How about limit new accounts?

I have read it and I see you believe that your proposed “solution” would resolve your mentioned problem.
If you carefully read what I wrote you may realise that I believe this whole thread has no merit since your solution will not resolve your mentioned problem. Also I wanted to point out that your “solution” was only narrowly examined and have not considered the wider context and consequences.

Also it usually does not matter who wrote something; I am debating the message, not the messenger.

Limiting accounts rights on our database is a common approach industry wide. You’re honestly the first one that I hear say it doesn’t go towards solving the problem. I’d love to know why you think so.

Here is my rationale:
A new account would be useless to do any real damage if sufficiently limited. Nothing a local maintainer could not fix in short order.
Creating many new accounts is equally useless, it multiplies a blunt instrument leaving you with an equally blunt instrument. You’d need 100000 accounts to do what the attacker has been doing.

What is the problem and how would you solve it?

1 Like

It is rather simple: about 30 years of experience.

(My most notorious example is Waze: new users can do nothing (including edits), and losing new user status requires a large amount of edits. It is a rather funny IRL catch-22. But there are numerous projects limiting new users to the extent that they have killed themselves due to the lack of fresh energy, while the old people lose (have lost) their motivation in the long run. Also the mood of the community erodes, become unwelcoming, and inflexible. But you don’t have to believe me at all, I am just shaing my memoirs.)

You may remember my question about specifics. Either new accounts are limited to the complete uselessness or they can do editing. If they can your suggestion will not stop bots creating whatever amount of new accounts and do whatever actions they want. Bots can create accounts by hundreds a minute, if you have not seen that it’s not because they cannot, it’s just because they haven’t tried. Other [more spam-popular] projects see that already, and they are trying more tailored approaches, usually concentrating the specific problems instead of “general solutions” (which doesn’t work well).

1 Like

That is a very valid concern. Which is why it bears repeating that we should keep above natural limits. This has been echo’d by various people in this thread. I also wrote just a couple of hours ago:

I think its a bit more nuanced. Look at the actual vandalism changesets. They have a LOT of changes, all over the world. Nothing that any natural person would make, nothing that a mapper that is only actually mapping for a couple of days (as per their account age) would make.

So were are not talking about black and whites. Instead we are talking about a normal beginning user making 100 edits in a changeset and these guys making changesets (like 140428044) that have 4000 changes over a huge area 6000km horizontal. This is not black/white, its mostly gray with a bit of black and white on the outer edges.
The limiting of a fresh user to the extend that they never actually notice will still have a huge limiting effect on spammers.

So, again, this is a valid concern. Thank you for prodding me to share my view on it.
I think the problem of limiting people to a painful amount is easy to avoid without losing the benefit that limits give. One way has been suggested in the OP (original post) with levels, and the intention clarified with the 10KM overview in my reply 157. The intention is something to agree on and maintainers can adjust limits to better suit what people actually use.

Have a nice day!

1 Like

A lot of the recent criticisms here seem to come in without the context that this thread started before the most severe parts of the recent vandalism wave, but understandably discussions merged. The arguments also seem to boil down to “that’s not a perfect approach, therefore don’t do it” rather than recognizing that defenses against abuse are always necessarily layered (see defense in depth). The existence of windows on my house does not make my doors unworthy of locks. They just need nuanced controls, which is what OP is asking for and what Mateusz is saying the operations team is working on. If anything, this thread has proven that the community is full of ideas of potential approaches that could be taken. Even if none of them is perfect, some blend of them will probably help.

This item in particular stuck out to me. Surely, if the smarter solution is to do many smaller edits, the vandals would already be doing that rather than making mass edits? To keep going with my locks analogy, it’s like saying that the best way to detect that someone has broken into my house is if my furniture is all gone. I’d personally prefer they do less damage in one go. We should lock out (and maybe have?) the largescale edits and invest in our QA tools in response, and we should have community dialog about what controls are appropriate.


In the end, it would not matter much, how many accounts were used to take the furniture out when you return home, a single one, a dozen? If I understand correctly, accounts have been made more expensive to mitigate that.

