[Twisted-Python] Status of trac upgrade

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Wed Jun 18 18:43:45 MDT 2014


On 18 Jun, 10:59 pm, twisted-python at 2xlp.com wrote:
>
>On May 29, 2014, at 9:13 AM, Hynek Schlawack wrote:
>>So what *is* the status?  The current state is really hardly bearable; 
>>the spam is taking completely over. :(  Wasn’t there a successful dry 
>>run at the PyCon sprints?
>
>I recently had a similar problem.  I didn't realize a "one click 
>install" on my shared provider for a private SVN repo created a public 
>trac instance.  There were nearly 1MM spam tickets in a 700MB sqlite 
>database.
>
>I ended up killing all tickets; but was able to use a raw sqlite3 
>connection on the db file to get in there and analyze the tickets (and 
>delete them).
>
>Trac 1.0 has a spam filter -- http://trac.edgewall.org/wiki/SpamFilter
>
>Once upon a time, there was a mod_security plugin called ScallyWhack 
>that was dedicated to Trac spam.  It was officially supported by 
>mod_security and still has a reserved rules range.  Unfortunately, it's 
>disappeared off the net.
>
>I had to take my trac instance offline while working.  My install was 
>"known" to a few dozen botnets, and they kept hitting it.  Everything 
>would lock up.  If you can find any mod_security integration, I would 
>strongly suggest using it -- because you can have the rules trigger an 
>integration with fail2ban and just keep IP addresses/ranges from ever 
>touching trac.

This is a nice thought but I think it's entirely misguided.

Overcoming simplistic, automated obstacles is what spammers have been 
learning how to do extremely well for several decades now.  If you 
choose to participate in this arms race with them, you can win by putting in 
slightly more effort than them - from now until forever.

Considering the Twisted project apparently lacks even the ability to put 
a slight bit of effort even once (at least, not without gathering its 
strength to do so for two or three months first), this doesn't strike me 
as likely to happen.

Also, Apache isn't used anywhere on twistedmatrix.com so it would be 
rather difficult to deploy anything based on mod_security anyway.

Jean-Paul


