Description
Is it possible for you to see if it they are using the email/IP and ban that email/IP from creating new accounts forever?
Here are some instances which I suspect to be from the same user:
-
the same user has likely been using the same technique at: https://github.com/sky8964/home/pulls and created 20+ such spams posts there:
- ghost341 UID 78239213 https://github.com/sky8964/home/pull/26 Note how this allows the user to create multiple undeletable "mentioned this issue" links on all issues of a this repository, and I can't apply my desired interaction limits there. I wonder if there is a way to fight that. Edit: someone also did the reverse attack: https://cirosantilli.com/china-dictatorship#bot-issue-mention-attack
- ghost181 UID 77916904 https://github.com/sky8964/home/pull/25
- ghost448 UID 77916904 https://github.com/sky8964/home/pull/24
- sun-xiaochuan UID 77494186 https://github.com/sky8964/home/pull/6
- hccfg UID 77396170 https://github.com/sky8964/home/pull/2
- tyugh UID 77336468 https://github.com/sky8964/home/pull/1
-
ghost563 UID 78134405 created You can't translate Tibetan because Google Translate doesn't have a "Tibetan" option. #190
And it has happened in other China repos too, possibly by the same user or group: vtuber-issues/home#575
BTW, this user also created #189 with the same title "You can't translate Tibetan because Google Translate doesn't have a "Tibetan" option." but the issue was somehow deleted? Wait, how is that possible? I thought users could not delete their own issues! https://webapps.stackexchange.com/questions/124031/how-can-i-delete-my-posted-issue-on-githubThe creation action appears on API, but I don't see any deletion. And I'm sure I didn't accidentally delete because you can see a message for that as admin. Was it a spam filter someone reported it?
- ghost181 UID 78139475 commented at "在拿枪的敌人被消灭以后,不拿枪的敌人依然存在,他们必然要和我们作拼死的斗争,我们决不可以轻视这些敌人" #172 and deleted the comment. TODO that comment referenced all issues with #, and according to my tests, the reference notices in other issues are not deleted when the comment is deleted, so why does it not show on all issues?
- kiwano-sakura UID 77907081 created Give you a suggestion (by https://www.pixiv.net/user/980067) #187
- lu-benwei-official UID 77527654 created 绞你妈的屄 老子把你妈绞在树上 傻屄东西 肏你妈的屄 你他妈给老子吃屎 你妈了个臭屄 傻屄东西你他妈杀四个人你叫 叫你妈个屄土东西 你个弱智 老子把你妈干翻 把你妈干在地上叫我爸爸 跪下来舔我包皮 傻屄东西 你只有一句话 只有肏你妈妈 啊 你只有肏你妈 还有别的话吗你妈了个臭屄 说话说你妈个屄我 傻屄东西 傻屄 你妈屄你是什么弱智东西啊 你闭嘴好不好 你除了肏你妈 还有什么 还有什么 你除了肏你妈还有什么 你妈被我奸杀你不知道吗兄弟 你知道你妈被我奸杀了吗 Fuck your mother's cunt #180
- kill-ciro-santilli UID 76736790 created 反日中国製品使用悪質不潔肥満豚Ciro Santilli https://www.pixiv.net/artworks/86079907 #177
- jsshc UID 76162350 created 宮野裕史です、人を殺します! #165
I've just enabled the "Limit to existing users" on the repository which I will now see if it helps (the user has already come on multiple separate days) I also recommend allowing increased times on those interactions to help with this use case:
- Add a permanent/forever option for "Temporary interaction limits" isaacs/github#1901
- Configurable new user time on "Temporary interaction limits > Limit to existing users" isaacs/github#1902
Request on the private GitHub tracker: https://support.github.com/ticket/personal/0/1000570
Just imagine if someone were to make a similar mentioned this issue attack on GitHub repos of the largest Chinese tech companies:
- https://github.com/Tencent
- https://github.com/Huawei
- https://github.com/alibaba
- https://github.com/baidu
All you would need would be:
seq nissues | xargs -n1 printf 'org/repo#%d\n' | xsel -b
Longest possible comment is only 65536 chars, and the above for example has about 6k, so you could attack about 10 repos at a time.
I don't know how to get the number of issues from the API https://stackoverflow.com/questions/33374778/how-can-i-get-the-number-of-github-issues-using-the-github-api but it can be done manually quickly I guess.
Edit: after 2 weeks, they said in the private tracker that they can't block IP addresses (which I understand, obviously because people change IP addresses, and because Tor exists so it won't matter). They did not say if they can block emails from signing up or not, which is the part that truly matters. I give up asking further for now, I cannot get that information out of support.
Thanks for taking the time to respond to us. At this time, we won't be able to assist with blocking the IP addresses.
Spammers, bring it on.
