POLL, please comment if you have an opinon:
Codeberg.org is being spammed by users using one-time/disposable email services and TOR connections. These spam projects with thousands of bogus issue comments, cause pain for project owners, and spam their notification email inbox. Also, Codeberg's SMTP reputation is harmed.
We consider disabling access via TOR and one-time email providers to maintain smooth operation for all users.
What do you think? Is there a better approach?
Please have your say.
I do understand the practical problems (blockers, malware detection) and understand that people might have ideological issues with 'mining'.
But requiring a proof of work is defendable to your audience, I'd say.
@berkes You say a captcha per issue? Hmm ... not sure what to think, also there are very legitimate use cases to create issues via API, for example from CI.
@codeberg technically, an API could require a proof-of-work. I'm not aware of existing libraries or implementations.
The client (including the web-version) would then need to 'mine' some hashes before submitting a request(I.e. hashcash). Acting as captcha for API and web. Costing a normal user tiny amounts of electricity and delay, but bots large amounts of resources.
And if those hashes then bring in some micropayments, its a win-win.
@codeberg to clarify: each request needs such a PoW in a header or as part of the payload.
But this sounds like a big project on its own. Maybe others have built this already? Could be in the form of a HTTP proxy even.
@berkes It would be really interesting to build hashcash using a more modern PoW like Cuckoo Cycle and actually implement it in Gitea as DoS prevention.
For APIs it's a bit tricky to require your users to implement it themselves. If Gitea has client libs, it could be done.
@codeberg how about plain rate limiting? Like one request per 5 seconds.
(instance image by мøтħer ¢røω)