Thread:Project:Support desk/$wgGroupPermissions not preventing spammers creating new pages/reply (6)

The problem here is that even the owner is not able to reproduce the problem on his own test account, but spammers do. I don't see any not well-known extension listed on Special:Version which could have some security hole to allow creating such pages.

The only way to debug this is to see what kind of URL they're using to circumvent your settings, to try to reproduce the exact steps and see where's the hole. The only way I think they could circumvent this is if you have a wiki pointing to the same database under a different URL, with different LocalSettings.php that allow creating such pages.