[Koha-bugs] [Bug 23073] wiki.koha-community.org needs updating to a later version

bugzilla-daemon at bugs.koha-community.org
Thu May 11 19:10:50 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23073

--- Comment #38 from Thomas Dukleth <td-koha-bugs at agogme.com> ---
Wiki account creation bypassing the ConfirmAccount extension was possible when
email from the container was working due to a bug for which ConfirmAccount is
incompatible with the current version of MediaWiki.  Yesterday, I applied the
workaround of adding the following to LocalSettings.php:

$wgGroupPermissions['*']['createaccount'] = false;

Broken email service for the wiki because of complications authenticating to
the SMTP server from the Docker container in addition to previous testing
configuration remaining in LocalSettings.php meant that there were very few
spam accounts created which were actually functional.  If the accounts had been
functional, we would have found the problem shortly after the upgraded wiki
went live.

Given the similarity of spam messages and timing, there may have only been one
or two spammers or spambots even with hundreds of suspicious non-working
accounts created.

There were about 20 spam accounts which had mostly just created some spam
content in the wiki user page for the account and some which created a spam
wiki page.  5 accounts before May which did not attract much notice and about
15 from 3 and 4 May which made the problem obvious.  All spam content has been
deleted and the accounts blocked.  Spam accounts were included in recently
created users with contributions,
https://wiki.koha-community.org/wiki/Special:ListUsers?username=&group=&editsOnly=1&creationSort=1&desc=1&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50
.

Thanks to Katrin Fischer and especially David Nind for blocking a few hundred
accounts which had almost all likely never functioned but had been created
automatically until the bug in ConfirmAccount had the workaround applied and
could have been activated.  I paused after the first hundred or so such
accounts.  Suspected spam accounts were included in all recently created users,
https://wiki.koha-community.org/wiki/Special:ListUsers?username=&group=&creationSort=1&desc=1&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50
.  We used a manual process, one account at a time, to block suspicious accounts.
Legitimate accounts with contributions could be recognised, but it is possible
that we inadvertently blocked a legitimate user account which had not yet been
used to create content.  David Nind proposed to write a message to the mailing
list informing anyone who might have been inadvertently affected to raise
attention to their account being improperly blocked.

The Wikimedia Foundation uses the UserCheck extension to help manage spam
account blocking but it is not working properly inside the Koha Docker
container where all users appear to have logged in from the same local IP
address instead of an external IP address.  Other extensions which had helped
in combating WikiMedia spam no longer function or do not scale better than the
manual process which we used.  Direct database manipulation to block accounts
could be possible but would need extra careful checking and the problem was
small enough to manage manually via the web user interface.  Using Docker is
nice but there are some Docker-specific bugs.

More information about the Koha-bugs mailing list
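
The manual review described in the comment above (recently created accounts, split by whether they have contributions) can be pre-sorted from the output of the MediaWiki API query `action=query&list=allusers&auprop=editcount|registration|blockinfo` before anyone blocks an account by hand. This is an added example, not part of the original comment or of the Koha wiki's tooling; the sample response, the usernames and the cutoff date are constructed, and treating zero-edit accounts as review candidates is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a MediaWiki list=allusers response
# (auprop=editcount|registration|blockinfo). All names are made up.
SAMPLE_RESPONSE = json.dumps({
    "query": {"allusers": [
        {"userid": 101, "name": "ExampleLibrarian", "editcount": 14,
         "registration": "2023-04-02T09:15:00Z"},
        {"userid": 102, "name": "ExampleNewUser", "editcount": 0,
         "registration": "2023-05-03T22:41:10Z"},
        {"userid": 103, "name": "ExampleSpamPage", "editcount": 1,
         "registration": "2023-05-04T01:02:03Z"},
        {"userid": 104, "name": "ExampleAlreadyBlocked", "editcount": 0,
         "registration": "2023-05-04T01:05:00Z",
         "blockid": 7, "blockedby": "Admin", "blockreason": "spam"},
        {"userid": 105, "name": "ExampleOldImport", "editcount": 0,
         "registration": None},
    ]}
})


def parse_ts(value):
    """Parse an API timestamp; return None when registration is missing."""
    if not value:
        return None
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def triage(response_text, created_since):
    """Sort accounts into review buckets; nothing here blocks anyone."""
    buckets = {"has_edits": [], "no_edits": [], "skipped": []}
    for user in json.loads(response_text)["query"]["allusers"]:
        registered = parse_ts(user.get("registration"))
        # Already blocked, created before the window, or no known date.
        if "blockid" in user or registered is None or registered < created_since:
            buckets["skipped"].append(user["name"])
        elif user.get("editcount", 0) > 0:
            # A human reads the contributions to tell spam from real edits.
            buckets["has_edits"].append(user["name"])
        else:
            # May be a legitimate account that has not been used yet.
            buckets["no_edits"].append(user["name"])
    return buckets


if __name__ == "__main__":
    cutoff = datetime(2023, 5, 1, tzinfo=timezone.utc)  # constructed cutoff
    for bucket, names in triage(SAMPLE_RESPONSE, cutoff).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The `no_edits` bucket is a list for human review, since an unused account can still belong to a legitimate user.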