I noticed that a semiprotected page (editing restricted to autoconfirmed users) on Wikitech was spammed by a newly-created account. It turns out the reason is because labswiki is listed in fishbowl.dblist, which is intended for wikis with editing restricted to trusted accounts.
Anti-abuse measures impacted by this are:
* $wgAutoConfirmAge = 0, meaning all accounts would be auto-confirmed
* All logged-in accounts are explicitly granted the autoconfirmed and editsemiprotected rights anyway.
* $wgAccountCreationThrottle = 0, meaning spammers can create accounts without throttle
* $wgEmailAuthentication = false, which seems to mean that anyone can set any address on their account without confirmation.
* $wmgEnableCaptcha = false, so no captchas for spam edits.
* $wmgUseSpamBlacklist = false, so no blocking of blacklisted links.
* $wgNoFollowLinks = false, allowing SEO spam to potentially work.
Positive/intended effects of labswiki being in fishbowl.dblist seem to be:
* CentralAuth, GlobalUserPage, and other "global" extensions are disabled there. From a passing comment in T72311, I suspect this was the main reason for it.
* CentralNotice is disabled there.
* OAuth is disabled there.
* Local renameuser is allowed there.
Other effects:
* $wgUseNPPatrol is disabled there.
I see two sane options to fix this:
* Explicitly apply the "positive/intended effects" to labswiki.
* Create a new "nonglobal.dblist" to apply only the "positive/intended effects", with the only current member being labswiki.