Hi, I had to close the GIT system at git.ispconfig.org temporarily for new users. We get a huge amount of SPAM signups at the moment, mostly from Vietnam and the Philippines, that flooded the system with fake projects, fake groups, spam links and other kinds of SPAM content. I'll have to clean up the server which will take some time as thousands of accounts need to be checked and verified, the antispam functions from Gitlab are not very effective. Till
And thanks to glorious GDPR, we can not even use blacklist services or common central antispam content check systems anymore in Europe to check registrations against them in the future, as we hand out the so secret IP of the spammers *lol* Or to be more correct, probably we may use blacklist services when we have a checkbox "Dear spammer, do you allow me to check your IP, email, and username against an antispam database?", and if he denies, I'll have to let him through as users have the right to freely do their data protection decisions and such a decision may have no negative impact on the overall function of the service. Sorry, just p... off from GDPR, so take it with a grain of salt
I think there will be a solution. The legit interest/purpose of doing blacklist lookups to ensure better service quality shall outweigh.
Seems like you could make a case that not doing some spam prevention (blacklists ought to qualify) has an impact on the service, as evidenced by the fact that the service is right now unavailable to new users due to not having sufficient spam controls in place.
I guess it might be possible to use that argumentation in a privacy policy, but even then I need a dpo (AV contract in Germany) with the blacklist provider or antispam service as far as I know. So the trouble continues as many services either don't offer a dpo at all and/or are not located in Europe. But I'll try to find a solution. One thought that came to my mind is using the gitlab api to create new accounts instead of using the gitlab signup form, this allows me to make a completely customized signup form to e.g. bind signup at git.ispconfig.org to the existence of a howtoforge account with at least X messages or similar. This might probably distract some users from contributing, but I'll have to find a solution for the spam issue in the git tracker that really works.
Another thought, any blacklists that you download locally ought to be fine for use (of course, to be "good" they'd have to have a frequent/continual stream of updates to stay current). Start with https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt maybe.
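The local lookup suggested in the post above, as an added example that is not part of the original thread: the list is parsed once from a downloaded copy and each signup IP is matched in-process, so the address is never sent to a third party. The list format (one IPv4 address or CIDR block per line, `#` for comments) is an assumption, and the function names and sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed list format; the addresses are
# RFC 5737 documentation ranges, not real list content.
SAMPLE_LIST = """\
# constructed sample
198.51.100.7
203.0.113.0/24

not-an-ip
192.0.2.128/25  # trailing comment
"""

def load_blocklist(text):
    """Parse list text; return (networks, skipped) where skipped holds
    (line_number, entry) for lines that are not an address or CIDR."""
    networks, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            # strict=False also accepts entries with host bits set
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            skipped.append((lineno, entry))    # report, do not abort the load
    # collapse_addresses() cannot mix IP versions, so merge each separately
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return merged, skipped

def is_blocked(client_ip, networks):
    """True if client_ip is inside any listed network.
    Raises ValueError for input that is not an IP address."""
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack listener may report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    nets, bad = load_blocklist(SAMPLE_LIST)
    print("skipped entries:", bad)
    for ip in ("198.51.100.7", "203.0.113.200", "192.0.2.1"):
        print(ip, "blocked" if is_blocked(ip, nets) else "allowed")
```

In a signup handler the list would be reloaded whenever the downloaded file changes, which is the "frequent updates" point made in the post.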
Registrations are enabled again. We have a quite strict setup now, public user profiles do not exist anymore as they were mostly used to put spam links on, when you access a user profile, then you get redirected to the index page automatically. Same with groups, we actually never user and group features. New users are set to external and are not granted to have their own sub-repository anymore. Hopefully, this will make the git system unattractive for spammers without being a burden for regular users. It would be nice if Gitlab would have features to disable profile fields like website address, but I have not found anything in this regard yet. We still grant repositories to active developers so that they can fork our code on git.ispconfig.org and maintain their own fork, please contact me if you need a repository, I will activate it for your account manually then. If you encounter any problems beside the unavailability of user profiles and groups, then please let me know so we can check and adjust the setup.
FWIW I ran across this: That's from https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/ and seems it would likely fit the use of checking an ip address against a blacklist. Also: I'm not an attorney, that's just my take as I read it.