Please make sure you are logged in while using the account creation form.

(ie. this is probably a duplicate of T393459: Warn users when they get redirected from a logged-in local page to a logged-out auth.wikimedia.org page)

In T397244#10927706, @Tgr wrote:

Please make sure you are logged in while using the account creation form.

Still having this issue and clearly make sure that I'm in logged in status.

Can you provide the approximate timestamp for one of the failed account creation attempts?

In T397244#10928842, @Tgr wrote:

Can you provide the approximate timestamp for one of the failed account creation attempts?

Just tried now and still happened, so it's around 1700 utc June 18, here's the screenshot

Hm, are you on a blocked IP that you know of?

Eh, it seems like we don't log signup failures at all :(

I just created 8 accounts in a row, so throttle exemption seems to be working in general.

It doesn't seem like your zhwiki account has noratelimit. Where is it supposed to come from?

In T397244#10929488, @Tgr wrote:

It doesn't seem like your zhwiki account has noratelimit. Where is it supposed to come from?

User:Aqurs1 has global-rollbacker and zhwiki ipblock-exempt-grantor, both of which contain noratelimit.

Oh, right. I was probably looking at zuwiki.

Could you go to https://auth.wikimedia.org/zhwiki/wiki/Special:WikimediaDebug , click on the activate button, and try to create an account one more time?

In T397244#10929584, @Tgr wrote:

Oh, right. I was probably looking at zuwiki.

Could you go to https://auth.wikimedia.org/zhwiki/wiki/Special:WikimediaDebug , click on the activate button, and try to create an account one more time?

Hello, I activated the link above, and just made a create attempt on june 19 06:23 utc, issue still happens now.

Also, it seems I'm not in a blocked ip/range.

I'm not seeing any account creation attempt in the logs. I can see the GET request where you load the account creation page (indeed while logged in) but then no POST request whatsoever.

Does the error message show up even before submitting the form? IIRC we check the throttle on POST.

In T397244#10931437, @Tgr wrote:

I'm not seeing any account creation attempt in the logs. I can see the GET request where you load the account creation page (indeed while logged in) but then no POST request whatsoever.

Does the error message show up even before submitting the form? IIRC we check the throttle on POST.

It's activated debug>go to account creation form>press create account>warning shown.
Do I need to do it again for the above step?

No, thanks, this was enough information.

Apparently the WikimediaDebug routing logic is slightly buggy -> filed as T397439: X-Wikimedia-Debug cookie not routed correctly in Kubernetes on POST requests

This does not seem to be unique to zhwiki: I am an enwiki account creator, and yet:

My IP is not blocked locally or globally. This occurred in the last few minutes. It also occurred with the https://en.wikipedia.org/wiki/Wikipedia:Request_an_account/Guide tool, which uses my OAuth credentials, at 2025-07-26 02:15:02 UTC.

Also getting the same error as mdaniels5757 on account creation on enwiki. Tried at Meta and got "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form." Tried to exit Special:CreateAccount, log out, and go back to it, and received the same message.

@Aqurs1 thank you for your patience! The account creation was blocked by a secret filter that was set up during a past attack (private task for reference: {T163756}), but a part of the filter ended up quite generic: it disallowed some email providers, including the one used in this login attempt. We'll fix the filter to provide a non-misleading reason.

The new error message to use, per @EMill-WMF:

Email addresses using <domain> are not supported. Please choose another email provider.

We should also move the generic part of the filter out of the private mitigations repo so it can be found by codesearch etc, but that's less urgent (and I'm not sure what's a good place to move it to (T401939: Create a Wikimedia* extension for site customizations).

Now that it will have a reasonable error message, is there a justification to keep the list of banned providers non-public?

In T397244#11090876, @Tgr wrote:

We should also move the generic part of the filter out of the private mitigations repo so it can be found by codesearch etc, but that's less urgent (and I'm not sure what's a good place to move it to (T401939: Create a Wikimedia* extension for site customizations).

WikimediaEvents for now? Like we did with some of the EmailAuth config? Probably not an ideal place long-term though, for any of this code.

In T397244#11090883, @AntiCompositeNumber wrote:

Now that it will have a reasonable error message, is there a justification to keep the list of banned providers non-public?

I believe @EMill-WMF had some concerns around reputation, perceived support / admonishment, etc.

