Difference between revisions of "The iPhone Wiki:Spam"

(future?)
Line 17: Line 17:
   
 
So how are we going to continue with this? Account creation is still disabled. I've been asked by someone to get a new user account, but cannot help for now. --[[User:Http|http]] 17:17, 20 June 2011 (UTC)
 
So how are we going to continue with this? Account creation is still disabled. I've been asked by someone to get a new user account, but cannot help for now. --[[User:Http|http]] 17:17, 20 June 2011 (UTC)
  +
:Ah, yes. Sorry for neglecting to update you about a situation, http. About a week or two ago, someone asked me about account creation also. While logged into my account, I was able to access the [http://theiphonewiki.com/wiki/index.php?title=Special:Userlogin&type=signup account creation page] and make an account for him, with the details he provided me. I suppose this will be how all accounts will be made in the future. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 01:07, 21 June 2011 (UTC)
   
 
===Invite System===
 
===Invite System===

Revision as of 01:07, 21 June 2011

Account signup has been blocked again due to spammers. Captcha didn't fix it.

I propose one of three options, invites, account approval, or signup Thursdays. --geohot 03:47, 19 April 2011 (UTC)

I think account approval would be the best option (although the most work for everyone with sysop powers). People that want to sign up may have trouble asking current users for an invite, and it sounds like spammers would have no problem spamming the wiki on signup days. --Dialexio 04:20, 19 April 2011 (UTC)
I think it's quite strange that the Captcha didn't work. For the current spam the best way would be a regular expression that detects these new pages (all look identical) and automatically denies the page creation and immediately blocks that user. But of course they can change the text and it's not solved anymore. What about their emails? Currently you don't have to provide a valid email. What if you enable the email verification? Maybe they still get around that somehow, but I think they use something highly automated and something that works on all wikis, not just here. If we would add a verification "word" in the verification email that they would have to reenter on the page, then that would be something nonstandard that might not work for them. If they still get around that, we can approve new users (best choice of your ideas), but based on what should we decide? If we just approve every new user, we also risk to approve spammers. --http 05:00, 19 April 2011 (UTC)
Well, CAPTCHA only does so much. I propose maybe implementing a CAPTCHA that uses a GIF animation since that breaks a lot of spambots. If not that, then maybe just account approval. LiNK 05:29, 19 April 2011 (UTC)
emails already have to be verified, I'm almost wondering if people are doing it. --geohot 08:04, 19 April 2011 (UTC)
Are they (spam account emails) all from the same domain or nothing in common? Maybe we can block users from certain domains (throwaway emails). --http 10:16, 19 April 2011 (UTC)
About the captcha could we make a problem into captcha like for example: the image will say: What is seven times eleven? (A flaw in this question is that the answer could be found via a google search, so there should be a little rewording.) Then the user would have to solve that simple math problem... I daresay that a user on a technologically advanced wiki should be able to do that math problem. Also could we make it so that instead of account approval any new user's post has to be approved? Revolution 18:42, 21 April 2011 (UTC)
This is confusing, the captcha blocks pages with new external links and all the spam pages use external link ([http://en.wikipedia.org/ Wikipedia]) instead of ([[wikipedia:|Wikipedia]]), so someone has to be doing this manually or the captcha is not secure enough. For the emails, they may be using one of those 10 minute e-mail account things. So we could block email addresses from that domain just in case. They might find a way around it anyway. --Balloonhead66 21:29, 19 April 2011 (UTC)
Currently we don't need additional protection for edits or new pages, as all the automated spam we had the last weeks included a new user signup. In order to not limit existing legit users I think nothing should change for edits. But yes, new user signup will get more difficult in one way or the other. Geohot: please look at the data of all these automated spams (very few were manual spam, so filter these) and see what they have in common, like IP range, email domains, time until email approval and new spam post, IP from which the captcha was entered, user name length and chars, spam page content, etc. If they spam automated, we should be able to block/delete automated. One interesting thing is that we had one spam bot entry after geohot removed the new user signup (maybe he initially just removed the signup link and renamed the signup page later). This mediawiki is also quite an old version, maybe it has a backdoor (bug) to create new users. Please check the logs to make sure the spammers really entered the captcha. What we could also try is to reenable the signup page, but not provide a direct link to it, but just describe in words what the link is (maybe even auto-changing, like the name "signupSHSH.htm", where the SHSH is the name of the article last changed in the wiki, which every user can look up easily). --http 20:20, 21 April 2011 (UTC)
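Added example, not part of the original discussion or the wiki's code: one way to run the comparison http asks for, finding the traits that most spam signups share and no legitimate signup has. The records are constructed (only the spam usernames come from this page); the field names, the 120-second threshold and the name pattern are assumptions.

```python
import re
from collections import Counter

NAME_SHAPE = re.compile(r"[A-Z][a-z]{5,7}")  # assumed pattern: one capital + 5-7 lowercase

FIELDS = ("user", "email", "ip", "verify_to_edit_s", "new_page_with_link", "spam")
# Constructed sample, not real log data. The spam usernames are ones named in
# the thread; every e-mail, IP (documentation ranges) and timing is invented.
ROWS = [
    ("Gilbberg",  "a@mailtemp.example",  "192.0.2.10",     40,    True,  True),
    ("Giacnen",   "b@mailtemp.example",  "198.51.100.7",   55,    True,  True),
    ("Frengra",   "c@mailtemp.example",  "203.0.113.20",   35,    True,  True),
    ("Sarmaiz",   "d@inbox.example",     "198.51.100.200", 60,    True,  True),
    ("alice_dev", "alice@inbox.example", "192.0.2.55",     86400, False, False),
    ("Bobsmith",  "bob@isp.example",     "203.0.113.9",    7200,  False, False),
]
SIGNUPS = [dict(zip(FIELDS, row)) for row in ROWS]

def traits(rec):
    """Reduce one signup to the categorical features listed in the comment."""
    return {
        ("email_domain", rec["email"].rsplit("@", 1)[1].lower()),
        ("ip_slash16", ".".join(rec["ip"].split(".")[:2])),
        ("name_shape", "cap+lower" if NAME_SHAPE.fullmatch(rec["user"]) else "other"),
        ("first_edit", "fast" if rec["verify_to_edit_s"] < 120 else "slow"),
        ("first_edit_kind", "new page + link" if rec["new_page_with_link"] else "other"),
    }

def spam_signature(records, min_share=0.8):
    """Traits shared by >= min_share of spam signups and by no legitimate one."""
    spam = [r for r in records if r["spam"]]
    legit_traits = set().union(*(traits(r) for r in records if not r["spam"]))
    counts = Counter(t for r in spam for t in traits(r))
    return {t for t, n in counts.items()
            if n / len(spam) >= min_share and t not in legit_traits}

def score(rec, signature):
    """Number of signature traits a new signup matches (0 = nothing in common)."""
    return len(traits(rec) & signature)

if __name__ == "__main__":
    print(sorted(spam_signature(SIGNUPS)))
```

On this sample the name shape drops out of the signature because a legitimate account shares it, and the e-mail domain drops out because only three of the four spam accounts use it, which leaves first-edit timing and first-edit kind as the traits worth alerting on.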
So... Any updates on what will be done regarding account creation, geohot? --Dialexio 00:55, 19 May 2011 (UTC)
Hmm... I don't know if I'm stealing someone's idea, but, what about an open invite system? Here's the idea: prospective users have to enter a valid email address into a page that sends an email with an invite code that lasts for a set amount of time, say, 7 minutes. The user then must click the "New Account" button or whatever, enter said verification code, and enter a valid email with ANOTHER verification code that only lasts for, say, 7 minutes. To even improve this, send out a reverification to ALL users every, say, 6 weeks. If an account doesn't reverify, automatically deleted. Active users will obviously reverify, and people with those 10 minute email accounts get screwed. --rdqronos 01:29, 19 May 2011 (UTC)
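Added example, not part of the original discussion: a sketch of the time-limited invite code rdqronos describes, with the code bound to the e-mail address and its expiry by an HMAC so the server only has to remember redeemed codes. The key handling, code format and function names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-wiki secret kept server-side
TTL_SECONDS = 7 * 60                  # the 7-minute lifetime proposed above
_used = set()                         # redeemed codes; a real deployment would persist this

def _mac(email, expires):
    """MAC over the normalised address and expiry, truncated to 80 bits."""
    msg = f"{email.strip().lower()}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:20]

def issue_invite(email, now):
    """Return the code to e-mail: '<expiry>.<mac>', valid for this address only."""
    expires = int(now) + TTL_SECONDS
    return f"{expires}.{_mac(email, expires)}"

def check_invite(email, code, now):
    """True only for an unexpired, untampered code issued to this address."""
    try:
        expires_s, mac = code.split(".", 1)
        expires = int(expires_s)
    except ValueError:          # no dot, or a non-numeric expiry
        return False
    if now > expires:
        return False
    # Compare as bytes and in constant time; user input may be non-ASCII.
    return hmac.compare_digest(mac.encode(), _mac(email, expires).encode())

def redeem_invite(email, code, now):
    """Single-use wrapper: a valid code is accepted once, then refused."""
    if code in _used or not check_invite(email, code, now):
        return False
    _used.add(code)
    return True
```

Changing the expiry in the code invalidates the MAC, so a holder cannot extend the seven-minute window; without the `_used` set the same code could be replayed until it expires.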

So how are we going to continue with this? Account creation is still disabled. I've been asked by someone to get a new user account, but cannot help for now. --http 17:17, 20 June 2011 (UTC)

Ah, yes. Sorry for neglecting to update you about a situation, http. About a week or two ago, someone asked me about account creation also. While logged into my account, I was able to access the account creation page and make an account for him, with the details he provided me. I suppose this will be how all accounts will be made in the future. --Dialexio 01:07, 21 June 2011 (UTC)

Invite System

How do we combat this recent spamming of this wiki? I suggest a possible invite system or similar? --Srts 02:24, 9 November 2009 (UTC)

I have already blocked account signup, they must have had this account for a while. --geohot 02:29, 9 November 2009 (UTC)
Well if they don't stop, we can't have account creation disabled forever, defeats the purpose of the wiki. People like him are sad. Great work to all the sysops et al. keeping disruption to a minimum :D --Srts 02:34, 9 November 2009 (UTC)
Yea thanks a lot guys for putting up with this. We'll give a bit of time, and if they continue, we'll figure something out. This kid keeps trying to reset my password for hosting and the wiki. Too bad he doesn't have a life. --geohot 03:10, 9 November 2009 (UTC)
An invite system might not be a bad idea actually Will Strafach 03:16, 9 November 2009 (UTC)
feel free to post their IP addresses, lol --posixninja 04:08, 9 November 2009 (UTC)
Well, if you need an extra admin to block them (and delete spam pages), I volunteer. --Dranfi
Congrats, you're an admin --geohot 13:22, 9 November 2009 (UTC)

IP ranges, approval system

How many different IPs are we dealing with? Is it within a specific range? For the time being, it may be possible to blacklist an entire subnet if they are all coming from the same place. But if a botnet is doing this, may be more difficult. Is it possible for MediaWiki to require admin approval of an edit prior to it being committed? Not well versed with MediaWiki administration, just tossing out some ideas. --tsuehpsyde 17:29, 9 November 2009 (UTC)

It is not within a specific range. On my wiki, people post almost the exact same stuff as IP's and I get from 64.*.*.* all the way to 96.*.*.* I think it is a botnet --Balloonhead66 23:13, 16 March 2011 (UTC)
We could figure out where they come from and do the same to them. Secondly, we could create a filter that unless you're part of a specific group you cannot do more than this many edits in this amount of time. We could try making a period where the admins have to approve the users. Lastly, we could make it so that in the first 12 hours of a user account that user could not edit pages so it would give time for the sysops to ban the users. Revolution 00:02, 10 November 2009 (UTC)
That might not be a good idea as we could get your butts sued. --Balloonhead66
Why don't we just do this Apple-style and have a group of moderators approve of every comment, page edit or revision? I would love to be a part of such group.
The extension for mediawiki FlaggedRevs is 1.14 and above. This wiki is running 1.12 :( --Balloonhead66 23:13, 16 March 2011 (UTC)

Does this wiki currently take advantage of IP banning capability or would that just be subverted anyways? --Iemit737 03:48, 6 April 2011 (UTC)

The wiki does indeed employ IP banning. The spambots are getting around it, though. --Dialexio 04:13, 6 April 2011 (UTC)
IP bans are largely useless anyways, as most Internet users have dynamic IPs and they could simply use a proxy anyways (it's relatively easy to create a VPN once you know where the option is in your OS). They'll also probably block innocent users. --Ryccardo 14:54, 6 April 2011 (UTC)

limitations, whitelistings

If the ones you refer to as 'they' are the pois0nhack group then 'they' don't really seem to pose much of a threat in my opinion. I agree that for the time being we could impose some kind of 12/24 hr posting limitation (maybe no more than +-300 char changes?), but no more than that since this is, after all, a public wiki. Sorry if I'm intruding on some kind of admin/mod meeting, just figured I should have my say. --adriaaan 00:27, 10 November 2009 (UTC)

I am in favor of a 12hr limit for new users, but since it's a public wiki, during this time, contributions would have to be approved by sysops. --Untagged
Personally I think it would be good to have it so that all edits by new users are thrown into a moderation pool, then once a good amount of worthwhile contributions, that user can be "whitelisted".
Maybe we could extend the Twitter-Service to display more information (i.e. "Main Page (-2,439) http://u.nu/5x2t3 " instead of "Main Page - http://u.nu/5x2t3"). That could allow fast detection (and reversal) of vandalism attempts because large edits by "unknown" would be easy to spot. May also add the username and/or the commit message, but then we'd have to check for anything Twitter might interpret or block. --CleanAir 13:58, 12 November 2009 (UTC)

Captcha

Can we add a Captcha to the logon process? I don't think all these recent spam pages are done manually. --http 06:29, 15 March 2011 (UTC)

Good idea http, add a Captcha to the logon process and the sign up process for some time --Whiteshinyapple 09:53, 16 March 2011 (UTC).
Uhm better idea http, add a Captcha when making new pages. Having to fill in a captcha at every login seems to be a pain in the ass :/ the only thing the spam is doing is making new pages, (at least as far as I see.) --IMaximusX
What I meant was for the registration process (new user), not for every login. Only geohot could implement that. --http 17:37, 16 March 2011 (UTC)
Recaptcha might work. It requires 1.8+, but only works on the sign in, edits with a new external link (anon only), and password cracking. --Balloonhead66 23:13, 16 March 2011 (UTC)
http I'm pretty sure they already have accounts, :p --IMaximusX

We have all these options but have any of them actually been implemented? Somebody's got to do something, the spam is getting out of control. --Grisolp 03:38, 9 April 2011 (UTC)

As http said, it's up to geohot to add a CAPTCHA for account creation. IP banning is in use, but it appears futile. --Dialexio 03:52, 9 April 2011 (UTC)

The spam bots are taking overhand. We will continue to clean it manually, but I suggest to add a Captcha to the new user signup process. That should be sufficient. But you might need to update mediawiki. See [1]. -- http 11:35, 1 April 2011 (UTC)

I can help to clean up the mess as well since I'm from a different timezone (UTC+8). -- nannoid 11:51, 1 April 2011 (UTC)
What does time zone have to do with it? --Balloonhead66 00:00, 6 April 2011 (UTC)
This is out of control. The captcha needs to be in place soon or eventually the recent changes will be flooded and me and the other monitors of it won't be able to keep track of it. --Balloonhead66 00:00, 6 April 2011 (UTC)

Recaptcha added, SONY sucks ass. --geohot 03:55, 14 April 2011 (UTC)

Sweet! Thanks for the reCAPTCHA addition; the (job) spam was getting tiresome. And... yeah, Sony really needs to lose its dictator mindset and treat consumers better. :\ --Dialexio 04:31, 14 April 2011 (UTC)
Thanks. And great you got back from this trial stuff without bigger damage. Signup reCAPTCHA seems to be a good way to handle the spam. The spam that came afterwards was probably from accounts created earlier. We still have 1106 existing accounts (including the already blocked ones) with the typical syntax of the spam bot accounts. Hopefully not many of those are sleeping for this purpose. I assume the automatic spam will get much lower after a few days. We'll see. -- http 22:58, 14 April 2011 (UTC)
Shit. User Gilbberg that was used from this spam bot was created new. It was not in the wiki user list I created an hour earlier. So the spam bot either knows how to read the reCAPTCHA or there sits someone entering these captchas for every spam that gets created in a semi-automated way. This means we need something better or something non-standard. Ideas? -- http 23:15, 14 April 2011 (UTC)
I cannot see when user accounts were created, as I don't have access to the database. But shortly after geohot added the reCAPTCHA to the new user signup process, I created a list of all users and saved this list. I can confirm that all spam accounts since then (Gilbberg, Giacnen, Frengra, Sarmaiz, Lyneelay, Hiruail, Zimemoor, Albuend, Audpep, Furmayt) were created after that. This means that they must use a semi-automated way to spam (or found a way around the reCAPTCHA). New ideas wanted. -- http 08:26, 16 April 2011 (UTC)
Why don't we add a captcha to the new page / editing submission? Once per session or whatever. Also captcha on signin. It's OTT but there aren't many alternatives =/ --blackthund3r 13:25, 16 April 2011 (UTC)