Page MenuHomePhabricator

Need to make a limit of count of attempts to change email address
Closed, ResolvedPublic

Description

Problem:

A spammer can do the following:

  1. Register an account with a spam message in the username. For example, [[User:Follow the link and win $ 1000 - example.com]]
  2. Use [[Special:ChangeEmail]] to change the email address associated with that account to a "victim" address.
    • The victim address will be sent a mail, from Wikimedia servers and a Wikimedia sender, with text like "Someone, probably you, from IP address xxx.xxx, has changed the email address of the account "Follow the link and win $ 1000 - example.com" to this address on Wikipedia."
  3. Use [[Special:ChangeEmail]] to remove the address from that account.
    • The victim address will be sent another mail, from Wikimedia servers and a Wikimedia sender, with text like "Someone, probably you from IP address xxx.xxx, has removed the address of the account "Follow the link and win $ 1000 - example.com" on Wikipedia"
  4. The spammer can then repeat steps 2-3 for further victim addresses without delay. Alternatively, the spammer can skip step 3, which will result in a slightly different message (including the next victim's email address) being sent for the second message.

Proposed solution:

Apply a rate limit to Special:ChangeEmail, as legitimate users are unlikely to need to change email addresses so frequently.

While use of TitleBlacklist and AbuseFilter to prevent creation of accounts with names appropriate for this attack can help mitigate the issue, they do not directly prevent it.

Incidents:

  1. [[ru:User:Vash mail pobedil, vam nachisleno 14131p. Polushite po ssilke - www.p1oob.derg.pro 1]]
  2. The reaction of the victims: ticket of OTRS 2018111810004051, 2018111810002535, 2018111710004697.

Event Timeline

Iluvatar created this task.Nov 18 2018, 8:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 18 2018, 8:46 PM
Iluvatar updated the task description. (Show Details)Nov 19 2018, 7:48 AM

Hi @Iluvatar, thanks for taking the time to report this!

I'm not sure I understand - Why do "victims" receive an email? I am a spammer. I create an account. I go to Special:ChangeEmail. Which steps happen next?

(Also see T197279 for those having access.)

Aklapper renamed this task from Need to make a limit of count of attempts to change email to Need to make a limit of count of attempts to change email address.Nov 19 2018, 10:49 AM
Iluvatar added a comment.EditedNov 19 2018, 11:06 AM

When you try to attach mail to an account, server sent to that email asking confirm the action:

Someone, probably you, from IP address xxx.xxx, has changed the email address of the account "%SPAM%" to this address on Wikipedia.
To confirm that this account really does belong to you...

And the second letter comes after you change mail to following address:

Someone, probably you from IP address xxx.xxx, has removed the address of the account "% SPAM%" on Wikipedia

There is no limit for changing mail. I was able to change the email 22 times per 3 minutes. Need to make limit 3 times per 10 minutes or 10 times per hour or something like that.

Otherwise, we will continue to receive letters from surprised random users of Internet who have become "victims" of a smart spammer.

sbassett triaged this task as Normal priority.Nov 20 2018, 7:28 PM
sbassett added a subscriber: sbassett.

I think I understand the issue here, but I'm not certain a solution would exist aside from reactively creating new AbuseFilter rules to match the new, spammy usernames. There are some existing anti-spam rules in place for AbuseFilter, including one that seems related to this issue - 499 on this list - but it's private. Perhaps you could leave a talk page note for the user who created that rule and inquire if said rule could be expanded.

Anomie added a subscriber: Anomie.Nov 20 2018, 7:51 PM

including one that seems related to this issue - 499 on this list

That rule does not seem related to this task.

This task is requesting a rate limit apply to Special:ChangeEmail. I don't think AbuseFilter does anything for that special page.

@Anomie I was thinking of a way to proactively filter spammy usernames at step 1 "Register an account [[User:Follow the link and win $ 1000 - example.com]]". Apologies if that's unhelpful here.

Anomie updated the task description. (Show Details)Nov 20 2018, 8:05 PM

It could help, but writing filters that would catch every possible spammy username is likely to be difficult.

At minimum, there must be a throttle for ChangeEmail. Perhaps restrict it to 1 change every 5 minutes, which should be enough for any reasonable use. Then further restrict it if already done more than eg. 10 times.

We should probably restrict it not only per account, but also per triggering IP address, to avoid the creation of N spammy accounts, and then having the same user rotating between them, albeit in such case the account creation limit should have kicked in much earlier.

Such spammers can not be stopped. Of course account block useless. Right now, the spammer blocked 3 days ago sends spam (otrs 2018112110002672).

Maybe a captcha would also be useful here. Especially for busy ip ranges.

Such spammers can not be stopped. Of course account block useless. Right now, the spammer blocked 3 days ago sends spam (otrs 2018112110002672).

Are you saying that we should urgently prioritize this due to someone abusing this?

Are you saying that we should urgently prioritize this due to someone abusing this?

Yes. The abuse is doing right now, and we have no way to stop it.

Code-Review+1: Seems sane, haven't tested.

