[GRASS-dev] Re: impending wiki spam bombing

Hamish hamish_nospam at yahoo.com
Tue Oct 2 03:18:35 EDT 2007 

Hamish wrote:
> > > over the weekend there were 56 new spambot accounts opened in the
> > > wiki
..
> > oops I counted wrong, make that 68 new accounts to ban.
Martin Landa:
> hm, too bad. Not sure how to avoid this situation. To allow creating
> new accounts only for sysops is maybe too restrictive...

We tried this for the GpsDrive wiki. IMO (as a wiki admin there
validating accounts) it IS too restrictive and a big mistake. It means
that just the usual core contributors contribute, the casual contributors
(ie potential future core contributors) don't bother. We were forced to
do it to stop the spamming though. :-/ I will push for captcha +
reopening it there if we find a good solution here. (both use MediaWiki)


Markus:
> Would it help to enable a captcha?

Yes. It would help solve our current problem of creation of fake accounts.

Markus:
> What about  http://www.mediawiki.org/wiki/Extension:ConfirmEdit  ?

Looks good! For ConfirmEdit I wouldn't like to turn on the captcha for
"all edits" as that would be too much of a burden, but apparently you can
do it for all edits which include external URLs and for new accounts,
which is an ok compromise.

And it seems those are the ConfirmEdit defaults already:
  $wgCaptchaTriggers['edit']          = false; 
  $wgCaptchaTriggers['create']        = false; 
  $wgCaptchaTriggers['addurl']        = true; 
  $wgCaptchaTriggers['createaccount'] = true;
  $wgCaptchaTriggers['badlogin']      = true;



Here is another MediaWiki captcha plugin to look at:
  http://recaptcha.net/plugins/mediawiki/


The official MediaWiki page uses a couple of plugins:  ("Other" section)
  http://www.mediawiki.org/wiki/Special:Version
  (ConfirmEdit, Newuserlog, and SpamBlacklist)

as does Wikipedia:
  http://en.wikipedia.org/wiki/Special:Version


Here is the MediaWiki Combating_spam man page:
  http://www.mediawiki.org/wiki/Manual:Combating_spam



Google found this page which mentions a MediaWiki plugin called "Bad
Behavior":
  http://meredith.wolfwater.com/wordpress/index.php/2006/01/04/wiki-spam-begone/
  http://www.bad-behavior.ioerror.us/2007/01/27/bad-behavior-2010/
  http://www.homelandstupidity.us/software/bad-behavior/installing-and-using-bad-behavior/on-mediawiki/

(shrug)

Markus:
> * Martin and me have updated Mediawiki to 1.6.10-SVN.

thanks guys.

> * I have removed all above mentioned bad users from the DB (they all
>   subscribe from the *same* email address for verification - how to
>   block that?).

(still 21 new ones today.. grrr) tricks in the mailer or /etc/ are
probably too invasive, it really needs to be stopped by the wiki software
somehow. Maybe some PHP hack? Unless there is an easy to edit email domain
blacklist for that, by hardcoding a solution we just solve today's
problem, not tomorrow's.

> * I have added that if "User-Agent" is empty, the user will be rejected
>   (let me know if you have problems with that).

I guess someone will one day complain, or worse go away without
complaining. no idea what the spambot pretends to be. The spam accounts
keep coming in today, so I guess that didn't stop it. :(

> * Bonus: thumbnail creation now works :) using something like
>     [[Image:wxgrass-gis-manager-layer.png|350px]]

nice to gain something positive out of this.




So can we try installing ConfirmEdit on the currently installed MediaWiki?


thanks for spending the time on this,
Hamish

More information about the grass-dev mailing list