[sword-devel] CrossWire wiki vandalism?

Eeli Kaikkonen eekaikko at mail.student.oulu.fi
Wed Jan 7 23:22:44 MST 2009

Quoting DM Smith <dmsmith555 at yahoo.com>:

> I have learned more about wikis and fighting spam than I ever wanted to;)

I have recently learned (read), to my surprise, that "captchas" are  
not a final solution. Spammers have already used human resources - in  
cheap developing countries, of course - to break them. Image
recognition has become better and better and is ready to break visual
traps. Captchas may be very annoying. Last time I used one I got  
furious because I couldn't be sure what was there and I had to retry  
several times. If it's used in every edit it surely may block some  
spam but it also prevents valid edits because it raises the bar too  
high. The idea of a wiki should be that it's easy and fast.

I have one CrossWire-specific trick in mind, but I don't know if it's  
too much work and how it could be implemented. There could be a small  
quiz, for example 4 questions with 4 multiple choices. The answers  
could be found in our FAQ. If the questions and choices are put there  
in random order it would prevent any non-human cracking, and the quiz  
would ensure that the user is determined enough to know something  
about us.

> New as of today:
> 3) A user agent string is necessary to view the wiki. Without it a 503,
> forbidden will be generated.

I hope this also gives a message telling the reason. Otherwise some
valid users may be blocked without their knowing why.

> I've installed reCaptcha, which gives the user a choice of visual and
> auditory captchas. I chose this one based on a much earlier thread that
> expressed the concern that it be friendly to handicapped users. The
> default implementation requires captcha for the following:
> 4) Creation of new accounts.

This is fair, but see above.

> 5) Adding an external URL to a page. (Let me know if this gets in the
> way. I can turn it off.)

Have the spammers put external URLs there? Most of the wiki spam I
have seen has been incomprehensible gibberish. Also, if creation of  
new accounts is already protected, I don't know how this helps any  
more. If spammers can create accounts they can create links, too.

> 6) Failed login attempts (purpose is to foil automated password cracking).

Fair enough.

> If necessary I can add captcha to every edit and to every page creation.

Please, never! I'll stop using the wiki at that phase.

--Eeli Kaikkonen
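
The FAQ quiz proposed in the message above, sketched as an added example; it is not part of the original post and not CrossWire's code. It draws 4 questions with 4 shuffled choices each and binds them to an expiring HMAC token, so the correct answers never appear in the form. The question pool, `SECRET`, `TTL` and the function names are assumptions made for the sketch.

```python
import hashlib
import hmac
import random
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-server key, never sent to clients
TTL = 600                         # assumption: seconds a quiz stays valid

# Constructed placeholder pool: (question, correct answer, wrong answers).
POOL = [
    (f"Placeholder FAQ question {i}?", f"right-{i}", [f"wrong-{i}a", f"wrong-{i}b", f"wrong-{i}c"])
    for i in range(1, 9)
]

def _sign(picked, expires):
    msg = ",".join(map(str, picked)).encode() + b"|" + str(expires).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def new_quiz(rng=None, now=None):
    """Return (form, token): 4 random questions, each with shuffled choices."""
    rng = rng or random.SystemRandom()
    now = time.time() if now is None else now
    picked = rng.sample(range(len(POOL)), 4)
    form = []
    for idx in picked:
        question, right, wrong = POOL[idx]
        choices = [right] + wrong
        rng.shuffle(choices)
        form.append({"question": question, "choices": choices})
    expires = int(now) + TTL
    token = f"{'.'.join(map(str, picked))}:{expires}:{_sign(picked, expires)}"
    return form, token

def check_quiz(token, answers, now=None):
    """answers: the chosen choice text for each question, in form order."""
    now = time.time() if now is None else now
    try:
        ids, expires, mac = token.split(":")
        picked = [int(i) for i in ids.split(".")]
        expires = int(expires)
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(mac.encode(), _sign(picked, expires).encode()):
        return False  # question ids or expiry were altered
    if now > expires or len(answers) != len(picked):
        return False
    return all(a == POOL[i][1] for i, a in zip(picked, answers))
```

The token is stateless, so a solved quiz can be resubmitted until it expires; a deployment would also record used tokens and keep the pool large enough that it cannot simply be memorised.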

