[Koha-devel] Wiki - SPAM accounts and pages need deleting

Thomas Dukleth kohadevel at agogme.com
Thu May 11 19:19:48 CEST 2023


Wiki account creation bypassing the ConfirmAccount extension was possible
when email from the container was working, due to a bug which makes
ConfirmAccount incompatible with the current version of MediaWiki.
Yesterday, I applied the workaround of adding the following to
LocalSettings.php, which allows ConfirmAccount to work with the current
version of MediaWiki.

$wgGroupPermissions['*']['createaccount'] = false;

Broken email service for the wiki because of complications authenticating
to the SMTP server from the Docker container in addition to previous
testing configuration remaining in LocalSettings.php meant that there
were very few spam accounts created which were actually functional.  If
the accounts had been functional, we would have found the problem shortly
after the upgraded wiki went live.

Given the similarity of spam messages and timing there may have only been
one or two spammers or spambots even with hundreds of suspicious
non-working accounts created.

There were about 20 spam accounts, most of which had just created some spam
content in the wiki user page for the account, and some of which created a
spam wiki page.  There were 5 such accounts before May which did not
attract much notice, and about 15 from 3 and 4 May which made the problem
obvious.  All spam
content has been deleted and the accounts blocked.  Spam accounts were
included in recent created users with contributions,
https://wiki.koha-community.org/wiki/Special:ListUsers?username=&group=&editsOnly=1&creationSort=1&desc=1&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50
.

Thanks to Katrin Fischer and especially David Nind for blocking a few
hundred accounts, almost all of which had likely never functioned but had
been created automatically until the workaround for the ConfirmAccount bug
was applied, and which could have been activated.  I paused after the first
hundred
or so such accounts.  Suspected spam accounts were included in all
recently created users,
https://wiki.koha-community.org/wiki/Special:ListUsers?username=&group=&creationSort=1&desc=1&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50
.  We used a manual process one account at a time to block suspicious
accounts.  Legitimate accounts with contributions could be recognised but
it is possible that we inadvertently blocked a legitimate user account
which had not yet been used to create content.  David Nind proposed to
write a message to the mailing list informing anyone who might have been
inadvertently affected to raise attention to their account being
improperly blocked.

The Wikimedia Foundation uses the UserCheck extension to help manage spam
account blocking but it is not working properly inside the Koha Docker
container where all users appear to have logged in from the same local IP
address instead of an external IP address.  Other extensions which had
helped in combating WikiMedia spam no longer function or do not scale
better than the manual process which we used.  Direct database
manipulation to block accounts could be possible but would need extra
careful checking and the problem was small enough to manage manually via
the web user interface.  Using Docker is nice but there are some Docker
specific bugs.

Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY  10003
USA
http://www.agogme.com
+1 212-674-3783
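The two configuration points raised in the message above, the ConfirmAccount workaround and the "all users appear to come from the same local IP" problem that stops the CheckUser extension from being useful inside the container, can be illustrated with one LocalSettings.php fragment. This is an added example for this archive page, not the Koha wiki's actual configuration or anything from the Koha project. The Docker bridge range 172.17.0.0/16 is an assumption standing in for whatever address the container sees as REMOTE_ADDR; the settings `$wgCdnServersNoPurge` and `$wgUsePrivateIPs` are standard MediaWiki settings that make it read the client address from X-Forwarded-For when the request comes from a listed proxy.

```php
<?php
// LocalSettings.php fragment (added example, not the Koha wiki's own
// configuration).

// 1. Close the anonymous account-creation path, so the ConfirmAccount
//    request queue is the only way to obtain an account. This is the
//    workaround quoted in the message above.
$wgGroupPermissions['*']['createaccount'] = false;

// 2. Tell MediaWiki which address is the reverse proxy in front of the
//    container. For requests arriving from a listed address, MediaWiki
//    resolves the client IP from the X-Forwarded-For header instead of
//    REMOTE_ADDR, so CheckUser records and IP blocks see the real client
//    rather than the proxy. The range below is an ASSUMPTION standing in
//    for the Docker bridge network; replace it with the actual address of
//    the proxy that forwards traffic into the container.
//
//    List only addresses that really are your proxy: any address trusted
//    here can set an arbitrary X-Forwarded-For and thereby spoof its IP
//    in CheckUser and evade IP blocks.
$wgCdnServersNoPurge = [ '172.17.0.0/16' ];

// Leave this false unless legitimate clients themselves arrive from
// private (RFC 1918) addresses, e.g. an intranet wiki. When false, a
// private-address hop in X-Forwarded-For that is not a listed proxy is
// not accepted as the client address.
$wgUsePrivateIPs = false;
```

The proxy itself (nginx, Apache, Traefik or similar on the Docker host) must actually send X-Forwarded-For for this to have any effect; if it does not, MediaWiki keeps recording the proxy's address and the symptom described above remains.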
