[moin-user] Moin in Debian Stable and anti-spam features

Paul Boddie paul at boddie.org.uk
Wed Apr 25 06:29:31 EDT 2018


On Wednesday 25. April 2018 06.13.24 Lukasz Szybalski wrote:
> Hello,
> I have been running a moin moin setup for a couple of years now
> (http://lucasmanual.com/mywiki/). About 5 years ago I had to block the new
> user signup due to an uncontrolled amount of spam, and spam users.
> 
> I was hoping to re-enable the registration process but I wanted to know
> more about current moin capabilities for stopping spammers?
> captcha? are you a robot?

I haven't seen any recent developments around this. The Debian people can 
presumably say more, but they were using some kind of mail-based verification, 
which Moin does also support to some degree. This isn't sufficient to prevent 
spammer sign-ups, however.

> I know there is a page below but it doesn't really say or provide any
> meaningful copy/paste instructions on how to secure your site on day 1.
> https://moinmo.in/AntiSpamFeatures

I think the basic features are inadequate these days. The spam pattern 
blacklisting is almost useless for public sites; textcha doesn't really cope 
with spamming particularly well any more.

It is even necessary to prevent people *trying* to register new accounts, as 
this can easily cause user account data to accumulate in large volumes, even 
when those users won't have editing rights. Out of the box, for public sites, 
the newaccount action shouldn't be enabled.

> I wanted to hear some feedback from people who run public facing moin moin
> example: "debian wiki"  (https://wiki.debian.org/RecentChanges) that does
> not seem to be having any spam at all?

It wouldn't surprise me if many sites had a tightly-controlled group of 
editing users and an external workflow for user registration. That ends up 
being acceptable because it actually promotes higher quality content, but it 
creates a burden around administering the site.

And sometimes these external workflows fail to filter out spammers, as I saw 
on one occasion with the Python Wiki where, amongst the requests to edit the 
wiki, a spammer managed to persuade the administrators that their request was 
genuine.

I did work on some Moin extensions to mitigate spamming. One put edits in a 
request queue, but even if that prevents spammers getting the satisfaction of 
seeing their spams published, the feedback loop is not strong enough to 
prevent them from trying anyway, burdening the administrators of the wiki.

Another extension I did but actually forgot about was one that does timing 
measurements on edits to prevent automated spamming, which is something that 
things like WordPress use to prevent comment spamming. Although this might be 
useful, I think you'd still need a collection of other measures for it to be 
effective.

My conclusion these days is that trust-based mechanisms are probably the way 
forward. Like the external workflows that try and establish whether a new user 
is someone people "know" in some way, there could be an approach where 
existing users could approve others, and much of this could be automated. 
Maybe some way of retracting editing privileges and reverting compromised 
content would also be a part of such a solution.

Even though this message doesn't give any easy remedies, I hope it is still 
useful.

Paul
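
The edit-timing idea mentioned in the message above, sketched as an added example; this is not Paul Boddie's extension and not Moin code. It assumes a signed timestamp is placed in a hidden form field when the edit form is rendered and checked on submission; the names `issue_token` and `check_token`, the secret and the thresholds are all hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site random key, server-side only
MIN_SECONDS = 5          # assumption: anything faster is treated as automated
MAX_SECONDS = 6 * 3600   # assumption: older tokens are stale and rejected


def _sign(page, issued):
    # Bind the MAC to the page name so a token cannot be reused on another page.
    msg = ("%s|%d" % (page, issued)).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(page, now=None):
    """Return the hidden-field value embedded when the edit form is rendered."""
    issued = int(time.time() if now is None else now)
    return "%d:%s" % (issued, _sign(page, issued))


def check_token(page, token, now=None):
    """Return (accepted, reason) for an edit submission carrying `token`."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(":", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False, "malformed"
    expected = _sign(page, issued).encode("ascii")
    # Constant-time comparison of the client-supplied MAC with the expected one.
    if not hmac.compare_digest(mac.encode("utf-8"), expected):
        return False, "bad-signature"
    elapsed = now - issued
    if elapsed < MIN_SECONDS:
        return False, "too-fast"
    if elapsed > MAX_SECONDS:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1524652171  # constructed timestamp for the demonstration
    tok = issue_token("FrontPage", now=t0)
    for delay in (1, 90, 7 * 3600):
        print(delay, check_token("FrontPage", tok, now=t0 + delay))
```

A token stays valid for the whole window, so a client that waits before posting still passes; the check only raises the cost of bulk automated submission and needs other measures alongside it.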

