SourceForge Strengthens Anti-Spam Controls

By Community Team

We care about content quality and have recently stepped up our efforts to analyze patterns of Terms of Use abuse. One problem area we’re focused on is pure spam projects that are registered and then reused to sell shoes, herbal products, and home goods, or left empty for future reuse. Automated controls are key at our scale. Most of this abuse comes from newly registered users, and we do not want to impede legitimate project registration or established devs, so starting today we will perform phone-based verification the first time a user account is used to register a project for hosting at SourceForge.

Some of the finer points of our implementation, focused on achieving results while keeping the smallest possible data footprint:

  • Phone-based verification is performed using a reputable third-party provider (Nexmo).
  • We store a one-way hashed (SHA1) copy of phone numbers in our database, allowing us to identify repeat offenders using multiple accounts.
  • We do not store clear phone numbers in our database — numbers are used for verification only at time of first project registration.
  • Nexmo maintains transaction logs containing phone numbers, available to us for diagnosis of PIN code delivery problems.
  • Verification PIN codes are transmitted by SMS or voice and are good for five minutes.
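
A minimal sketch of the hashed-number lookup and five-minute PIN window described in the list above. This is an added example, not SourceForge's or Nexmo's code; the function names, the digits-only normalization, the six-digit single-use PIN and the in-memory stores are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 5 * 60   # the post states PINs are good for five minutes

seen_hashes = {}    # assumed store: phone hash -> set of account names
pending_pins = {}   # assumed store: account -> (pin, issued_at)


def phone_hash(raw_number):
    """Return the SHA1 hex digest of a phone number reduced to its digits.

    Hash lookups are exact-match, so formatting differences must be removed
    first or the same phone would produce different digests.
    """
    digits = "".join(ch for ch in raw_number if ch in "0123456789")
    if not digits:
        raise ValueError("no digits in phone number")
    return hashlib.sha1(digits.encode("ascii")).hexdigest()


def record_number(account, raw_number):
    """Store only the hash; return other accounts already tied to it."""
    digest = phone_hash(raw_number)
    accounts = seen_hashes.setdefault(digest, set())
    others = sorted(accounts - {account})
    accounts.add(account)
    return others


def issue_pin(account, now=None):
    """Create a PIN (assumed six digits) and remember when it was issued."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**6):06d}"
    pending_pins[account] = (pin, now)
    return pin


def check_pin(account, submitted, now=None):
    """Accept a PIN once, and only inside the five-minute window."""
    now = time.time() if now is None else now
    # pop() discards the PIN on any attempt, so it cannot be retried
    pin, issued_at = pending_pins.pop(account, (None, 0.0))
    if pin is None or now - issued_at > PIN_TTL_SECONDS:
        return False
    return hmac.compare_digest(pin, submitted)
```

Because phone numbers come from a small, structured space, an unkeyed digest can be matched back to a number by enumeration; a keyed hash (HMAC with a server-side secret) preserves the same repeat-account lookup.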

We have baseline registration metrics and will evaluate the effectiveness of this control over the next few days.  We’ll keep an eye out for issues during this rollout — feel free to contact us via Twitter @sfnet_ops or via ticket at https://sourceforge.net/p/forge/site-support/new/

Thanks for your continued support!