For gitlab.com we use the external Spam Check endpoint to hook up to a system run by the Security department.
Table of Contents
[TOC]
The check is configured in the Spam and Anti-bot Protection section of https://gitlab.com/admin/application_settings/reporting. It can be turned off quickly with the "Enable Spam Check via external API endpoint" checkbox in the event it causes trouble.
Configuration of the rules in the spamcheck service itself is the responsibility of the Security department; as far as gitlab.com is concerned, it is a black-box service that we interact with via gRPC or web calls, and on-call SREs do not need to concern themselves any further with the implementation under most normal circumstances.
At this writing, Akismet is also configured, and the GitLab code base will take the most restrictive (DENY) from both services. Therefore, an issue being considered spam might be because of Akismet or the Security-run service. This configuration may also change in time; check the current settings to be sure.
The main GitLab Rails code base logs the verdict from all sources along with some metadata. These log entries are most easily located by searching for entries where the `json.spamcheck` field exists.
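An added example (not part of this runbook or of the GitLab code base) that ties the log search above to the "most restrictive verdict" rule: it filters constructed Rails JSON log lines down to those carrying a `spamcheck` field and attributes each DENY to Akismet or to the Security-run service. Only `json.spamcheck` is named on this page; the nested `verdict` key, the `akismet` field and the `target_*` fields are assumptions made for the example.

```ruby
require 'json'

# Constructed sample GitLab Rails JSON log lines (not real gitlab.com data).
# The runbook only names the `spamcheck` field; the nested `verdict` key,
# the `akismet` field and the target_* fields are assumed for this example.
SAMPLE_LOG = <<~LOG.freeze
  {"time":"2024-01-01T00:00:00Z","target_type":"Issue","target_id":1,"spamcheck":{"verdict":"ALLOW"},"akismet":{"verdict":"DENY"}}
  {"time":"2024-01-01T00:00:01Z","target_type":"Issue","target_id":2}
  {"time":"2024-01-01T00:00:02Z","target_type":"Snippet","target_id":3,"spamcheck":{"verdict":"DENY"},"akismet":{"verdict":"ALLOW"}}
  {"time":"2024-01-01T00:00:03Z","target_type":"Issue","target_id":4,"spamcheck":{"verdict":"ALLOW"}}
LOG

# The two verdict sources the runbook mentions: the Security-run spamcheck
# service and Akismet.
VERDICT_SOURCES = %w[spamcheck akismet].freeze

# Equivalent of the Kibana search "json.spamcheck exists" (Kibana prefixes the
# raw JSON keys with `json.`): keep only entries that carry a spamcheck field.
# The second sample line has none and is dropped.
def spamcheck_entries(log_text)
  log_text.each_line.map { |line| JSON.parse(line) }.select { |e| e.key?('spamcheck') }
end

# Names of the sources that returned DENY for this entry; a source that is not
# configured (no field present) is simply absent from the result.
def deny_sources(entry)
  VERDICT_SOURCES.select { |source| entry.dig(source, 'verdict') == 'DENY' }
end

# The Rails code takes the most restrictive verdict from all sources, so a single
# DENY from either Akismet or the Security-run service makes the outcome DENY.
def effective_verdict(entry)
  deny_sources(entry).empty? ? 'ALLOW' : 'DENY'
end

# One row per entry: the affected target, the final outcome and which source
# denied it. This is the attribution an on-call SRE wants before deciding whether
# to look at Akismet or to raise the case with Security (spamcheck).
def attribute_verdicts(log_text)
  spamcheck_entries(log_text).map do |e|
    { target: "#{e['target_type']}##{e['target_id']}",
      verdict: effective_verdict(e),
      denied_by: deny_sources(e) }
  end
end

if $PROGRAM_NAME == __FILE__
  attribute_verdicts(SAMPLE_LOG).each { |row| puts row.inspect }
end
```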
The spamcheck side can be observed here
More metrics will be added to Prometheus/Grafana in the future.
- Security documentation: https://gitlab.com/gitlab-com/gl-security/runbooks/-/blob/master/automation/spamcheck.md