I noticed that a semiprotected page (editing restricted to autoconfirmed users) on Wikitech was spammed by a newly-created account. It turns out the reason is because labswiki is listed in fishbowl.dblist, which is intended for wikis with editing restricted to trusted accounts.
Anti-abuse measures impacted by this are:
- $wgAutoConfirmAge = 0, meaning all accounts would be auto-confirmed
- All logged-in accounts are explicitly granted the autoconfirmed and editsemiprotected rights anyway.
- $wgAccountCreationThrottle = 0, meaning spammers can create accounts without throttle
- $wgEmailAuthentication = false, which seems to mean that anyone can set any address on their account without confirmation.
- $wmgEnableCaptcha = false, so no captchas for spam edits.
- $wmgUseSpamBlacklist = false, so no blocking of blacklisted links.
- $wgNoFollowLinks = false, allowing SEO spam to potentially work.
Positive/intended effects of labswiki being in fishbowl.dblist seem to be:
- CentralAuth, GlobalUserPage, and other "global" extensions are disabled there. From a passing comment in T72311, I suspect this was the main reason for it.
- CentralNotice is disabled there.
- OAuth is disabled there.
- Local renameuser is allowed there.
- $wgUseNPPatrol is disabled there.
I see two sane options to fix this:
- Explicitly apply the "positive/intended effects" to labswiki.
- Create a new "nonglobal.dblist" to apply only the "positive/intended effects", with the only current member being labswiki.