Page MenuHomePhabricator
Create Task
Maniphest T212667

Create mitigations for account creation spam attack [public task]
Closed, ResolvedPublic
Actions

Description

At this time we have a rogue external bot creating 10000 of accounts an hour, primarily at mediawikiwiki If we could see if we lower the throttle to one account per IP address to see if this reduces the impact. If there was a means to even turn off API creations for mediawikiwiki that would be helpful.

We have a temporary abusefilter in place that is inhibiting much account creation
https://meta.wikimedia.org/wiki/Special:AbuseFilter/195
though we are not able to write a really sweet filter for the usernames in use. We have edged back to a somewhat conservative filter that has a bit of leakage, though looks to be allowing the good accounts through.

I have a message about the abuse filter at https://meta.wikimedia.org/w/index.php?title=Stewards%27_noticeboard

Details

SubjectRepoBranchLines +/-
Revert "Temporary make account creation limits more restrictive"operations/mediawiki-configmaster+1 -3
Temporary make account creation limits more restrictiveoperations/mediawiki-configmaster+3 -1
Amend mediawiki AbuseFilter configurationoperations/mediawiki-configmaster+6 -3
Temporary remove AbuseFilter autoshutoff for mediawikiwikioperations/mediawiki-configmaster+3 -0
Customize query in gerrit

Related Objects

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Billinghurst updated the task description. (Show Details)Dec 28 2018, 2:31 PM
Nemo_bis subscribed.EditedDec 28 2018, 2:32 PM

Without checking what IP addresses are being used, there is no reason to think this would help anything. From the looks of it, they have thousands of IP addresses to use for this.
https://grafana.wikimedia.org/d/000000004/authentication-metrics?orgId=1&from=1545955201000&to=1546041540000&var-entrypoint=*

A simple sysop-level range block may be more effective, and as a local administrator I would vastly prefer it.

Update: here are some example IP addresses, courtesy Billinghurst and abusefilter blocks:
https://www.mediawiki.org/w/index.php?title=Special:Log&offset=20181228134634&limit=200&type=block&user=

Krenair subscribed.Dec 28 2018, 2:38 PM
fgiunchedi subscribed.Dec 28 2018, 2:40 PM
Stashbot subscribed.Dec 28 2018, 3:28 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-28T15:28:05Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: Attempt to adjust captcha settings for T212667 (duration: 00m 46s)

Bawolff subscribed.Dec 28 2018, 3:29 PM
In T212667#4845229, @Stashbot wrote:

Mentioned in SAL (#wikimedia-operations) [2018-12-28T15:28:05Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: Attempt to adjust captcha settings for T212667 (duration: 00m 46s)

So it appears that the spammer is making many wrong guesses at captchas, before hitting the right one. So i tried to adjust captcha settings to be more strict. I'm not sure if that will really help anything though. Thought it was worth a shot.

Masti subscribed.Dec 28 2018, 3:31 PM
Urbanecm subscribed.Dec 28 2018, 3:32 PM
Stryn subscribed.Dec 28 2018, 3:59 PM
MarcoAurelio subscribed.Dec 28 2018, 5:00 PM

The bot keeps trying hard at https://www.mediawiki.org/w/index.php?title=Special:AbuseLog. We should watch the filter so it doesn't get autothrottled and disabled for too many hits in a short timespan.

Mainframe98 subscribed.Dec 28 2018, 5:31 PM
Stashbot added a comment.Dec 28 2018, 6:02 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-28T18:02:04Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - adjust account creation (duration: 00m 47s)

Paladox subscribed.Dec 28 2018, 6:03 PM
gerritbot subscribed.Dec 28 2018, 6:05 PM

Change 481528 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Temporary remove AbuseFilter autoshutoff for mediawikiwiki

https://gerrit.wikimedia.org/r/481528

gerritbot added a project: Patch-For-Review.Dec 28 2018, 6:05 PM
gerritbot added a comment.Dec 28 2018, 6:09 PM