In T397244#11090876, @Tgr wrote:

The new error message to use, per @EMill-WMF:

Email addresses using <domain> are not supported. Please choose another email provider.

We should also move the generic part of the filter out of the private mitigations repo so it can be found by codesearch etc, but that's less urgent (and I'm not sure what's a good place to move it to (T401939: Create a Wikimedia* extension for site customizations).

Please note we also have an public email blacklist at https://meta.wikimedia.org/wiki/Email_blacklist so anything not sensitive should be moved there.

In addition SpamBlacklist supports custom blacklist file - we should also use that too for private blacklisting. (if this is done the meta email blacklist page should be updated to describe the existence of private blacklist entries and the contact point for managing such entries.) The current message is English only and should not be a permanent solution.

(It's probably moot now, but thinking out loud, I wonder if this was also the cause of T388599: Unable to create account?)

In T397244#11090876, @Tgr wrote:

The new error message to use, per @EMill-WMF:

Email addresses using <domain> are not supported. Please choose another email provider.

In T409518#11353752, @Tgr wrote:

Yeah probably the same issue, but I don't think it was ever fixed.

Could someone with access please, at a minimum, implement the changed error message above? Or, even better, use the SpamBlacklist extension, which already contains all needed functionality and messages (either by adding the addresses to https://meta.wikimedia.org/wiki/Email_blacklist, or by adding an appropriate $wgBlacklistSettings = [ 'email' => ... ] setting, which will allow a private list of forbidden email addresses to be used. Both SpamBlacklist options provide a reasonable error message, which is even internationalized (MediaWiki:Spam-blacklisted-email-signup).

Change #1230462 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] WikimediaCustomizations: Set WMCBadEmailDomainsFile

https://gerrit.wikimedia.org/r/1230462

Change #1230463 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/WikimediaCustomizations@master] [WIP] Add BadEmailDomainChecker

https://gerrit.wikimedia.org/r/1230463

Change #1230462 merged by jenkins-bot:

[operations/mediawiki-config@master] WikimediaCustomizations: Set WMCBadEmailDomainsFile

https://gerrit.wikimedia.org/r/1230462

Mentioned in SAL (#wikimedia-operations) [2026-02-02T21:05:24Z] <kemayo@deploy2002> Started scap sync-world: Backport for [[gerrit:1235392|Edit check: turn off the tone a/b test on frwiki, jawiki, ptwiki (T411914)]], [[gerrit:1235111|Enable suggestions BetaFeature on beta wikis (T415504)]], [[gerrit:1230462|WikimediaCustomizations: Set WMCBadEmailDomainsFile (T397244)]], [[gerrit:1235491|filebackend: Clean up removed config params for multi-write backends (T328872)]]

Mentioned in SAL (#wikimedia-operations) [2026-02-02T21:07:21Z] <kemayo@deploy2002> tgr, func, kemayo, esanders: Backport for [[gerrit:1235392|Edit check: turn off the tone a/b test on frwiki, jawiki, ptwiki (T411914)]], [[gerrit:1235111|Enable suggestions BetaFeature on beta wikis (T415504)]], [[gerrit:1230462|WikimediaCustomizations: Set WMCBadEmailDomainsFile (T397244)]], [[gerrit:1235491|filebackend: Clean up removed config params for multi-write backends (T328872)]] synced to

Mentioned in SAL (#wikimedia-operations) [2026-02-02T21:16:18Z] <kemayo@deploy2002> Finished scap sync-world: Backport for [[gerrit:1235392|Edit check: turn off the tone a/b test on frwiki, jawiki, ptwiki (T411914)]], [[gerrit:1235111|Enable suggestions BetaFeature on beta wikis (T415504)]], [[gerrit:1230462|WikimediaCustomizations: Set WMCBadEmailDomainsFile (T397244)]], [[gerrit:1235491|filebackend: Clean up removed config params for multi-write backends (T328872)]] (duration: 10

Change #1230463 merged by jenkins-bot:

[mediawiki/extensions/WikimediaCustomizations@master] Add BadEmailDomainChecker

https://gerrit.wikimedia.org/r/1230463

This will need one more deployment to remove the old private mitigation code (otherwise both versions run, and which message the user gets is basically random). This can be done after the new code is deployed with wmf.15.

Mentioned in SAL (#wikimedia-operations) [2026-03-09T21:01:49Z] <tgr_> removed private code for T397244