[moin-devel] spam fighting ...
Steve McIntyre
steve at einval.com
Thu Oct 18 13:16:26 EDT 2018
On Mon, Aug 20, 2018 at 03:30:50PM +0200, Thomas Waldmann wrote:
>... the never ending story.
>
>Here are some of my recent attempts in moin-1.9 github repo (soon in
>1.9.10 release):
>
>* disabled the "newaccount" action by default.
>
>This is to prevent spam bots from creating lots of user accounts in
>little time on internet-exposed wikis.
>
>To avoid forcing the wiki admin to create accounts on the shell (or
>having to toggle the availability of the newaccount action temporarily),
>I slightly modified the superuser's "Switch user" capability (see
>"Settings" of superuser):
>
>It is now able to switch to a non-existing user (and just create a new
>user profile on the fly). So, as a superuser one only needs to give the
>new username, switch to it, fill in the user's email address and then
>the account can be claimed by the user on the login page via the "forgot
>password" functionality (then setting a password, modifying profile
>settings as needed).
>
>While this method imposes some work on someone in the superuser list, it
>is totally safe against spammers: there is no way humans or spam bots
>can create accounts without the help of a superuser.
Cool. :-)
>* safer internal default ACL: Known and All now only have read permissions.
>
>This is to avoid accidentally giving r/w permissions to the world
>when running a wiki on the internet. I recently shot myself in the
>foot by forgetting to configure a safer default ACL (I only used
>acl_rights_before, but did not lock out All/Known for writing).
>
>Sample configs: suggest using an EditorGroup.
>
>Again, this is a bit more work for wiki admins / group members, but it
>is totally safe against spammers:
>
>- no default write permissions for All (anon users)
>- no default write permissions for Known (anyone who managed to create
>an account, see also newaccount action)
>- you can not create/modify pages without logging in AND being
>explicitly allowed by an ACL (by name or by group membership)
>
>Using e.g. an EditorGroup, the work needed to give some legitimate user
>write permissions can be distributed onto all members of some group
>(e.g. EditorGroup or AdminGroup).
>
>
>Note: not much in the original spirit of wiki (allow changes and revert
>them if they are bad), but guess there are too many idiots out there for
>this.
Well, too many idiots and too many bots. Not enough spammers have been
set on fire. :-/
>For wikis without internet exposure, the more strict new default
>settings can be undone via the wiki config, if desired.
Nod.
I'd still love you to take our patch to add email verification - I'd
hope it would be useful for lots of people.
--
Steve McIntyre, Cambridge, UK. steve at einval.com
"Arguing that you don't care about the right to privacy because you have
nothing to hide is no different than saying you don't care about free
speech because you have nothing to say."
-- Edward Snowden
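The ACL change discussed in the quoted message (Known and All read-only by default, write rights granted only by name or group via acl_rights_before) can be checked against a small model of how MoinMoin composes and evaluates ACLs. The following is an added example written for this thread, not MoinMoin's own code: it implements the first-matching-entry-wins rule for the Known/All/group/user entities in a simplified form (Trusted is modelled as never matching, and the +/- entry modifiers are left out), and the group names, user names and the two ACL strings are constructed for illustration. The "old" ACL string is written in the style of the wide-open default the message warns about and is an assumption, not a quote from the release.

```python
"""Simplified model of MoinMoin-style ACL evaluation (constructed example,
not MoinMoin's own code). It compares an old-style default that lets every
created account (Known) and even anonymous users (All) write with the
read-only default for Known/All plus an EditorGroup in acl_rights_before."""


def parse_acl(acl_string):
    """Parse 'Entity:right,right Entity2:right ...' into an ordered list of
    (entity, set_of_rights). Order matters: the first matching entity wins."""
    entries = []
    for token in acl_string.split():
        entity, _, rights = token.partition(":")
        entries.append((entity, {r for r in rights.split(",") if r}))
    return entries


def matches(entity, user, groups):
    """Does an ACL entity apply to this user?
    user is None for anonymous; groups maps group name -> set of members."""
    if entity == "All":                      # everyone, logged in or not
        return True
    if entity == "Known":                    # anyone who is logged in
        return user is not None
    if entity == "Trusted":                  # no trusted-auth users modelled
        return False
    if entity in groups:                     # group entry: check membership
        return user is not None and user in groups[entity]
    return user == entity                    # plain user name


def allowed(acl_string, user, right, groups):
    """First matching entry decides; no matching entry means deny."""
    for entity, rights in parse_acl(acl_string):
        if matches(entity, user, groups):
            return right in rights
    return False


def effective_acl(acl_before, page_acl, acl_default, acl_after):
    """MoinMoin evaluates acl_rights_before, then the page's own ACL (or
    acl_rights_default when the page has none), then acl_rights_after."""
    middle = page_acl if page_acl else acl_default
    return " ".join(part for part in (acl_before, middle, acl_after) if part)


# Constructed sample wiki: two admin-maintained groups.
GROUPS = {"EditorGroup": {"alice", "bob"}, "AdminGroup": {"alice"}}

# Old-style wide-open default (assumed for illustration): Known and All may write.
OLD_DEFAULT = ("Trusted:read,write,delete,revert "
               "Known:read,write,delete,revert All:read,write")
# Hardened default in the spirit of the thread: Known and All only read.
NEW_DEFAULT = "Trusted:read,write,delete,revert Known:read All:read"
# Explicit grants placed ahead of the default, as the message suggests.
ACL_BEFORE = ("AdminGroup:read,write,delete,revert,admin "
              "EditorGroup:read,write,delete,revert")

# Constructed principals: anonymous, two editors, and a self-registered account.
USERS = [None, "alice", "bob", "spambot123"]


def who_can(right, acl_before, acl_default, users=USERS, page_acl=""):
    """Return the sorted list of principals holding `right` under the composed ACL."""
    acl = effective_acl(acl_before, page_acl, acl_default, "")
    return sorted("<anonymous>" if u is None else u
                  for u in users if allowed(acl, u, right, GROUPS))


if __name__ == "__main__":
    print("old default, writers:", who_can("write", ACL_BEFORE, OLD_DEFAULT))
    print("new default, writers:", who_can("write", ACL_BEFORE, NEW_DEFAULT))
    print("new default, no acl_before, writers:", who_can("write", "", NEW_DEFAULT))
    print("new default, readers:", who_can("read", ACL_BEFORE, NEW_DEFAULT))
```

Run as-is it shows the difference the message describes: under the old-style default a freshly registered account (and even anonymous users) can write, while under the read-only default only members of the groups named in acl_rights_before can, and with no explicit grant at all nobody can write. A page-level ACL still replaces the default for that page, so a page carrying its own "#acl" line needs the same review.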