned IPs, reject. If language not English, quarantine. If content looks like spam or previously rejected content, reject. If user didn't submit N issues or notes that were previously accepted, then quarantine.

View Issue Details

Activities