mediawikispam

Prevent MediaWiki from being spammed

My MediaWiki site is currently under the spammers attack. I get around 10 spam pages registered daily.

What I've I already done:

  1. Only users with confirmed emails can create/edit pages.
  2. ReCAPTCHA widget. Captcha displayed on the actions:
    1. 'edit' - triggered on every attempted page save
    2. 'create' - triggered on page creation
    3. 'addurl' - triggered on a page save that would add one or more URLs to the page
    4. 'createaccount' - triggered on creation of a new account
  3. Proxy blocker
  4. SpamBlacklist

What else can I do to stop the spam?

Solution

  • It's counter-intuitive, but I have found this combination very effective:

    1. Disable new signups or if you think that is too extreme, install SecurePages
    2. Install SimpleAntiSpam
    3. Install SpamBlacklist and TitleBlacklist
    4. Allow anonymous edits
    5. Always block the IP addresses that spam is posted from
    6. Install User Merge and Delete and use that to clear out the existing spammer accounts.

    #1 is the most important step. It's easy for spammers to create throwaway accounts.
    A CAPTCHA makes only a small difference, not worth the extra bandwidth cost for the images. The hundreds of throwaway accounts are almost as big a problem as the spam postings.

    #2 reduces the volume of spam by at least 1/3.
    The only robots that get past SimpleAntiSpam are those specially designed for MediaWiki, not the ones that fill in all textareas in every web page everywhere.
    Similarly if your site has SSL, SecurePages (or its predecessor HttpsLogin) thwarts some bots that don't have SSL support.

    #3 will stop you getting the same spam posting (or variants of it) repeatedly. If you update the blacklist regularly that should reduce the volume of spam by another 10-20%.
    And remember the spammers will run out of paying customers (you eliminate one for every domain you block links to) long before they run out of public proxies/zombies to post from.

    #4 does not increase the volume of spam as much as you might expect. There's a popular MediaWiki-spamming bot that never attempts to post anonymously - it gives up when it cannot find the "create account" link.
    And if you don't do this, you don't have a wiki anymore (you just have a static website using MediaWiki as a CMS.)
    There is a small bonus - it makes it easier to find (and block) the spammers' IP addresses. Of course you can get the IP addresses using CheckUser or by reading the database directly, but it's much easier when the IP address is in plain sight.

    #5 is the least effective measure, but it's still worth doing. Spammers do re-use IP addresses. They may be cheap but they are not infinite, and sometimes you will catch one of those runaway robots that posts a spam page every 5 minutes.

    #6 doesn't prevent spam, but it allows you to clean up your user list page once you have other anti-spam measures in place.