Preventing spam on trac

Note: There is a HOW-TO written up to show users how to deploy the information in this article.

The Exaile website and project uses trac to manage the homepage wiki, and ticket system. Trac is a great product, but a lot of users end up getting spam at some point.

We solved this problem for a while by installing two spam filtering plugins, and installing Trac's Account Manager Plugin. This requires a user to register for the site before they can post tickets and/or make comments on existing tickets (the default behavior for trac is to allow anyone at all post).

Spam bots and otherwise started getting around this anyway.

One of the Jokosher developers is a user of Exaile, and he found out about our dilemma. He told us how they managed to stop spam.

They simply added a field to their registration form that says "What is the name of our audio editor?". The answer is so obvious. Jokosher is the name. It's in the domain name of the site. It's in the logo at the top of the page.

They claim this stopped spam all together, even better than an image captcha. The idea is that even if a bot can't get around the registration, spammers will employ human spammers for special exceptions. An image captcha doesn't prevent spam from these people at all... they can see the answer right in front of their eyes. However, it's probably not cost effective to make them look around for something a legit user would already know.

I made some changes to Trac's Account Manager. I added a field that says "What is Adam's IRC nickname". My nickname is in several obvious places on the website, not to mention, there's a two click way to get into the IRC channel via CGI::IRC. In future releases of Exaile, a keyword will be available in the Exaile about dialog which will be required to register.

I've written up a howto on modifying the plugin.

Note: I only just deployed this on our site. I'll keep you updated on how it works out.