Problem:
A spammer can do the following:
- Register an account with a spam message in the username. For example, [[User:Follow the link and win $ 1000 - example.com]]
- Use [[Special:ChangeEmail]] to change the email address associated with that account to a "victim" address.
- The victim address will be sent a mail, from Wikimedia servers and a Wikimedia sender, with text like "Someone, probably you, from IP address xxx.xxx, has changed the email address of the account "Follow the link and win $ 1000 - example.com" to this address on Wikipedia."
- Use [[Special:ChangeEmail]] to remove the address from that account.
- The victim address will be sent another mail, from Wikimedia servers and a Wikimedia sender, with text like "Someone, probably you, from IP address xxx.xxx, has removed the address of the account "Follow the link and win $ 1000 - example.com" on Wikipedia".
- The spammer can then repeat the change and removal steps for further victim addresses without delay. Alternatively, the spammer can skip the removal step, in which case the next change produces a slightly different message for the previous victim (one that includes the next victim's email address).
Proposed solution:
Apply a rate limit to Special:ChangeEmail, as legitimate users are unlikely to need to change their email address so frequently. Because each freshly registered account can send at least one such mail before a per-account limit applies, the limit should also be keyed by IP address and work together with the existing account-creation throttle.
While TitleBlacklist and AbuseFilter can help mitigate the issue by preventing the creation of accounts whose names are suited to this attack, they do not directly prevent it: any account can still make a third party's address receive unsolicited mail from a Wikimedia sender.
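The following is an added example, not MediaWiki code, that replays the change/remove sequence described above against a small fixed-window rate limiter keyed per account and per IP address, in the (count, seconds) style that MediaWiki's $wgRateLimits uses for its buckets. The action name, window sizes, account names and IP address are assumptions chosen for illustration; the actual configuration key for email changes depends on the MediaWiki version and is not shown here. The second scenario shows why a per-account limit alone is not enough: one change per fresh account already delivers one mail per victim.

```python
"""Fixed-window rate limiting of an "email change" action, keyed per user and
per IP, replayed against the spam sequence reported for Special:ChangeEmail.
Added example; not MediaWiki's own implementation."""


class ChangeEmailLimiter:
    """Each limit is (count, seconds): at most `count` hits per window.
    A bucket's window starts at its first hit and resets once it expires."""

    def __init__(self, per_user=(2, 86400), per_ip=(5, 3600)):
        self.per_user = per_user   # assumed values, chosen for the example
        self.per_ip = per_ip       # None disables the per-IP bucket
        self._windows = {}         # (scope, key) -> (window_start, hits)

    def _hit(self, scope, key, limit, now):
        count, seconds = limit
        start, hits = self._windows.get((scope, key), (now, 0))
        if now - start >= seconds:        # window expired: start a new one
            start, hits = now, 0
        hits += 1                         # count the attempt even if denied
        self._windows[(scope, key)] = (start, hits)
        return hits <= count

    def allow(self, user, ip, now):
        """Return True if the change may proceed (and its notification mail
        may be sent). Both buckets are charged, as with a real throttle."""
        ok_user = self._hit("user", user, self.per_user, now)
        ok_ip = True if self.per_ip is None else self._hit("ip", ip, self.per_ip, now)
        return ok_user and ok_ip


def run_attack(limiter, accounts, victims_per_account, ip, start=0, gap=5):
    """Replay the reported sequence: for each account, set the address to a
    victim and then remove it again, one action every `gap` seconds.
    Returns how many actions got through, i.e. how many mails reach victims."""
    sent = 0
    t = start
    for account in accounts:
        for _ in range(victims_per_account):
            for _action in ("set", "remove"):
                if limiter.allow(account, ip, t):
                    sent += 1
                t += gap
    return sent


if __name__ == "__main__":
    # Constructed sample data: one spam account, ten victims, one source IP.
    spam_ip = "198.51.100.7"
    one_account = ["Follow the link and win $ 1000 - example.com"]
    print("one account, per-user+per-ip limit:",
          run_attack(ChangeEmailLimiter(), one_account, 10, spam_ip))
    # Ten fresh accounts, one victim each: only the per-IP bucket helps.
    fresh = [f"Spam account {i}" for i in range(10)]
    print("fresh accounts, per-user limit only:",
          run_attack(ChangeEmailLimiter(per_ip=None), fresh, 1, spam_ip))
    print("fresh accounts, per-user+per-ip limit:",
          run_attack(ChangeEmailLimiter(), fresh, 1, spam_ip))
```

With the assumed limits, a single spam account gets two actions through (the first victim's "changed" and "removed" mails) and is then throttled; ten fresh accounts with a per-account limit only would still deliver all twenty mails, which is what the per-IP bucket is there to cut off.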
Incidents:
- [[ru:User:Vash mail pobedil, vam nachisleno 14131p. Polushite po ssilke - www.p1oob.derg.pro 1]]
- Victims' reactions: OTRS tickets 2018111810004051, 2018111810002535 and 2018111710004697.