1 Like

@SomeoneElse Again saidThat | OpenStreetMap

Already blocked! :grinning:

There is more than one account :frowning:

Yep, we’re already across them

In the last few days I can see:

 Emerald Path
(8 rows)

(and there was one more later that night)

(1 row)
1 Like

Taking one of those as an example, you can see how the account was used for “legitimate edits” previously before vandalism this evening:

changesets=> select id,num_changes,created_at from osm_changeset where user_name = 'Emerald Path';
    id     | num_changes |     created_at      
 138547353 |          40 | 2023-07-15 14:33:59
 138547405 |          15 | 2023-07-15 14:34:43
 138547443 |           9 | 2023-07-15 14:35:37
 141360798 |           1 | 2023-09-16 22:33:34
 141361157 |           0 | 2023-09-16 22:54:12
 141361391 |         182 | 2023-09-16 23:03:26
 141361396 |         147 | 2023-09-16 23:03:44
 141361403 |         153 | 2023-09-16 23:04:01
 141361410 |         284 | 2023-09-16 23:04:18
 141361412 |         505 | 2023-09-16 23:04:36
(10 rows)
1 Like

It does. But now you must pay for lock mounting and tenants from now on must always carry a key in a pocket, while thieves still can freely enter your house through window. You could invent difficulties to fair users while not preventing evil users from do damage.
Users should earn reputation. Protected objects should be edited by users with proven reputation only. Important objects should be protected, especially objects with names rendered in tile maps on a large scales.

I tried to push something like that in topic Earning trust as Newbie but failed.

Still, I do not think consumers should have the say.

World is not “black or white”. Locking doors is still very important. While everybody can walk through doors, only few will be physically able to enter through a window. So doors are improving security of your house greatly. Mild inconvenience of carrying the keys reduces the number of people that can stole something from 100% to maybe 5%. Isn’t it worth it?
The same goes with cybersecurity. While we are unable to prevent all attacks or acts of vandalism we can make it as difficult as possible, so only few people can vandalise. It does improve the security of our data.

1 Like

So in the Netherlands there is someone who has been opening dozens of anonymous notes filled with long angry tirades, insults and even threats because we aren’t removing the private footways in their neighbourhood. They have been doing this for well over a week by now, and are no showing a sign of stopping. no matter how much people try to explain or reason with them.
See: Note: 3902872 | OpenStreetMap

This is possible because anonymous people are able to continuously spam notes. A limit on anonymous notes would help, or maybe even disabling them alltogether. Though of course the latter is a tad extreme, and I don’t know how possible the first is. So I’d like to hear what others think about this idea.

A select few of the notes in question (all google translated to English from Dutch)
image image image image image image

Also see this thread that started 3 years ago about the same neighbourhood and recently became active again Mapper beroept zich op uitspraak van Raad van State.Gaat dat OSM aan?

1 Like
  1. note comments by anonymous were disabled already due to a dedicated troll spamming single letter comments on repeat (mostly in Eastern Europe/Western Asia)

  2. I am using OpenStreetMap_cleanup_scripts/ at master - OpenStreetMap_cleanup_scripts - to deal with some trolls/vandals/test edits. Maybe there are some phrases (like one in top-left note?) that appear repeatedly and never in valid notes? Allowing notes to be closed (and reviewed after closure by human, still faster than catching it manually).

If you send me via PM some repeated insults that never ever will appear in useful notes then I can add to what I am closing semi-automatically (see Notes submitted or commented on by Mateusz Konieczny - bot account | OpenStreetMap for what is closed, notes after closure are reviewed)


Thanks for the offer. I’ll try to see if I can find some words when I have the time and will PM these to you.

Personally, I’m not convinced that anonymous notes (any anonymous notes, not just angry tirades or spam) are a net benefit to the project. At best even well-meaning ones can only be a “prompt for a local mapper to survey”, since we can’t take an anonymous contribution on trust.


in Poland some were very valuable. For example:

  • pointed out vandalism
  • revealed seriously outdated info, fixable with aerial imagery and/or other sources
  • in the end someone joined as a mapper

(but overall benefits may be small or none or negative, but best case scenario is better than that)