Change 481528 merged by jenkins-bot:
[operations/mediawiki-config@master] Temporary remove AbuseFilter autoshutoff for mediawikiwiki

https://gerrit.wikimedia.org/r/481528

Stashbot added a comment.Dec 28 2018, 6:14 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-28T18:14:50Z] <bawolff@deploy1001> Synchronized wmf-config/InitialiseSettings.php: 97446843a27 T212667 - Temp increase abusefilter emergency cutoff on mw.org to deal with spam attack (duration: 00m 46s)

Reedy removed a project: Patch-For-Review.Dec 28 2018, 6:53 PM
MZMcBride subscribed.Dec 28 2018, 8:20 PM
Kizule subscribed.Dec 28 2018, 8:39 PM

Should this be Security?

Peachey88 subscribed.Dec 29 2018, 1:24 AM
Billinghurst added a subscriber: Leaderboard.Dec 29 2018, 6:19 AM

@Leaderboard

Billinghurst added a subscriber: WhatamIdoing.Dec 29 2018, 6:47 AM

@WhatamIdoing

Peachey88 added a comment.Dec 29 2018, 6:59 AM

@Billinghurst To add subscribers to tasks in the future, I recommend going "Add Action" (above the comment box) -> "Change Subscribers", Instead of creating a whole comment.

Stashbot added a comment.Dec 29 2018, 12:34 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-29T12:34:57Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - make spam mitigation global (duration: 00m 49s)

gerritbot added a comment.Dec 29 2018, 12:43 PM

Change 481543 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Amend mediawiki AbuseFilter configuration

https://gerrit.wikimedia.org/r/481543

gerritbot added a project: Patch-For-Review.Dec 29 2018, 12:43 PM
MarcoAurelio added a comment.Dec 29 2018, 1:02 PM
In T212667#4845640, @gerritbot wrote:

Change 481543 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Amend mediawiki AbuseFilter configuration

https://gerrit.wikimedia.org/r/481543

This patch sets the same AF configuration used at Meta-Wiki. To be merged when it is safe to re-throttle filters again.

Stashbot added a comment.Dec 29 2018, 1:30 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-29T13:30:23Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - adjust spam block (duration: 00m 44s)

Daimona subscribed.Dec 29 2018, 1:36 PM
Bawolff renamed this task from Emergency measure: Set wgAccountCreationThrottle => 2 to Create mitigations for account creation spam attack [public task].Dec 29 2018, 2:03 PM
Bawolff added a project: Security-Team.
1997kB subscribed.Dec 29 2018, 2:11 PM
gerritbot added a comment.Dec 29 2018, 2:18 PM

Change 481546 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[operations/mediawiki-config@master] Temporary increase account creation

https://gerrit.wikimedia.org/r/481546

gerritbot added a comment.Dec 29 2018, 2:27 PM

Change 481546 merged by jenkins-bot:
[operations/mediawiki-config@master] Temporary make account creation limits more restrictive

https://gerrit.wikimedia.org/r/481546

Stashbot added a comment.Dec 29 2018, 2:30 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-29T14:30:23Z] <bawolff@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T212667 fe72284c Adjust account throttle limits (duration: 00m 46s)

gerritbot added a comment.Dec 29 2018, 2:51 PM

Change 481543 merged by jenkins-bot:
[operations/mediawiki-config@master] Amend mediawiki AbuseFilter configuration

https://gerrit.wikimedia.org/r/481543

Stashbot added a comment.Dec 29 2018, 2:53 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-29T14:53:50Z] <bawolff@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T212667 218371fd35 - Adjust mw.org abusefilter emergency shutoff threshold down to 0.3 (duration: 00m 46s)

Stashbot added a comment.Dec 30 2018, 2:07 AM

Mentioned in SAL (#wikimedia-operations) [2018-12-30T02:07:32Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: fine-tune antispam measure T212667 (duration: 00m 47s)

