
Deploy countermeasures to stop ongoing spambot attack at es.wikiquote 2019-08-20 [public task]
Closed, Resolved · Public

Description

https://es.wikiquote.org/wiki/Especial:CambiosRecientes is, again, a target of spambot registration. The community is complaining at the Café.

Note: in fact, es.wikiquote is one of the projects that has been under sustained attack for a couple of months.

Logs prove a sustained spamming problem as well.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Aug 20 2019, 12:24 PM

Proposal:

  • restrict account creation on es.wikiquote to one per day and IP.
  • add es.wikiquote to the var mentioned at: T227416#5319331.

I'll make a patch.

Change 531169 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Restrict account creation on es.wikiquote to 1 day/IP

https://gerrit.wikimedia.org/r/531169

Change 531171 had a related patch set uploaded (by MarcoAurelio; owner: MarcoAurelio):
[operations/mediawiki-config@master] Enable DNS blacklist for es.wikiquote

https://gerrit.wikimedia.org/r/531171

sbassett added a subscriber: sbassett. · Edited · Aug 20 2019, 3:34 PM

@MarcoAurelio - +1'd both of these. I should be able to security-deploy these sometime today. Re: it being a "dead" project, is it time to consider a project closure request?

Change 531169 merged by jenkins-bot:
[operations/mediawiki-config@master] Restrict account creation on es.wikiquote to 1 day/IP

https://gerrit.wikimedia.org/r/531169

For a shorter-term and easier-to-implement solution, I'd suggest a (global?) AbuseFilter with the following rule: action === 'createaccount' & accountname rlike "[A-Z][a-z]+[A-Z][a-z]+[0-9]". If global, it could be used as tracking. If local, I wouldn't think twice about making it disallow or even block. According to the link in the description, 234/500 accounts would be caught.
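The rule suggested in the comment above can be checked offline before deciding between tracking and disallow. The following is an added example, not part of the original thread or of AbuseFilter itself; the account names are constructed, and Python's `re.search` stands in for `rlike` on the assumption that `rlike` is an unanchored match.

```python
import re

# Pattern copied from the rule in the comment above. Assumption: AbuseFilter's
# `rlike` is an unanchored regex search, so re.search() is the equivalent call.
RULE = re.compile(r"[A-Z][a-z]+[A-Z][a-z]+[0-9]")


def rule_hits(action, accountname):
    """Evaluate: action === 'createaccount' & accountname rlike RULE."""
    return action == "createaccount" and RULE.search(accountname) is not None


def evaluate(samples):
    """samples: list of (accountname, is_spam) pairs.

    Returns (caught, missed, false_positives) as lists of account names.
    """
    caught, missed, false_pos = [], [], []
    for name, is_spam in samples:
        hit = rule_hits("createaccount", name)
        if hit and is_spam:
            caught.append(name)
        elif hit:
            false_pos.append(name)
        elif is_spam:
            missed.append(name)
    return caught, missed, false_pos


# Constructed sample, not taken from the es.wikiquote logs.
SAMPLES = [
    ("LornaHeadley3", True),
    ("MiltonBurke82", True),
    ("xXKelseyWard7", True),      # unanchored search matches inside the name
    ("Promo shop online", True),  # spam name with a different shape
    ("AnaGarcia2019", False),     # plausible real user: false positive
    ("Ana García", False),
    ("Quijote1605", False),       # only one capitalised word before the digit
]

if __name__ == "__main__":
    caught, missed, false_pos = evaluate(SAMPLES)
    print("caught:", caught)
    print("missed:", missed)
    print("false positives:", false_pos)
```

The false-positive list is what separates a tracking-only filter from one set to disallow or block: a name such as `AnaGarcia2019` has the same shape as the spambot names.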

Mentioned in SAL (#wikimedia-operations) [2019-08-20T15:59:45Z] <urbanecm@deploy1001> Synchronized wmf-config/InitialiseSettings.php: 5ab38dc: Restrict account creation on es.wikiquote to 1 day/IP (T230796) (duration: 01m 00s)

Change 531171 merged by jenkins-bot:
[operations/mediawiki-config@master] Enable DNS blacklist for es.wikiquote

https://gerrit.wikimedia.org/r/531171

Mentioned in SAL (#wikimedia-operations) [2019-08-20T16:08:05Z] <urbanecm@deploy1001> Synchronized wmf-config/InitialiseSettings.php: fa903b7: Enable DNS blacklist for es.wikiquote (T230796) (duration: 00m 55s)

@MarcoAurelio: Deployed. Hope it helps!

sbassett triaged this task as Normal priority. · Aug 20 2019, 4:23 PM

> @MarcoAurelio - +1'd both of these. I should be able to security-deploy these sometime today. Re: it being a "dead" project, is it time to consider a project closure request?

@sbassett Thanks for the reviews. My choice of 'dead' was wrong now that I think about it. I meant dead in the sense that it doesn't seem to have frequent legit account creations of newbies. The project has low activity and has content, which bars project closure pursuant to the current wording of the closing projects policy.

> @MarcoAurelio: Deployed. Hope it helps!

Thanks! I'm certainly not seeing further spambot registration for now. I intend to raise the account creation limit up to 4 in the next few days.

> For a shorter-term and easier-to-implement solution, I'd suggest a (global?) AbuseFilter with the following rule: action === 'createaccount' & accountname rlike "[A-Z][a-z]+[A-Z][a-z]+[0-9]". If global, it could be used as tracking. If local, I wouldn't think twice about making it disallow or even block. According to the link in the description, 234/500 accounts would be caught.

This might be a solution for a brief period of time before it gets autothrottled by the system in cases of heavy spambot activity like the ones we had. It is also problematic per T152394. Thanks.

> > For a shorter-term and easier-to-implement solution, I'd suggest a (global?) AbuseFilter with the following rule: action === 'createaccount' & accountname rlike "[A-Z][a-z]+[A-Z][a-z]+[0-9]". If global, it could be used as tracking. If local, I wouldn't think twice about making it disallow or even block. According to the link in the description, 234/500 accounts would be caught.
>
> This might be a solution for a brief period of time before it gets autothrottled by the system in cases of heavy spambot activity like the ones we had. It is also problematic per T152394. Thanks.

At worst, we can raise the throttle at any time.

Four weeks later: Is more work needed here / is there a reason to keep this task open?

MarcoAurelio closed this task as Resolved. · Mon, Sep 16, 9:55 AM
MarcoAurelio claimed this task.

It's all good. Measures still in place at community request, and no issues reported.

Restricted Application added a project: User-MarcoAurelio. · Mon, Sep 16, 9:55 AM