[moin-user] Moin in Debian Stable and anti-spam features
Paul Boddie
paul at boddie.org.uk
Wed Apr 25 06:29:31 EDT 2018
On Wednesday 25. April 2018 06.13.24 Lukasz Szybalski wrote:

> Hello,
> I have been running a moin moin setup for a couple of years now
> (http://lucasmanual.com/mywiki/). About 5 years ago I had to block the new
> user signup due to uncontrolled amount of spam, and spam users.
>
> I was hoping to re-enable the registration process but I wanted to know
> more about current moin capabilities for stopping spammers?
> Captcha? Are you a robot?

I haven't seen any recent developments around this. The Debian people can
presumably say more, but they were using some kind of mail-based verification,
which Moin does also support to some degree. This isn't sufficient to prevent
spammer sign-ups, however.

> I know there is a page below but it doesn't really say or provide any
> meaningful copy/paste instructions on how to secure your site on day 1.
> https://moinmo.in/AntiSpamFeatures

I think the basic features are inadequate these days. The spam pattern
blacklisting is almost useless for public sites; textcha doesn't really cope
with spamming particularly well any more.

It is even necessary to prevent people *trying* to register new accounts, as
this can easily cause user account data to accumulate in large volumes, even
when those users won't have editing rights. Out of the box, for public sites,
the newaccount action shouldn't be enabled.

> I wanted to hear some feedback from people who run public facing moin moin
> example: "debian wiki" (https://wiki.debian.org/RecentChanges) that does
> not seem to be having any spam at all?

It wouldn't surprise me if many sites had a tightly-controlled group of
editing users and an external workflow for user registration. That ends up
being acceptable because it actually promotes higher quality content, but it
creates a burden around administering the site.

And sometimes these external workflows fail to filter out spammers, as I saw
on one occasion with the Python Wiki where, amongst the requests to edit the
wiki, a spammer managed to persuade the administrators that their request was
genuine.

I did work on some Moin extensions to mitigate spamming. One put edits in a
request queue, but even if that prevents spammers getting the satisfaction of
seeing their spams published, the feedback loop is not strong enough to
prevent them from trying anyway, burdening the administrators of the wiki.
Another extension I did but actually forgot about was one that does timing
measurements on edits to prevent automated spamming, which is something that
things like WordPress use to prevent comment spamming. Although this might be
useful, I think you'd still need a collection of other measures for it to be
effective.

My conclusion these days is that trust-based mechanisms are probably the way
forward. Like the external workflows that try and establish whether a new user
is someone people "know" in some way, there could be an approach where
existing users could approve others, and much of this could be automated.
Maybe some way of retracting editing privileges and reverting compromised
content would also be a part of such a solution.

Even though this message doesn't give any easy remedies, I hope it is still
useful.

Paul