If you are running your own GitLab CE or EE instance with public registration on you've most likely encountered some form of abuse of your own. This could range from bots or people spamming your Issue trackers, creating spam profiles, distributing malware or obscene content.
Lucky for you, you're not the first and we have some knowledge to share.
Not all of this might be a applicable to your situation, so use what works for you leave the rest.
If you know something we don't or just want to share your solution to abuse prevention solution, feel free to open an MR to add to this page!
GitLab uses Akismet Spam filter to check for spam when users create issues and reCaptcha as an added level of spam and abuse prevention.
This tooling helps respond to the symptoms of abuse, but the root of the problem remains: malicious actors register new accounts, or take over existing accounts and then use the accounts to spam and abuse instances and projects.
So, what more can you self-hosted Admins do to prevent and mitigate spam?
Hosted instances of GitLab can reduce spam by making it more difficult for bots to automate account creation or takeover. Requiring 2FA for all users is one way to prevent legitimate users from having their accounts taken over and used to create spam.
Sign-up restrictions will allow self-hosted Admins to:
Customizing your instance configuration can go a long way to discouraging and reducing spam and abuse. This includes defining how users access your instance and who can have access.
It’s also key to understand how users can report abuse from other GitLab users to GitLab self-hosted Administrators, the actions that self-hosted Admins can take against abusers and how abuse reports are managed and resolved by Admins.
For any abuse prevention feature requests and suggestions for CE and EE, please create a Feature proposal Issue from the provided templates in the GitLab Project and add the ~"Abuse Prevention" label. Feel free to us for additional input
@gitlab-com/gl-security/security-operations/trust-and-safety or if you have any questions.
Please see the Contact Us section on out Team page for details on reaching us.