We haf returned! (New Spam Thread)

Post here if you have a problem with your account.
callforjudgement
Microprocessor
Posts: 3972
Joined: September 1, 2011

Post #545 (isolation #0) » Wed Nov 29, 2017 2:52 pm

Post by callforjudgement »

There's been a large amount of page creation spam on the MafiaScum Wiki recently.

Here's a (probably non-exhaustive) list of accounts responsible:

https://wiki.mafiascum.net/index.php?ti ... tions/ADAM
https://wiki.mafiascum.net/index.php?ti ... atondon123
https://wiki.mafiascum.net/index.php?ti ... /Nehaknsl7
https://wiki.mafiascum.net/index.php?ti ... ikejack456
https://wiki.mafiascum.net/index.php?ti ... ons/Abhhii
https://wiki.mafiascum.net/index.php?ti ... ns/Sahilss
https://wiki.mafiascum.net/index.php?ti ... /Ankit1234
https://wiki.mafiascum.net/index.php?ti ... Devidewill

They've created a very large number of pages which all need deleting by a wiki admin. It'll be worth looking for any other accounts that are being used for this, too. (I strongly suspect that they're all the same person, possibly editing from compromised IPs rather than their own computer.)


I'm an admin on a non-Mafia-related wiki that's been attacked by the same spammer. (I'm pretty sure that it's a human who solves the CAPTCHAs, at least, which would explain how they managed to register an account on this wiki despite the account creation process being done on the forum). Here's a spam filter rule that seemed to help against the attack in question in the past (I haven't checked whether it would help against the latest attack):

Code:

old_size = 0 & article_text rlike "1[^0-9]8[0-9][0-9][^0-9][0-9][0-9][0-9][^0-9][0-9][0-9][0-9][0-9]"

scum · scam · seam · team · term · tern · torn · town

Post #549 (isolation #1) » Fri Dec 22, 2017 6:25 pm

Post by callforjudgement »

The spam situation on the wiki is now completely out of control; there are some spambots that have been posting junk new pages for weeks.

I've been {{blockme}} tagging all the spambots I can find; all the pages they created (now likely into the thousands) will need to be deleted too. Note that some {{deleteme}} tags have gone unseen for weeks: the last spam cleanup appears to have been by Kison on 6 December 2017, but there's now been enough spam buildup since that deleting it all would take hours.

I'd recommend that the site staff appoint a new wiki admin to help clean this up. I'd also recommend installing some anti-spam extensions if you haven't yet; something to mass-delete page creations by a user, and an enhanced spam filter such as AbuseFilter that can be used to prevent the page creations via regex match.

Post #551 (isolation #2) » Sat Dec 23, 2017 8:18 am

Post by callforjudgement »

Hundreds of spam pages deleted. I did some searches to make sure I didn't miss any ("number" is a good search term, that's in the title of basically every spam page) and cleaned up a few stragglers; I've also checked the entire length of Recent Changes expanded to its maximum size.

This particular spam attack appears to be using humans to bypass the CAPTCHA (we've used some really unusual CAPTCHA solutions on other wikis and it's still been solved). Perhaps requiring posts on the forum before posting would work, but I fear that it would instead tend to lead the spammers to post junk posts in Queue just to get round the restriction. Some solutions that have seemed to help on other wikis: requiring edits to existing pages before new pages can be created (e.g. Wikipedia requires ten, but even one seems to work); and a regex-based title blacklist (searching for 10 digits preceded or succeeded by "number" is unlikely to have many if any false positives, and would match almost all (all?) the spam pattern we've seen). The former can be done with a configuration change (set "autoconfirmed" to 1 edit and 0 days, then remove the ability for non-autoconfirmed users to make pages). The latter can, AFAIK, only be done with the help of an extension; my preferred extension for that is AbuseFilter, as it's incredibly flexible and can be configured to implement more or less any spam-fighting rule you'd want.

(Just for some context, I'm currently an admin on some fairly small wikis, and was an admin at Wikipedia for a while, so I'm fairly experienced with this sort of spamfighting. I'll have to remember to check Recent Changes more often, though.)

Post #553 (isolation #3) » Sat Dec 23, 2017 11:44 am

Post by callforjudgement »

Hmm, something seems wrong with how it's installed, I get an Internal Server Error trying to do anything with it. (For example, the "check syntax" button on the filter creation screen.)

Post #555 (isolation #4) » Sat Dec 23, 2017 12:11 pm

Post by callforjudgement »

OK, I've added an Abuse Filter rule that, out of the ~400 or so edits I tested it against (via batch testing, not individually), should stop all the spam we've seen so far and yet have no influence on legitimate changes.

I've only set the rule to prevent the edits, not to apply any further consequences, so that if I've made a mistake and there are false positives, the worst that will happen is that the edit won't go through; there won't be any automatic blocks or the like applied yet.

If the rule turns out to be successful, I can expand it to block users if they appear to be spamming as their first edit.
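Added example (not part of the thread and not the filter deployed on the wiki): a Python batch test in the spirit of post #555, running the content rule from post #545 and the title heuristic described in post #551 over labelled edits. The sample edits, the separator set in `TEN_DIGITS_RE`, the creation-only guard on the title rule and all function names are assumptions made for the illustration.

```python
import re

# Content rule from post #545, carried over from AbuseFilter's rlike to Python's re.
CONTENT_RE = re.compile(
    r"1[^0-9]8[0-9][0-9][^0-9][0-9][0-9][0-9][^0-9][0-9][0-9][0-9][0-9]")
# Title heuristic from post #551: "number" plus ten digits. Assumption: the
# digits may be separated by spaces, dots, dashes, parentheses or a plus sign.
TEN_DIGITS_RE = re.compile(r"(?:[0-9][\s().+-]*){10}")

def content_rule(edit):
    # old_size = 0 limits the rule to page creations, as in the original rule.
    return edit["old_size"] == 0 and CONTENT_RE.search(edit["text"]) is not None

def title_rule(edit):
    # Assumption: like the content rule, only page creations are checked.
    title = edit["title"]
    return (edit["old_size"] == 0 and "number" in title.lower()
            and TEN_DIGITS_RE.search(title) is not None)

def either_rule(edit):
    return content_rule(edit) or title_rule(edit)

def batch_test(rule, edits):
    """Apply one rule to labelled edits. A hit only means 'prevent the edit'."""
    result = {"caught": 0, "false_positives": [], "missed": []}
    for e in edits:
        hit = rule(e)
        if hit and e["spam"]:
            result["caught"] += 1
        elif hit:
            result["false_positives"].append(e["title"])
        elif e["spam"]:
            result["missed"].append(e["title"])
    return result

def edit(old_size, title, text, spam):
    return {"old_size": old_size, "title": title, "text": text, "spam": spam}

# Constructed sample edits; the 555-01xx phone numbers are fictional.
SAMPLE_EDITS = [
    edit(0, "Example Printer Support Number 1-800-555-0199", "Call 1-800-555-0199 today", True),
    edit(0, "Example Mail Helpline Number 1.888.555.0142", "Dial 1 888 555 0142 now", True),
    edit(0, "Example Antivirus Customer Number 18005550123", "Toll free help all day", True),
    edit(0, "Mini Normal 1234", "Setup: 9 players. Number of scum: 2", False),
    edit(5000, "Site FAQ", "Old hosting contact was 1-800-555-0100", False),
    edit(0, "Number of players in Open 101", "Player counts from 2011 to 2017", False),
]

if __name__ == "__main__":
    for rule in (content_rule, title_rule, either_rule):
        print(rule.__name__, batch_test(rule, SAMPLE_EDITS))
```

On this sample the content rule misses the creation whose body carries no formatted number, and the title rule catches it; the edit to the existing "Site FAQ" page is left alone because of the `old_size` guard.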