Topic on Project:Support desk

MediaWiki is a spam target unless it is set up properly.

B d m p (talkcontribs)

I made a new site and it immediately got taken over by spam. It was quite a hassle to delete all the spam and all the users. Not to mention that it was very unclear how to do this.

I am wondering why the captcha is not enabled by default. It seems to me that the by default the OpenID extension, mass delete extension and the BlockandNuke extension should be enabled.

Finding, installing, figuring out how to use them tool several days of work.

Why is the default version of Media Wiki so vulnerable to spam? How can we make it so users who are not that savvy do not get completely overrun?

Thank you.

Glaisher (talkcontribs)

Spammers try to spam anywhere they can find on the Internet. It's not only Mediawiki wikis that are vulnerable to spam. They spam blogs, forums, wikis, guestbooks, email addresses, mailing lists and any other web forms which they find. See Manual:Combating spam for details about how to deal with spam.

B d m p (talkcontribs)

Yes, this is true. That is why spam combating measure should be enabled by default.

Understanding and effectively combating spam with the information on Manual:Combating spam is a very difficult task. I have been trying for days to make my site function properly by using the information on that page, and I am getting no where. I have installed almost all the extensions on that page.

I was able to delete all the spam pages, but I have thousands of spam bot accounts I can't delete (BlockandNuke extension is not working). Also, I enabled OpenID to stop spam bot account creation because the extension that enables the captcha doesn't actually stop the bots, but if I disable the non-OpenID accounts, then users can't make user names when creating an account with OpenID. So, now I have a catch-22, and if I enable account creation, I get spam bots. If I disable it, real uses can't make accounts with OpenID.

This is a huge mess that could have been prevented if strict spam prevention measures were enabled by default. (talkcontribs)


So what would help would be having the information on how to set up a wiki in such a way that it is secure (spamwise) more reachable.

It would help to adjust the content of the original main page (this standard welcome text) to something, which also includes a link to Manual:Combating spam.

B d m p (talkcontribs)

That would be a step in the right direction, but I think it should have spam filters on by default or be in lock down mode with an explanation, so admins can configure it before they get attacked by spam. (talkcontribs)

As for the spam filters, there are extensions, which are coming with MediaWiki by default and which you can configure as you like (SpamBlacklist, TitleBlacklist, ConfirmEdit or so). All you have to do is to configure them. It does not really make sense to activate them preconfiguredly in some way as then spammers would just adapt to that one preconfiguration, which would make it useless.

When you set up MediaWiki there is an option to make it an "open wiki", "closed wiki" and so on. These texts tell something about who can edit the wiki in each case. However, I do not know the exact texts right now. Maybe a recommendation at that place would make sense.

Atcovi (talkcontribs)

Note: At Meta Wikimedia, there is a bot that automatically blocks users for specific spam userpage. You may check that out, or you can talk to User:Jasper Deng, who created that bot at Meta.

This post was posted by Atcovi, but signed as Goldenburg111. (talkcontribs)

Setting p a bot needs a rather good understanding of the MediaWiki internals, maybe a PC with some scripting language and other funky stuff. This is by no means something, that a beginner should be advised to try; it won't work, he will fail, demotivation and so on. I would start configuring the extensions, which come with the release tarball.

PiRSquared17 (talkcontribs)

That's just an abusefilter. (talkcontribs)

...which can be used with Extension:AbuseFilter. However, that is advanced - compared to just using the extensions provided with the tarball. The easiest solution is deactivating registration and making registration compulsory for editing. That is two lines in LocalSettings.php - and the installer even offers you to set them with a single click (I think the option was called "closed wiki").

MarkAHershberger (talkcontribs)

Right. And maybe that should be the default to get people to be more aware of what they need to do if they're going to set up a wiki.

LiturgicaNotata (talkcontribs)

I've had the same problem, and I found it also very difficult to work my way through the CombatingSpam-page. But I'm glad to say that my wiki is spamfree since last october! I've installed some extensions I don't use or didn't set up properly, but I think the two extensions that did the trick were ConfirmEdit with QuestyCaptcha and SimpleAntiSpam. I have to say though that my wiki is very specialised and in German, so I could come up with some really specialised questions in German. And I see this can't be the solution for every kind of wiki: A non-specialised wiki like, let's say, wikipedia can't come up with that kind of specialised questions.

Ciencia Al Poder (talkcontribs)
Lwangaman (talkcontribs)

I am trying to create a wiki, and in order to avoid spam (as happened in a past attempt a few years ago, I had tried creating a wiki which was overrun by spambots and I eventually gave up), this time I created a closed wiki where only registered users who are approved can post content. Well guess what: I was overrun by spam again. If not even a closed wiki is protected from spam then I say, there must be some weaknesses in the wiki software that spambots can take advantage of?

Ciencia Al Poder (talkcontribs)

Sometimes weakness are caused by sysadmins that install new MediaWiki versions but leave an old installation with public access on the internet at a different path

Lwangaman (talkcontribs)

this isn't the case here, it was a new mediawiki installation, clean from scratch. It had nothing to do with the previous attempt I mentioned. I'm seeing the "actor" table is full of "actor_name" values that begin with "en>" or "it>", but if I try the rollbackEdit.php script for any of these usernames I get the error message "invalid username". Is that because the rollbackEdit script won't accept a username that contains the ">" character, or perhaps because the "actor_user" field has a NULL value for each one of these?

Ciencia Al Poder (talkcontribs)

Those names that begin with en> or it> are the result of imported revisions... This means the "spam" actually was imported from another wiki by you or another sysop (the only user group able to import dumps by default) by using Special:Import or importDump.php

The rollbackEdit thing may be a bug worth reporting

Reply to "MediaWiki is a spam target unless it is set up properly."