Whatamidoing-WMF edited subscribers, added: Whatamidoing-WMF; removed: WhatamIdoing.Dec 30 2018, 12:04 PM
Jdforrester-WMF subscribed.Jan 1 2019, 2:18 PM
Framawiki subscribed.Jan 1 2019, 4:02 PM
Quiddity subscribed.Jan 3 2019, 8:48 PM
Stashbot added a comment.Jan 4 2019, 3:42 PM

Mentioned in SAL (#wikimedia-operations) [2019-01-04T15:42:14Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: T212667 - More aggressive anti-spam measures for account creation on kowiki (duration: 00m 48s)

Nemo_bis mentioned this in T141490: Deploy improved FancyCaptcha.Jan 11 2019, 4:15 PM
Framawiki moved this task from Backlog to Analysis / under discussion on the Wikimedia-Site-requests board.Jan 24 2019, 8:20 PM
Framawiki added a comment.Feb 13 2019, 9:10 PM

What the status of this problem? Can the account creation throttle be reset to the old value?

Framawiki added a comment.Feb 23 2019, 8:02 PM
In T212667#4952472, @Framawiki wrote:

What the status of this problem? Can the account creation throttle be reset to the old value?

Hi, I still see users that ask questions about this limit change. Would it be possible to have more information?

Benoit_Rochon subscribed.Feb 27 2019, 12:56 AM

Value should be back to six due to the International Francophone Contribution Month coming soon.

Base subscribed.Mar 2 2019, 7:03 PM
Framawiki added a comment.Mar 10 2019, 9:52 AM

Can someone tell us what is the status of the private task? Perhaps @Aklapper @MarcoAurelio ?

Aklapper added a comment.Mar 10 2019, 11:10 AM

@Framawiki: Can someone please tell me first which specific "private task" you refer to? :)

Framawiki added a comment.Mar 10 2019, 12:15 PM
In T212667#5013598, @Aklapper wrote:

@Framawiki: Can someone please tell me first which specific "private task" you refer to? :)

IDK the number, I suppose there is a private task as the title of this one contains [public task] :)

Billinghurst added a comment.Mar 10 2019, 1:19 PM

There are some links above which have custom policy, though I am unaware of any private tasks that were mentioned at that time.

In T212667#5013614, @Framawiki wrote:
In T212667#5013598, @Aklapper wrote:

@Framawiki: Can someone please tell me first which specific "private task" you refer to? :)

IDK the number, I suppose there is a private task as the title of this one contains [public task] :)

Aklapper added a comment.Mar 10 2019, 7:30 PM
In T212667#5013614, @Framawiki wrote:

I suppose there is a private task as the title of this one contains [public task] :)

I don't :)

Framawiki added a comment.May 8 2019, 6:28 PM
In T212667#4952472, @Framawiki wrote:

What the status of this problem? Can the account creation throttle be reset to the old value?

Ping @Bawolff

Urbanecm added a comment.May 8 2019, 6:54 PM
In T212667#4986982, @Benoit_Rochon wrote:

Value should be back to six due to the International Francophone Contribution Month coming soon.

Even if it isn't, you can request a custom throttle rule, see https://meta.wikimedia.org/wiki/Mass_account_creation.

Maintenance_bot removed a project: Patch-For-Review.May 22 2019, 1:40 PM
Urbanecm added a comment.May 27 2019, 4:45 PM

Ping? When will the temporary changes be reverted?

