[MLB-WIRELESS] wiki and spam
Tom Fifield
tfifield at melbournewireless.org.au
Tue Mar 16 23:48:11 EST 2010
Hi,
Random pastings from my postings on the coders list ...
Based on what we've seen so far, my guess is that spammers:
* are not members
* don't give us any optional information (address, phone)
* don't use anything advanced (adv & subscribed)
* don't have any nodes
SELECT * FROM `users`
WHERE memberNo = 0 AND address = '' AND phone = ''
  AND adv IS NULL AND subscribed IS NULL
  AND users.username NOT IN (SELECT owner FROM nodes)
ORDER BY `users`.`last_seen` DESC
So if we want a permanent solution to the spam problem, we need to
somehow restrict wiki access to accounts fitting the criteria.
Right now only 835 of the 4000 accounts fit these criteria - we can
reduce this further by looking at email domain names.
One idea would be to introduce a captcha for these accounts. However, in
the past I've actually got into email discussions with the spammers ...
and they seem to be real people (in 3rd-world countries) rather than
scripts. One even (in Chinese) said he understood and would stop!
So I'm not convinced a captcha would give results, but it can't hurt too
much to try.
However, this doesn't stop people creating accounts in the first place.
....
Interestingly, only 100 of our 600+ hotmail users (the most popular
domain) have a node and 77 of those haven't been seen for over a year:
SELECT users.username, users.name, users.last_seen
FROM users INNER JOIN nodes ON nodes.owner = users.username
WHERE SUBSTRING_INDEX(email, '@', -1) = "hotmail.com"
  AND users.last_seen < '2009-1-29'
So given current spam levels, I'd probably add hotmail.com to the
email-blacklist.conf too.
Still thinking.
Regards,
Tom
Steven Haigh wrote:
> On 16/03/2010, at 11:34 PM, <mw at freenet.net.au> <mw at freenet.net.au> wrote:
>
>> Since the issue has been raised and complained about several times, I guess
>> it is high time that someone put up a hand to chip in and fix it.
>>
>> Before that can be done, there are a couple of obvious questions that need
>> to be asked:
>>
>> 1. what is it based on - I assume it is some open source solution that's
>> been somehow integrated to the MW site, so what is the original source?
>
> I believe Tyson wrote it from scratch. It's a flat file based wiki that was custom written.
>
>> 2. where is the admin for it (if any)? Again, the assumption is that there
>> is some kind of admin interface where access security can be set for
>> individual users, grant and revoke read/write rights etc.
>
> I guess Tyson would be the admin? or writer? Everyone in the melbwireless group on the server has access to change it - however I don't think anyone is really up to scratch on how it all works.
>
>> There are two possible solutions to this problem the way I see it:
>>
>> a. shut down write access to the wiki to only users who have been vetted -
>> e.g. financial members or similar
>
> This would need more discussion - as you wouldn't want to exclude just about everyone - as that takes away the usefulness of a wiki - however I think the issue is more a fact that people can automate signups to the web site and then spam away.
>
>> b. add captcha test on account sign-up
>
> Might help - but as far as I know, most have been broken at some stage... It will still be better than it is now however...
>
>> the latter probably has limited value if a real human is even involved in
>> creation of user access accounts - dunno if that is the case here though...?
>
> I think this was fully automated to eliminate the overhead of someone actually having to do it.
>
>> Anyhow, if someone can give up some access details and background info, then
>> if nobody else fesses up to having any skills in this sort of thing, then
>> let me at it. I have about as much spare time as the next guy (as in
>> 'bugger all' ;-) so let me at it!
>>
>> Cheers, Mike.
>>
>>
>