[SAC] another ongoing spam storm

Sandro Santilli strk at keybit.net
Mon May 2 23:39:45 PDT 2016


On Mon, May 02, 2016 at 09:02:40PM -0400, Alex M wrote:

> Is it all Trac instances or specific ones?

Authenticated sessions from the offending accounts occurred
in postgis and ubuntugis. Edits were only in PostGIS due to
your blocking UbuntuGIS before.

> The trac-admin command line turns out to be pretty good for this,
> including killing sessions.

I'm using a possibly dangerous but effective script that from
a list of known spammers removes anything authored by them.
I guess it could be improved to limit the deletion within a certain
amount of time. The script is in /var/www/trac/emergency_clean.sql
and put under a local git repo.

> Examples:
> See the sessions
> trac-admin /osgeo/trac/ubuntugis/ session list
> Make a list of users from the results and pipe it to the session delete
> trac-admin /osgeo/trac/ubuntugis/ session delete baduser1 baduser2
> Look up the permissions (Save a copy so you can tell what to put back later)
> trac-admin /osgeo/trac/ubuntugis/ permission list
> Lock out everyone but admins from making edits
> trac-admin /osgeo/trac/ubuntugis/ permission remove authenticated '*'

Thanks, this is useful.
The script additionally (but with manual edit) lets you get a list of
the first 10 characters in wiki edits to verify they are all spam.

> Take the list of badusers and pass it to Martin to remove from LDAP (we
> could come up with a better way to do this). It would be nice to
> actually dump those records first so we can look for patterns in IP,
> email etc.

+1 for dumping them first.
Or having a way to put them "on hold" (i.e. disallow logging in while
still keeping them in the db), but it may be harder due to the
different ways services might be querying the db for who has
permissions.

--strk;
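
Added example, not part of the original message and not the emergency_clean.sql script it mentions: a sketch of the two ideas discussed above, a deletion limited to a time window and a preview of the first 10 characters of each affected wiki edit. It runs against a constructed in-memory SQLite stand-in for Trac's wiki table; the reduced table layout, the microsecond timestamps and the user names are assumptions.

```python
import sqlite3

# Constructed stand-in for Trac's wiki table (only the columns used here).
# Assumption: `time` holds microseconds since the epoch, as in Trac 0.12+.
SCHEMA = "CREATE TABLE wiki (name TEXT, version INTEGER, time INTEGER, author TEXT, text TEXT)"
US = 1_000_000

def _where(spammers):
    # One bound parameter per author, plus the two window bounds.
    marks = ",".join("?" * len(spammers))
    return f"author IN ({marks}) AND time BETWEEN ? AND ?"

def preview(db, spammers, start, end):
    """Return (name, version, author, first 10 chars) for edits that would be removed."""
    sql = ("SELECT name, version, author, substr(text, 1, 10) FROM wiki WHERE "
           + _where(spammers) + " ORDER BY name, version")
    return db.execute(sql, (*spammers, start * US, end * US)).fetchall()

def clean(db, spammers, start, end):
    """Delete the listed authors' wiki versions inside the window; return the row count."""
    with db:  # single transaction: commit on success, roll back on error
        cur = db.execute("DELETE FROM wiki WHERE " + _where(spammers),
                         (*spammers, start * US, end * US))
    return cur.rowcount

def demo_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = [  # constructed sample data
        ("WikiStart", 1, 1_400_000_000 * US, "alice", "Welcome to the project"),
        ("WikiStart", 2, 1_462_200_000 * US, "baduser1", "Cheap pills online now"),
        ("UsersWiki", 1, 1_462_210_000 * US, "baduser2", "Best casino bonus here"),
        ("DevNotes", 1, 1_300_000_000 * US, "baduser1", "Old edit outside the window"),
    ]
    db.executemany("INSERT INTO wiki VALUES (?,?,?,?,?)", rows)
    return db

if __name__ == "__main__":
    db = demo_db()
    window = (1_462_100_000, 1_462_300_000)  # epoch seconds around the incident
    for row in preview(db, ["baduser1", "baduser2"], *window):
        print(row)
    print("deleted:", clean(db, ["baduser1", "baduser2"], *window))
```

Running the preview before the delete gives the manual check described above; the older edit by a listed account stays because it falls outside the window.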