Xaosflux subscribed.Jun 1 2019, 8:24 PM
JJMC89 subscribed.Jun 1 2019, 9:42 PM
stwalkerster subscribed.Jun 2 2019, 12:03 PM
AfroThundr3007730 subscribed.Jun 3 2019, 8:05 PM
JJMC89 mentioned this in T225984: Allow defining account creation limits for specific groups (e.g. extended-confirmed accounts).Jun 18 2019, 7:14 AM
JJMC89 added a subscriber: sbassett.Jun 21 2019, 10:27 PM

@sbassett Does your comment apply to all projects or just enwiki? In other words, should fe72284c5920 be reverted or a patch made for just enwiki?

sbassett added a comment.EditedJun 22 2019, 3:32 AM

@JJMC89 - Given how this was done and @Bawolff's note about it only being a temporary mitigation to be reverted after a week (back when it was implemented on December 29th, 2018), I believe fe72284c5920 should be reverted. As for changing wgAccountCreationThrottle from 6 to 10 - the rate of 6 has been in place for quite a long time, it seems: 015f5b7131ee (I'm sure it actually predates this commit, somewhere in svn.) I have no idea what the wisdom was behind that change (long before my time), but IMO I'd think it better to be cautious and limit such a change to enwiki only, for now, if it were decided that a rate of 6 wasn't sufficient within the account creator rights discussion.

sbassett triaged this task as Medium priority.Jun 22 2019, 3:33 AM
gerritbot added a comment.Jun 22 2019, 3:35 AM

Change 518350 had a related patch set uploaded (by JJMC89; owner: JJMC89):
[operations/mediawiki-config@master] Revert "Temporary make account creation limits more restrictive"

https://gerrit.wikimedia.org/r/518350

gerritbot added a project: Patch-For-Review.Jun 22 2019, 3:35 AM
JJMC89 added a comment.Jun 22 2019, 3:40 AM
In T212667#5275522, @sbassett wrote:

@JJMC89 - Given how this was done and @Bawolff's note about it only being a temporary mitigation to be reverted after a week (back when it was implemented on December 29th, 2018), I believe fe72284c5920 should be reverted.

I've created a patch to revert it; however, I can't deploy and am not available during SWAT.

sbassett added a subscriber: Reedy.EditedJun 22 2019, 3:44 AM

@JJMC89 - The weekly security deployment window is Monday 21:00–23:00 UTC. If it can wait until then (I'd guess it could?) @Reedy or I can deploy it.

JJMC89 added a comment.Jun 22 2019, 3:47 AM
In T212667#5275527, @sbassett wrote:

@JJMC89 - The weekly security deployment window is Monday 21:00–23:00 UTC. If it can wait until then (I'd guess it could?) @Reedy or I can deploy it.

That works. It's not urgent.

Aklapper added a comment.Jun 24 2019, 12:28 PM
In T212667#5275522, @sbassett wrote:

As for changing wgAccountCreationThrottle from 6 to 10 - the rate of 6 has been in place for quite a long time, it seems: 015f5b7131ee (I'm sure it actually predates this commit, somewhere in svn.) I have no idea what the wisdom was behind that change (long before my time), but IMO I'd think it better to be cautious and limit such a change to enwiki only, for now, if it were decided that a rate of 6 wasn't sufficient within the account creator rights discussion.

That's covered in T225984: Allow defining account creation limits for specific groups (e.g. extended-confirmed accounts) instead.

gerritbot added a comment.Jun 24 2019, 9:17 PM

Change 518350 merged by jenkins-bot:
[operations/mediawiki-config@master] Revert "Temporary make account creation limits more restrictive"

https://gerrit.wikimedia.org/r/518350

sbassett closed this task as Resolved.Jun 24 2019, 9:36 PM
sbassett claimed this task.

https://gerrit.wikimedia.org/r/518350 has been deployed, reverting https://gerrit.wikimedia.org/r/481546. I'm going to resolve this task for now since I don't believe there's any outstanding issues left to address.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jul 22 2019, 1:47 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 22 2019, 2:10 PM
Xaosflux mentioned this in T230521: Users are unable to create more than 2 accounts per day.Aug 15 2019, 3:59 AM
OhKayeSierra subscribed.Aug 15 2019, 7:14 AM
Tgr mentioned this in T241921: Fix Wikimedia captchas.Jan 5 2020, 8:12 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL