Trac is nice and simple and clean and “suits me well” for now. I was able to quickly add custom fields and use them on the front page of my tracker. And it supports the ability for anyone to anonymously add a new ticket, which is the Holy Grail of getting feedback. But getting feedback includes getting spammed. I was getting a few spam tickets every minute, making things unusable. How to fix?

TracSpam to the rescue. It’s built into Trac, but it required some tweaking…

  1. Install Trac.
  2. Add this to trac.ini to make sure TracSpam is completely enabled, and restart Apache (required). I would remove any other tracspamfilter lines.
    [components]
    tracspamfilter.* = enabled
  3. Log in as admin.
  4. From the Admin -> Permissions page, add the TICKET_CREATE action to the anonymous subject.  Crazy, but I’ve gotten spam captured pretty well enough to make this work.
  5. Select Spam Filtering -> Capture, and make sure [x] Enabled is checked, and captcha type is Recaptcha.
  6. Go to Google reCAPTCHA and get some keys for your site.  Add them on the Capture admin page (and save them somewhere else).
  7. Select Spam Filtering -> Configuration, and enable “logging”, purged after 1 day. This should probably be called “monitoring”: you’ll now get feedback on the Spam Filtering -> Monitoring page.
  8. Take a look at the karma settings on Spam Filtering -> Configuration.

    Here’s what I found to be important:

    No matter what I did, I could not seem to be able to get the recaptcha to display when adding tickets.
    Eventually I was able to test things out because for some reason, I discovered that the BlogSpam service was marking me as spam.
    So I set BlogSpam karma high enough to force my anonymous tickets to be marked as spam.
    I set CaptchaSystem karma slightly higher than BlogSpam to get me past it on a bad score.
    I used a clean machine with no cookies to try to create an anonymous ticket.  No Recaptcha was displayed when entering the ticket.
    After hitting Submit, the BlogSpam score marked it as spam, and THEN trac displayed the recaptcha.
    I entered the recaptcha correctly, and the ticket was added.

    So it appears that a ticket is created anonymously, then the spam score is generated, then if it’s spam, the recaptcha is displayed, then the spam score is recalculated, then the ticket is added or rejected.  Even if the recaptcha is done correctly, the ticket will be rejected if the karma doesn’t increase enough.

  9. With this information, you should now be able to tweak Spam Filtering -> Configuration to get the job done.  It may take some monitoring to see what kind of scores you are seeing.  You also want to create some anonymous test tickets from some “good” IPs and make sure they get through.
  10. I would lean heavily on the Akismet score – if Akismet says it’s spam, I mark it as spam even if recaptcha succeeds.  And why not make them fill out the recaptcha to find out?  Ha, die spammer die.
  11. Don’t give too much karma to the SessionFilterStrategy.  If you browse twice from the same site, you’re in a trac session, which means you’ll get a third of the karma from this one.  Keep it low.
  12. I ended up setting the recaptcha score high enough to make up for 3 other filter failures, but not 4.
  13. Note that if you want to clear out the monitoring page, and you have tons of spam entries like I did, rework the url to show more tickets per page:
    (yourtracsite)/admin/spamfilter/monitor?num=500
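
The score, captcha, rescore flow and the karma balancing from steps 10 to 12, sketched as an added example (not TracSpamFilter code and not from the original post). The point values, the zero threshold and the filter names "Bayes", "IPThrottle" and "Regex" are assumptions chosen so that a solved captcha makes up for three small filter failures but not four.

```python
# Simplified model of the karma flow described in the post. All names and
# point values are constructed for illustration; this is not TracSpamFilter code.
from typing import NamedTuple

MIN_KARMA = 0          # assumed threshold: a total below this counts as spam
CAPTCHA_KARMA = 17     # assumed: covers three 5-point failures, not four
WEIGHTS = {            # assumed karma each filter can add (+) or subtract (-)
    "Akismet": 20,     # weighted above CAPTCHA_KARMA so its verdict is final
    "BlogSpam": 5,
    "Bayes": 5,
    "IPThrottle": 5,
    "Regex": 5,
    "Session": 2,      # kept low, as the post recommends
}

class Result(NamedTuple):
    accepted: bool
    captcha_shown: bool
    first_score: int
    final_score: int

def evaluate(verdicts, captcha_solved, weights=WEIGHTS):
    """verdicts maps filter name -> +1 (looks fine), -1 (looks like spam), 0 (abstain)."""
    score = sum(weights[name] * v for name, v in verdicts.items())
    if score >= MIN_KARMA:
        # Good enough on the first pass: the submitter never sees a captcha.
        return Result(True, False, score, score)
    if not captcha_solved:
        return Result(False, True, score, score)
    # Solving the captcha only adds karma; the total must still reach MIN_KARMA.
    final = score + CAPTCHA_KARMA
    return Result(final >= MIN_KARMA, True, score, final)

def flagged(*names):
    """Build a verdict map where the named filters all report spam."""
    return {name: -1 for name in names}

if __name__ == "__main__":
    cases = {
        "three small filters fail": flagged("BlogSpam", "Bayes", "Regex"),
        "four small filters fail": flagged("BlogSpam", "Bayes", "Regex", "IPThrottle"),
        "only Akismet fails": flagged("Akismet"),
    }
    for label, verdicts in cases.items():
        print(label, evaluate(verdicts, captcha_solved=True))
```

Passing a `weights` copy with a larger "Session" value shows why step 11 matters: a returning session can then tip four failures plus a solved captcha back over the threshold.
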

So far so good.  It’s so nice to crush spam, isn’t it!?  :-)

4 Comments

  1. m says:

    Still going strong, 250 spam attempts every day, all rejected as spam, and no false positives yet.

    UPDATE: two spam tickets snuck through. Very manageable with my script to remove blocks of tickets.

  2. m says:

    UPDATE: after a month or so, Bayesian filtering is now updated and completely stopping ALL SPAM, YAY. I haven’t had much in the way of real new tickets yet. To be continued.

  3. yomguy says:

    Thanks a lot for this info. It helped me a lot to tune my trac spam filter.

  4. m says:

    UPDATE: I upgraded to trac 1.0.1 and lost TracSpamFilter functionality. See the latest blog post for what I did to fix it up.
