[Moin-user] Spam on Moin wikis and anti-spam best practices

Paul Boddie paul at boddie.org.uk
Tue Sep 3 12:03:57 EDT 2013


On Tuesday 3. September 2013 14.41.16 Steve McIntyre wrote:
> On Tue, Sep 03, 2013 at 11:04:28AM +0200, Thomas Waldmann wrote:
> >> perhaps we need safer defaults
> >
> >I don't think we should change defaults within a stable release series.
> >
> >But we can change how example configs look and document stuff better.

Actually, this is what I was really suggesting. Although I think that Moin 
should be more secure "out of the box", it is impossible to deliver something 
acceptable for every audience.

One of my aims with moinsetup (http://moinmo.in/ScriptMarket/moinsetup) is to 
be able to help people configure Moin for different kinds of audience. People 
should be in the habit of reviewing their configuration before exposing their 
site in whichever environment they have chosen.

> >> Really control registration: for extra control over registration,
> >> perhaps use the
> >> http://www.moinmo.in/MoinMoinPatch/VerifyAccountCreationByEmail patch
> >> to require e-mail verification of account registration.
> >
> >I wouldn't recommend this patch until someone cleans it up (see my
> >comments there), does more testing and reviews the code again.
> 
> Ah, bugger. Sorry, I hadn't seen the comments there. I'm subscribed to
> the page, but it looks like maybe my spam filter ate it or
> something.
> 
> I'm in the middle of cleaning up and re-targeting my patches against
> 1.9.7 right now anyway. I'll update the page shortly.

As another layer of defence, I think that this extension would be a valuable 
addition to Moin.

> >> Does anyone have any opinions about the above?
> >
> >Good writeup, should be supplemented with a modified default wiki/farm
> >config.

I may add this and put the writeup on the Moin Wiki.

> >One can add to regularly review logs, esp. after spam gets in. So one
> >can sometimes identify static IP addrs only used for spamming (put them
> >in moin's hosts_deny or handle via web server) and also textchas that
> >have been broken and should be replaced.
> 
> I've also added support for calling out to an external program at
> account creation time to see if a new account should be created, based
> on email/IP/account name. I've got quite a few extra scripts written
> locally to help with monitoring account signups and managing the
> blacklists too.
> 
> More helpful things here would include:
> 
>  * better support for network addressing for blacklisting (something
>    that understands CIDR rather than just .startswith)
> 
>  * support for moderation - new account holder should need to have
>    their first few edits approved by existing users

There are tricks that other systems like WordPress (and its plugins) use to 
detect and filter out spam. I have indicated an interest in looking into this, 
but all this stuff takes time, and I don't currently feel that I am in a 
position to be spending my time on developing such things.

Still, increased adoption of the tools we do have available would probably 
help many people, in my opinion.

Paul
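
An added example, not code from Moin or from anyone in this thread, of the CIDR-aware deny-list check Steve asks for above, set beside the string-prefix match it would replace. It assumes the hosts_deny convention that an entry ending in a dot denies the whole subnet, uses Python 3's ipaddress module (the ipaddress backport on PyPI gives the same API on Python 2, where Moin 1.9 runs, but wants unicode strings), and the function names and sample addresses are mine.

```python
import ipaddress

def parse_deny_entry(entry):
    """Turn one deny-list entry into an ip_network.
    Accepts a CIDR block ("198.51.100.0/22"), a single address
    ("192.0.2.17") or the legacy dotted prefix with a trailing dot
    ("203.0.113." = the whole /24), assumed here to be the hosts_deny form.
    """
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    if entry.endswith("."):
        octets = entry.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
            raise ValueError("bad legacy prefix: %r" % entry)
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))
    return ipaddress.ip_network(entry)  # single host -> /32 or /128

def compile_deny_list(entries):
    """Parse the whole list once, at config load time, not per request."""
    return [parse_deny_entry(e) for e in entries]

def is_denied(remote_addr, networks):
    """True if the client address falls inside any denied network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return True  # fail closed: an unparsable client address is not trusted
    return any(addr in net for net in networks)

def prefix_denied(remote_addr, entries):
    """The string-prefix check the thread wants to move away from: it can only
    express /8, /16 and /24 boundaries, so a "198.51.100.0/22" entry is never
    matched and would need four separate /24 prefixes instead."""
    for entry in entries:
        if entry.endswith(".") and remote_addr.startswith(entry):
            return True
        if remote_addr == entry:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample deny-list: a host, a legacy /24 prefix and a /22 block.
    entries = ["192.0.2.17", "203.0.113.", "198.51.100.0/22"]
    networks = compile_deny_list(entries)
    for client in ["203.0.113.200", "198.51.103.9", "198.51.104.1"]:
        print(client, is_denied(client, networks), prefix_denied(client, entries))
```

Reviewing the access log against the compiled list, as Thomas suggests, is then a matter of feeding each logged client address to is_denied and looking at what still got through.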
