[Savannah-cvs] [455] copy from recipe #140, with amendments and updates

[ineiev]

Revision: 455
          
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=455
Author:   ineiev
Date:     2021-12-24 04:30:21 -0500 (Fri, 24 Dec 2021)
Log Message:
-----------
copy from recipe #140, with amendments and updates

Added Paths:
-----------
    trunk/sviki/FightingSpam.mdwn

Added: trunk/sviki/FightingSpam.mdwn
===================================================================
--- trunk/sviki/FightingSpam.mdwn                               (rev 0)
+++ trunk/sviki/FightingSpam.mdwn       2021-12-24 09:30:21 UTC (rev 455)
@@ -0,0 +1,94 @@
+Savane provides several ways to protect trackers from spam.
+
+= Preventing Spam =
+
+Note: as of 2021, Savannah gets little spam in its trackers; the spammers
+seem to concentrate on adding unused accounts that are [[automatically
+deleted a few days later|IdleAccounts]].  The measures listed in this
+section may exclude potential contributions, so you shouldn't take them
+unless the real volume of spam you get is high.
+
+Savane can run *DNS blacklists* checks on all forms submitted by non-project
+members (NB: not activated at Savannah).
+
+Apart from that, there are a few options that can allow a project admin to
+prevent many spams.
+
+Spam are usually caused by anonymous robots.
+
+* A starting point to avoid spam is first to set
+tracker *Posting Restrictions* to a tough policy:
+** On every tracker that you feel dedicated to manage the project workflow,
+without end user's interaction, like the task tracker, set _project membership_
+as the minimal level of authentication.
+** On every tracker that need input from non-members, like the support
+tracker and the bug tracker, set _logged-in user_ as the minimal authentication
+level (it means that external contributors will have to create an account).
+
+* Another idea is too use the special *Lock Discussion* field. This field,
+that can be modified only by tracker managers, is complementary to the
+Posting Restrictions. When an item is set as _Locked_, only technicians and
+managers are still be able to post further comments. While it may be used to
+end a flamewar, it will obviously reduce the number of targets available to
+spam robots if you set one (or more) automatic transition update so whenever
+an item is closed, the item get additionnally locked. Obviously, this is
+useless on trackers where only project members can post.
+
+= Automatically Checking Potential Spam =
+
+Savane allows to *automatically check posted content with SpamAssassin*. (NB:
+not activated at Savannah).
+
+Any post that Savane feels need crosschecking by SpamAssassin (depends on
+site configuration) will be delayed, temporarily flagged as spam, when
+posted until it is checked in the following minutes.  If it is found
+to be spam, no notification will ever be sent, it will stay flagged as spam.
+
+= Removing Spam, Spam Scores =
+
+=== Spam Scores ===
+
+Any logged-in user is able, when he sees content (comment or item) that he
+believes to be spam, to *flag it as spam*. This will increment the spam score
+of the item.
+
+* If the reporter is _project admin_ on which the suspected spam have been
+posted, the spam score of the content will grow of 5.  If the reporter is a
+_project member_ on which the suspected spam have been posted, the spam score
+of the content will grow of 3.  If the reporter is _not project member_ on
+which the suspected spam have been posted, the spam score of the content will
+grow of 1.
+
+Any *item with a spam score greater than 4 is considered to be spam*.
+
+All users also have their own spam scores.  When users get one of their posts
+flagged as spam (spam score > 4), their score grows by 1.  User's spam score
+is used to determine the spam score of any new post.  In other words, someone
+caught 5 times posting spam will get all further posts automatically flagged
+as spam as soon as posted.
+
+Site administrators have a specific interface that will allow them to check if
+spam reports against a user were legitimate and will be able to take necessary
+actions accordingly (like removing accounts used to post spam or to mark
+valid posts as spam).
+
+It is also possible for project admins and site admins to unflag posts, which
+means they can reset the spam score of some content if they think there is a
+mistake.
+
+=== Removing Spam ===
+
+When a post is considered to be spam (spam score > 4), it is not removed from
+the database.  We do not want to loose data in case of false positives.
+
+However, comments that are spam are not shown, only a link remains
+for checking.
+
+Likewise, when browsing items, spam isn't shown unless you
+change the corresponding display criteria.
+
+If spam is posted as an item, it is automatically set to _Locked_
+so further posts are blocked.
+
+If the site runs checks with SpamAssassin, *flagged spam will be used to
+improve Bayesian filtering*.