A. Wheatman

Reputation: 6378

Prevent MediaWiki from being spammed

My MediaWiki site is currently under attack by spammers. I get around 10 spam pages registered daily.

What I've already done:

  1. Only users with confirmed emails can create/edit pages.
  2. ReCAPTCHA widget. Captcha displayed on the actions:
    1. 'edit' - triggered on every attempted page save
    2. 'create' - triggered on page creation
    3. 'addurl' - triggered on a page save that would add one or more URLs to the page
    4. 'createaccount' - triggered on creation of a new account
  3. Proxy blocker
  4. SpamBlacklist

What else can I do to stop the spam?

Upvotes: 10

Views: 6283

Answers (4)

mcint

Reputation: 934

I had a similar issue with someone continuously making accounts, dozens to hundreds per day for years. I've had a handful of spam edits to revert, but I assume I don't see some others.

MediaWiki has a built-in script to remove added users who haven't made edits.

https://www.mediawiki.org/wiki/Manual:RemoveUnusedAccounts.php

$ php maintenance/removeUnusedAccounts.php [ --delete| --ignore-groups| --ignore-touched ]

Unfortunately a RECAPTCHA extension did not prevent these accounts from being created, nor making edits, but it may have helped to limit the rate.

Upvotes: 1

finnw

Reputation: 48629

It's counter-intuitive, but I have found this combination very effective:

  1. Disable new signups or if you think that is too extreme, install SecurePages
  2. Install SimpleAntiSpam
  3. Install SpamBlacklist and TitleBlacklist
  4. Allow anonymous edits
  5. Always block the IP addresses that spam is posted from
  6. Install User Merge and Delete and use that to clear out the existing spammer accounts.

#1 is the most important step. It's easy for spammers to create throwaway accounts.
A CAPTCHA makes only a small difference, not worth the extra bandwidth cost for the images. The hundreds of throwaway accounts are almost as big a problem as the spam postings.

#2 reduces the volume of spam by at least 1/3.
The only robots that get past SimpleAntiSpam are those specially designed for MediaWiki, not the ones that fill in all textareas in every web page everywhere.
Similarly if your site has SSL, SecurePages (or its predecessor HttpsLogin) thwarts some bots that don't have SSL support.

#3 will stop you getting the same spam posting (or variants of it) repeatedly. If you update the blacklist regularly that should reduce the volume of spam by another 10-20%.
And remember the spammers will run out of paying customers (you eliminate one for every domain you block links to) long before they run out of public proxies/zombies to post from.

#4 does not increase the volume of spam as much as you might expect. There's a popular MediaWiki-spamming bot that never attempts to post anonymously - it gives up when it cannot find the "create account" link.
And if you don't do this, you don't have a wiki anymore (you just have a static website using MediaWiki as a CMS.)
There is a small bonus - it makes it easier to find (and block) the spammers' IP addresses. Of course you can get the IP addresses using CheckUser or by reading the database directly, but it's much easier when the IP address is in plain sight.

#5 is the least effective measure, but it's still worth doing. Spammers do re-use IP addresses. They may be cheap but they are not infinite, and sometimes you will catch one of those runaway robots that posts a spam page every 5 minutes.

#6 doesn't prevent spam, but it allows you to clean up your user list page once you have other anti-spam measures in place.

Upvotes: 10
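
A `LocalSettings.php` fragment for steps 1, 3 and 4 of the answer above, added here as an example and not taken from the answer. It assumes MediaWiki 1.25 or later (for `wfLoadExtension`) with the SpamBlacklist and TitleBlacklist extensions unpacked under `extensions/`.

```php
<?php
// Added example: fragment to append to LocalSettings.php.
// Assumes MediaWiki 1.25+ and both extensions present in extensions/.

// Step 1: disable new signups. Removing 'createaccount' from the '*'
// group hides the "create account" link from visitors.
$wgGroupPermissions['*']['createaccount'] = false;
// Administrators can still create accounts for people who ask for one.
$wgGroupPermissions['sysop']['createaccount'] = true;

// Step 4: allow anonymous edits, so the site stays a wiki without signups.
$wgGroupPermissions['*']['edit'] = true;
$wgGroupPermissions['*']['createpage'] = true;
// Anonymous editors have no confirmed e-mail address, so the
// confirmed-e-mail requirement from the question has to be off.
$wgEmailConfirmToEdit = false;

// Step 3: SpamBlacklist rejects saves that add blacklisted URLs;
// TitleBlacklist rejects page titles and usernames matching its patterns.
wfLoadExtension( 'SpamBlacklist' );
wfLoadExtension( 'TitleBlacklist' );
// Local entries are maintained on the wiki pages
// MediaWiki:Spam-blacklist (one regex fragment per line, matched
// against URL hosts) and MediaWiki:Titleblacklist.
```

The regular blacklist updates described under #3 are then ordinary edits to those two `MediaWiki:` pages, which only administrators can change by default.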

Kerry

Reputation: 11

I used to have a HUGE problem with spam attacks on my wiki. I used to have to go through the wiki every day and manually delete spam posts and then block the addresses but this was a never-ending battle. Restricting editing to registered users didn't help as the spammers just got themselves registered. So I finally had to shut the site down.

I started a new wiki where I have managed to block all spam.

My wiki is for a particular professional group so what I did was add in a username/password that had to be used to access the wiki directory. The username was displayed on my home page so no secrets there. BUT the password was the answer to a cryptic question selected carefully so the answer was easy for people in my professional group to answer but very hard for a spammer and certainly not something a bot could work out. The question was selected so the answer could not be found by a Google search on any of the words - I had a mis-spelling and a non-standard abbreviation in the question. As it turned out about 1% of my target audience (mostly non-English speakers) found the question too cryptic so the alternative was for them to contact me by email using a professional organisation email address (not gmail or hotmail). The answer was one word all in lowercase.

I thought I would have to change the password every so often BUT after several years there has been not a single spam message posted so I've just left the same question.

Upvotes: 1

Bulwersator

Reputation: 53

Maybe you can check IPs used for spamming?

Or use special questions instead of standard CAPTCHA? (for example, one of NetHack (roguelike) related sites is asking for symbol of ring/spellbook/potion - trivial for NetHack players, impossible for bots/hired spam solvers).

Upvotes: 2
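
One way to set up the site-specific questions suggested above, added here as an example and not part of the original answer: the ConfirmEdit extension's QuestyCaptcha module, wired to the same four triggers the question lists. It assumes a ConfirmEdit release that ships QuestyCaptcha as a loadable sub-module; the questions and answers are constructed placeholders.

```php
<?php
// Added example: fragment to append to LocalSettings.php.
// Assumes ConfirmEdit with the QuestyCaptcha sub-module is installed.
wfLoadExtensions( [ 'ConfirmEdit', 'ConfirmEdit/QuestyCaptcha' ] );
$wgCaptchaClass = 'QuestyCaptcha';

// Question => accepted answer(s). Placeholders only: replace them with
// questions your own community finds trivial and that cannot be
// answered by searching for any of the words in the question.
$wgCaptchaQuestions = [
	'PLACEHOLDER: question only your community can answer' =>
		'placeholder-answer',
	'PLACEHOLDER: second question with two accepted spellings' =>
		[ 'placeholder-a', 'placeholder-b' ],
];

// The trigger points listed in the question.
$wgCaptchaTriggers['edit']          = true; // every attempted page save
$wgCaptchaTriggers['create']        = true; // page creation
$wgCaptchaTriggers['addurl']        = true; // saves that add URLs
$wgCaptchaTriggers['createaccount'] = true; // new account creation
```

Spam that still gets through after this change means a question has been solved and recorded by the spammers, which is the signal to replace it.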
