Page MenuHomePhabricator

Add some basic spam protection measures to Wikibase Registry
Closed, ResolvedPublic


We're drowning in spam already.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

So far, spam seems to go exclusively to the main namespace, so perhaps it's worth restricting edits there to autoconfirmed users.

Still hundreds of spam pages at , and I don't see how to get rid of them at scale.

Addshore added a subscriber: Addshore.

As a first pass here I removed the write / edit rights from the * group.
So now at least users have to register....

T195725: Add Extension:Nuke on Wikibase bundle docker image would be great for clearing the spam
T195989: Add Extension:ConfirmEdit to the wikibase bundle would enable us to stop it in the first place.

Once locked down I'll go through and purge the spam from the DB.

Addshore claimed this task.

I added Nuke and ConfirmEdit, neither are yet in the bundle image of wikibase yet but this will do for wikibase-registry for now.
I'll work on cleaning up the spam.

Mentioned in SAL (#wikimedia-cloud) [2018-05-30T18:03:15Z] <addshore> clone and mount the ConfirmEdit extension into wikibase service and configure and restart - T194664

Thanks for working on this, @Addshore . Looking forward to see this resolved - had to cancel a demo of it due to the spam interfering.

I just deleted all spam user pages and content pages, still not blocked or deleted all of the spambot accounts yet though.

Lastly I added a new group and the real users currently on the site to the group.
These are the only users that are able to edit the main and user namespaces (where all the spam appears)

# Only trusted users can edit the main and user namespaces
# This is the main in route for spam bots....
$wgNamespaceProtection[NS_MAIN] = [ 'Trusted' ];
$wgNamespaceProtection[NS_USER] = [ 'Trusted' ];
$wgNamespaceProtection[NS_USER_TALK] = [ 'Trusted' ];

# Create a Tursted user group
$wgGroupPermissions['Trusted'] = $wgGroupPermissions['user'];

We can play around with this at a later stage if this gets in the way at all...
Maybe we should allow people with the Trusted right to give other people the Trusted right or something similar?

I also made the final change, members of the 'Trusted' group can add other users to the 'Trusted' group.

Also there is now also a captcha for page creation for users not in the group.

And I actually changed the namespace protection to allow all autoconfirmed users...

Just removed all but 3 of the spam users from the DB entirely and also removed all of the spam pages / revisions from the DB :)

Vvjjkkii renamed this task from Add some basic spam protection measures to Wikibase Registry to zzcaaaaaaa.Jul 1 2018, 1:09 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed Addshore as the assignee of this task.
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from zzcaaaaaaa to Add some basic spam protection measures to Wikibase Registry.Jul 2 2018, 4:12 PM
CommunityTechBot closed this task as Resolved.
CommunityTechBot assigned this task to Addshore.
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot added a subscriber: Aklapper.