[16:37] bawolff !log deploy patch T209794

So as of right now:

  • People who have been blocked from sending emails cannot change their email
  • Users cannot change their email more than 4 times in a day [except they can always remove their email]
  • All users from a specific IP cannot change their email more than 10 times in an hour [except they can always remove their email]

Hopefully this will curtail some of the issues. I'm not sure if these limits are the best choice, but it stops the immediate problem and we can more leisurely discuss the best approach.

Bawolff added a comment.EditedNov 21 2018, 4:52 PM

So looking at the logs, I also see a lot of email changes from a chinese username too (e.g. like: 特邀您加徽信19665757在家即可零成本十尃采彡免去澳門舟车劳顿 ). [In english, translates to: Invited you to add Huixin to 19665757 at home to get a zero-cost pick-up and remove the Macau boat]

In total there was about 332,000 email changes in the last 7 days (!)

So looking at the logs, I also see a lot of email changes from a chinese username too (e.g. like: 特邀您加徽信19665757在家即可零成本十尃采彡免去澳門舟车劳顿 ).

According to Google Translate, "Invited you to add Huixin to 19665757 at home to get a zero-cost pick-up and remove the Macau boat". Not extremely clear, but adding something "to get a zero-cost pick-up" sounds pretty spammy so probably another instance of this problem.

I realized i used 'ip' as the rate limit type, where really we want 'ip-all' I think -

I realized i used 'ip' as the rate limit type, where really we want 'ip-all' I think -

I deployed updated version

Ok, looking at logstash - it definitely looks like this stuff started around noon nov 15.

Not counting the usernames with Vash mail pobedil in them, the top email changers are:

特邀您加徽信19665757在家即可零成本十尃采彡免去澳門舟车劳顿	23,692
特邀您加徽信号5136377在家即可零成本十尃采彡免去澳門舟车劳顿	319
Bugtesr	59
Bam 23765p tyt - www.tyt66.tk	8
DamirZaripovTest	7
Iluvatar	6
jrbs added a subscriber: jrbs.EditedNov 21 2018, 6:52 PM

Ok, looking at logstash - it definitely looks like this stuff started around noon nov 15.
Not counting the usernames with Vash mail pobedil in them, the top email changers are:

特邀您加徽信19665757在家即可零成本十尃采彡免去澳門舟车劳顿	23,692
特邀您加徽信号5136377在家即可零成本十尃采彡免去澳門舟车劳顿	319
Bugtesr	59
Bam 23765p tyt - www.tyt66.tk	8
DamirZaripovTest	7
Iluvatar	6

Should probably get these four locked?:

特邀您加徽信19665757在家即可零成本十尃采彡免去澳門舟车劳顿
特邀您加徽信号5136377在家即可零成本十尃采彡免去澳門舟车劳顿
Bam 23765p tyt - www.tyt66.tk

"Bugtesr" seemed a pretty suspicious username to me, too, but it is not (see below) ;)

Bugtesr (t) it's my account for test that bug (no rate limit).

jrbs added a comment.Nov 21 2018, 7:02 PM

Bugtesr (t) it's my account for test that bug (no rate limit).

Ah, gotcha. :) Kind of sounded like pre-testing for something like this. Glad to hear it is not!

Is https://phabricator.wikimedia.org/T211477 the same issue? The time frame seems to be the same, and it states that Wikimedia is now blacklisted by mail.ru.

Bawolff merged a task: Restricted Task.Dec 8 2018, 9:33 PM
Bawolff added subscribers: Q-bit-array, Legoktm, Oshwah and 4 others.

ugh, I spoke too soon. The users blocked from sending mail part of the patch looks to work ok, but appearently the rate limits get overridden in InitialiseSettings.php. Sorry, my bad, I should have tested this better.

Ok, rate limit added additionally to the wmf specific config file https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/478440/

Note, the current rate limit is now 4 per user per day, and 10 per IP address (even if logged in) per day.

People with "noratelimit" rights can override this (On enwiki that is: Bots, AccountCreators, Crats, Stewards, Event coordinators). Maybe this should be the type of thing where the noratelimit does not apply.

Is https://phabricator.wikimedia.org/T211477 the same issue? The time frame seems to be the same, and it states that Wikimedia is now blacklisted by mail.ru.

Mail.ru has problems receiving emails from non-russian servers. Not all email reach. This problem is already more than 10 years old.

Discussion about the last incident on the forum ruwiki[1]. Mail.ru Support asked the user ([[user:Polonoid]]) to provide some data from sending server: "Full Non-Delivery Report or full log of SMTP session of sending mail to your adress".

You can write to user and send the requested information.

[1]: https://ru.wikipedia.org/wiki/ВП:Форум/Технический#Электронная_почта_на_mail.ru

Reedy closed this task as Resolved.May 28 2019, 2:45 PM
Reedy assigned this task to Bawolff.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 6 2019, 4:01 PM

Change 514764 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_27] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514764

Change 514764 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514764

Change 514775 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_30] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514775

Change 514775 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514775

Change 514755 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514755

Change 514851 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_31] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514851

Change 514851 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514851

Change 514951 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_32] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514951

stjn removed a subscriber: stjn.Jun 6 2019, 9:01 PM

Change 514951 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514951

Change 514975 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_33] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514975

Change 514975 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: rate-limit and prevent blocked users from changing email

https://gerrit.wikimedia.org/r/514975