Add mention notification threshold
Closed, ResolvedPublic


Someone accidentally transcluded an entire noticeboard page, and because of that notified every single person on that page.

Might be a good idea to add a threshold on the amount of people you can notify in a single save action. Seems like a nice trick to abuse an otherwise good feature for spam.

Version: master
Severity: normal
See Also:

bzimport added a project: Notifications.Via ConduitNov 22 2014, 1:35 AM
bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz48882.
TheDJ created this task.Via LegacyMay 28 2013, 7:40 AM
bzimport added a comment.Via ConduitMay 28 2013, 5:14 PM

bsitu wrote:

There is already a threshold to the number of people to notify in a single mention save action, it is 300

TheDJ added a comment.Via ConduitMay 29 2013, 11:16 AM

300 seems rather excessive to me. I think in general 10 should be more than enough. Alternatively there should at least be a "confirm", before sending something to 300 people.

bzimport added a comment.Via ConduitMay 29 2013, 5:32 PM

bsitu wrote:

(In reply to comment #2)

300 seems rather excessive to me. I think in general 10 should be more than
enough. Alternatively there should at least be a "confirm", before sending
something to 300 people.

Thanks for the suggestion, I will discuss with the team on a more reasonable number for the threshold. Maybe we can skip mention notification by detecting if a page is transcluded.

I am not sure about a "confirm", it's just a regular talk page edit, adding extra step upon saving may confuse users.

kaldari added a comment.Via ConduitMay 29 2013, 6:06 PM

Unfortunately detecting link transclusion is quite difficult and would probably require adding some hacks to core. Plus it would disable legitimate uses like {{ping}}. I would favor lowering the threshold instead. 10 seems a bit low, but I think I could live with 50 or maybe 20. I could imagine cases were someone would legitimately want to notify an entire list of users, but hundreds at once is probably excessive (and potentially abusive).

kaldari added a comment.Via ConduitJun 7 2013, 6:28 AM

Here's an example of someone using the mention notification to ping 53 users at once:

Derk-Jan, would you consider this an abuse of the feature or a reasonable, legitimate use?

TheDJ added a comment.Via ConduitJun 9 2013, 9:28 PM

It definitely is something entirely new. It's too benign for me to call it abuse though, the qualification excessive comes to mind, but that in itself for this one case does not make it abusive, nor a pattern of excessive usage.

I do think that if it is this easy to pull everyone and nobody into your discussion, and this would start happening more often, that people might be quicker to ignore their notifications, which would erode their value.

I also see no reason, why such an excessive usage (if required on occasion), should not require the user to 'batch' his mentions for instance. Excessive use might require excessive work on the part of the author.

bzimport added a comment.Via ConduitJun 12 2013, 9:02 PM

bsitu wrote:

Before we come up with a better solution, I reduced the threshold from 300 to 100, 300 is indeed excessive

Quiddity added a comment.Via ConduitAug 21 2013, 9:14 PM

False notifications based on accidental-whole-page-transclusion, are still getting reported regularly, eg.

Just a gentle nudge. :)

Add Comment