"Login to Wikidata as QuickStatementsBot from a computer you have not recently used"
Open, High, Public

Description

Since yesterday, I keep getting automated emails (like, once an hour) with that subject, for both QuickStatementsBot and Reinheitsgebot, two bots of mine.

There are no unusual edits from either bot. I assume it's from the fix for T182722, since the start of the emails and the fixing of the bug coincide.

How can I prevent being flooded by these mails? Can someone else turn them off? One is OK, but not machine-gunning please...
(not sure where this belongs, please fix tags accordingly)

Magnus created this task. Dec 14 2017, 12:55 PM
Niharika added a subscriber: Niharika. Edited Dec 14 2017, 5:28 PM

@Magnus If the notifications are from a few wikis, you can turn this off in the Notification preferences. This feature was enabled by default for all wikis on the request of community members - see T174263.

Johan added a subscriber: Johan. Dec 14 2017, 7:35 PM

Maybe this should be turned off for users with the bot flag?

I started getting these emails for Legobot today at 3pm PST, so the timing is different than Magnus, but same exact symptoms. Ideally we'd hold bots to higher security standards so I'd hope there's a different solution than just disabling the feature :/

@Niharika and I discussed this in #wikimedia-commtech. She pointed out that LoginNotify will treat an IP as "old" if there is data in CheckUser tables for that address. Data is added to CU upon account creation, edits, and log entries. So if a script logs in and doesn't make any edits, that IP is not considered to be old, and upon the next login will still be seen as new. LoginNotify normally sets a cookie in browsers for this so if the device is trusted it won't warn again, but at least my script doesn't retain any cookies so that feature doesn't work.

@Magnus are your bots using normal password login or OAuth? And have they been making edits or just logging in?

@Magnus It seems it's only Wikidata you're getting notifications from? Could you turn them off in preferences?

Yes, ListeriaBot (which edits Wikipedia) does not cause those (so far), so only Wikidata.

And I would rather have someone fix this security-relevant feature than turn it off. If your anti-lock brakes make annoying noise, wouldn't you rather have them fixed than removed?

Yes, I would, but given the facts here...

  1. Nothing relevant changed with LoginNotify in the recent past.
  2. There was a Kubernetes related outage two days ago which coincides with when the problem started.
  3. Not all toolforge hosted bots are affected. @MusikAnimal pointed this out yesterday on IRC that his bots were not affected.

...the probable cause is that your bot is logging in using a new IP address every time which isn't getting logged in CU tables against your bot's account.

Given all that, I'd not say this task is "high priority". We or ToolForge folks would probably get down to the cause and fix it but it won't happen immediately. I suggested you disable the notifications in the meantime if it's a huge problem to you. That's all.

I started getting similar messages at the same time for a bot for which I am the contact on enwiki. I disabled the notification itself in preferences. Possibly default changed? The k8s incident T182722: Ferm changes on the host node break networking for Kubernetes pods seems in no way related to this.

I think https://gerrit.wikimedia.org/r/#/c/398511/ will fix this issue - we need to backport it.

Mentioned in SAL (#wikimedia-operations) [2017-12-16T00:44:58Z] <demon@tin> Synchronized php-1.31.0-wmf.12/extensions/LoginNotify/includes/LoginNotify.php: T182867 (duration: 00m 57s)

@Magnus are you still getting the emails? At least for me they stopped when the above patch was deployed.

If these are logins from tool labs, it's odd that LoginNotify::cacheLoginIP() isn't preventing the false positive, since it should always be basically the same IP (or at least in the same subnet)

From the debug logs it seems like no new notifications are being sent out for ListeriaBot or QuickStatementsBot. Is that correct, @Magnus?

> If these are logins from tool labs, it's odd that LoginNotify::cacheLoginIP() isn't preventing the false positive, since it should always be basically the same IP (or at least in the same subnet)

It rotates a fair bit. I see at least 7 different subnets in the debug logs.

Vituzzu added a subscriber: Vituzzu. Edited Mon, Dec 25, 4:23 PM

The same happens with my Irclogbot, only at es.wiki (out of the five wikis it operates on). The bot just reads the abuselog from the API without editing, confirming the "diagnosis" given above.

Magnus added a comment. Wed, Jan 3, 4:05 PM

@Niharika I have turned off notifications as per suggestion

@Vituzzu Is this still happening for you?

@Niharika
Looks like the same happens with my bot user sartle.wiki.bot (doesn't make any edits, only gets data) on www.wikidata.org. I had added a question about this to the support chart https://www.mediawiki.org/wiki/Topic:U50nm1rlhgajf7wd.

I use https://www.wikidata.org/w/api.php with the wikibase-api library (https://github.com/addwiki/wikibase-api) and three servers (prod/stg/dev) with different IPs that log in to MediaWiki through the API. The issue is a lot of notifications about logins from an unfamiliar device and IP. Can somebody explain how I can prevent it (except by turning off notifications)?

But now I'm not sure that the problem is related to different IPs. Probably I'll get the notification even if I use my bot user only from the prod environment.

The probable reason is that your bot only logs in and doesn't make any edits. The IP(s) don't get recorded in the CheckUser table that way and every log in is treated as being from a "new" IP. Unfortunately I don't have a solution for you except for either turning off the notifications for this feature (you don't have to turn off notifications for everything) or making a few null edits (on different logins) from the bot on a sandbox page. That'd make sure the few rotating IPs get registered in checkuser and are no longer "new".

There is an ongoing ticket for recording logins in CheckUser and that would probably help with this problem. However, that will take some time to get built.
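
The diagnosis and workarounds discussed in this thread, as an added toy model (not LoginNotify's code and not part of the original task): a login counts as known only if a trust cookie is presented or the account already has a CheckUser row for that IP. The `Wiki` class, `run_bot`, the cookie name and the sample IPs are all hypothetical.

```python
"""Toy model of the "known IP" decision described in this thread.
Not LoginNotify's code: class, method and cookie names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Wiki:
    # (user, ip) pairs; stands in for the CheckUser tables, which per the
    # thread are written on account creation, edits and log entries only.
    checkuser: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

    def login(self, user, ip, cookies):
        """Log in; notify unless the cookie or a CheckUser row vouches for it."""
        known = cookies.get("trusted_for") == user or (user, ip) in self.checkuser
        if not known:
            self.notifications.append((user, ip))
        # A browser would keep this cookie; a script with no jar drops it.
        cookies["trusted_for"] = user
        return known

    def edit(self, user, ip):
        """An edit is what puts the IP on record for this account."""
        self.checkuser.add((user, ip))


def run_bot(ips, rounds, *, edits, keep_cookies):
    """Return how many notifications a bot cycling through `ips` triggers."""
    wiki, jar = Wiki(), {}
    for i in range(rounds):
        ip = ips[i % len(ips)]
        cookies = jar if keep_cookies else {}  # fresh dict = no cookie jar
        wiki.login("ExampleBot", ip, cookies)
        if edits:
            wiki.edit("ExampleBot", ip)
    return len(wiki.notifications)


# Constructed sample: 7 rotating addresses in different private subnets.
IPS = [f"10.0.{n}.10" for n in range(1, 8)]

if __name__ == "__main__":
    print("read-only, no cookies:", run_bot(IPS, 24, edits=False, keep_cookies=False))
    print("edits on each login  :", run_bot(IPS, 24, edits=True, keep_cookies=False))
    print("read-only, cookie jar:", run_bot(IPS, 24, edits=False, keep_cookies=True))
```

The model matches on the exact address and leaves out the short-term login-IP cache mentioned earlier in the thread, so it shows only the CheckUser and cookie signals.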