Page MenuHomePhabricator
Create Task
Maniphest T202539

20K events by a single user in the span of 20 mins
Closed, DeclinedPublic1 Estimated Story Points
Actions

Description

Running the following query in Hive results in 20,814 results, which is odd to say the least:

USE event;
SELECT * FROM citationusage
WHERE event.session_token="1d8be34f432aaad1" AND year=2018 AND month=7;

The events are all happening on the same page and the action is also the same 'extClick' (click on an external link). The code that logs these events looks OK.

The user agent isn't identified as a bot, yet so many requests are coming from this single user in a short span of time. The only explanation I currently have is that these events are generated by a bot masquerading as a user and clicking on all external links.

What do you think? Have you seen something similar with other EventLogging schemas?

This is not a single case. We see other similar cases with other session_tokens:

session_tokenevents
some session token7817
some session token6797
some session token6115
some session token5757
some session token4246
some session token4241
some session token4171
some session token4011
some session token2479
some session token2470
some session token2117
some session token1762
some session token1755
some session token1704
some session token1663
some session token1625
some session token1520
some session token1494
some session token1270

Related Objects

Event Timeline

bmansurov created this task.Aug 22 2018, 2:08 PM
Restricted Application added a project: Analytics. · View Herald TranscriptAug 22 2018, 2:08 PM
bmansurov updated the task description. (Show Details)Aug 22 2018, 2:10 PM
bmansurov edited subscribers, added: Milimetric; removed: Unknown Object (User).
bmansurov updated the task description. (Show Details)Aug 22 2018, 2:13 PM
bmansurov updated the task description. (Show Details)Aug 22 2018, 2:20 PM
Nuria added a comment.Aug 22 2018, 3:59 PM

What do you think? Have you seen something similar with other EventLogging schemas?

mmm... that session token is too short no? it should be 64 bits like: 80dr048q6b0buqrf4b44u2i11qvthbi4

We definitely have seen js-able bots in EL data and bots mostly crawl wikipedia which is what your schema is registering , now in this case your sessionToken looks wrong (if you have not abridged it).

bmansurov added a comment.Aug 22 2018, 4:25 PM

@Nuria we're using mediaWiki.user.sessionId() to get the session_token. The documentation says that this is a 64-bit integer in hex format. So I converted the above session_token (from the task description) to a number in decimal and got 2129045178431482577, which looks correct to me.

Nuria added a comment.Aug 22 2018, 8:15 PM

@bmansurov you are totally right, 16 chars in length is correct , my apologies

Nuria added a comment.Aug 22 2018, 8:19 PM
This comment was removed by Nuria.
Nuria added a comment.Aug 22 2018, 8:27 PM

Also, all crawled content by session: 1d8be34f432aaad1 is about cookies and cookie policy.

Milimetric assigned this task to Nuria.Aug 23 2018, 4:02 PM
Milimetric triaged this task as High priority.
Milimetric lowered the priority of this task from High to Medium.
Milimetric moved this task from Incoming to Operational Excellence on the Analytics board.
Milimetric moved this task from Operational Excellence to Data Quality on the Analytics board.
Milimetric added a project: Analytics-Kanban.
Milimetric moved this task from Next Up to Done on the Analytics-Kanban board.
Nuria set the point value for this task to 1.Aug 24 2018, 3:03 PM
Nuria added a comment.Aug 24 2018, 5:40 PM

Will be closing ticket as this is lawful traffic if not human.

Nuria closed this task as Resolved.Aug 24 2018, 5:41 PM
bmansurov added a comment.Aug 28 2018, 8:17 PM

@Nuria anything we can do to mark such user agents as 'bot'?

Nuria added a comment.Aug 28 2018, 8:57 PM

@bmansurov nothing easy I can think of at this time server side. This schema suffers much more than others regarding issues with bot traffic given that per definition is translating into events much of the "crawlers" clicking around. I think any filtering is going to have happen at analysis time and UAs with more than, say, 6 events per minute (1 every 10 secs) should probably be discarded.

bmansurov added a comment.Aug 28 2018, 9:01 PM

@Nuria thanks!

Nuria reopened this task as Stalled.Sep 3 2018, 11:31 PM
Nuria removed a project: Analytics-Kanban.Sep 4 2018, 3:01 PM
Nuria moved this task from Data Quality to Datasets on the Analytics board.Feb 8 2019, 6:32 PM
leila edited projects, added Research-Freezer; removed Research.Jul 11 2019, 4:12 PM
leila subscribed.Nov 20 2019, 12:29 AM

@Nuria do you expect this task to be addressed by the better bot detection approach you're implementing? If yes, I'd like to close it.

Nuria added a comment.Nov 20 2019, 3:22 AM

It will be initially deployed just for pageviews so not quite yet.

Nuria added a comment.Nov 20 2019, 3:22 AM

The heuristics would work however so we just need to think how would we plug it in this pipeline

Nuria moved this task from Datasets to Data Quality on the Analytics board.Jun 8 2020, 7:42 PM
Aklapper changed the task status from Stalled to Open.Nov 1 2020, 9:15 PM
Aklapper subscribed.

The previous comments don't explain who or what (task?) exactly this task is stalled on ("If a report is waiting for further input (e.g. from its reporter or a third party) and can currently not be acted on"). Hence resetting task status, as tasks should not be stalled (and then potentially forgotten) for years for unclear reasons...

(Smallprint, as general orientation for task management:
If work on this task is blocked by another task, then that other task should be added via Edit Related Tasks...Edit Subtasks.
If you wanted to express that nobody is currently working on this task, then the assignee should be removed and/or priority could be lowered instead.
If this task is stalled on an upstream project, then the Upstream tag should be added.
If this task is out of scope and nobody should ever work on this, or nobody else managed to reproduce the situation described here, then it should have the "Declined" status.
If the task is valid but should not appear on some team's workboard, then the team project tag should be removed while the task has another active project tag.)

Aklapper removed Nuria as the assignee of this task.Nov 26 2020, 8:15 AM

Resetting assignee (inactive account)

Aklapper added a project: Data-Engineering.Feb 9 2023, 8:19 PM
EChetty edited projects, added Data-Engineering-Planning; removed Data-Engineering.Feb 10 2023, 12:38 PM
EChetty moved this task from Backlog to Radar on the Data-Engineering-Planning board.Feb 10 2023, 12:43 PM
JArguello-WMF removed a project: Data-Engineering-Planning.Jun 29 2023, 10:02 PM
Restricted Application added a project: Data-Engineering. · View Herald TranscriptJun 29 2023, 10:02 PM
JArguello-WMF moved this task from Incoming (new tickets) to Event Platform Backlog on the Data-Engineering board.Jun 29 2023, 10:33 PM
phuedx closed this task as Declined.Aug 15 2023, 11:11 AM
phuedx subscribed.

Being bold. The CitationUsage instrument was removed in September 2020 and disabled roughly a year before per T262349#6445226.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL