[sword-devel] CrossWire wiki vandalism?

DM Smith dmsmith555 at yahoo.com
Thu Jan 8 07:16:13 MST 2009 

On Jan 8, 2009, at 1:22 AM, Eeli Kaikkonen wrote:

> Quoting DM Smith <dmsmith555 at yahoo.com>:
>
>> I have learned more about wikis and fighting spam than I ever  
>> wanted to;)
>
> I have recently learned (read), to my surprise, that "captchas" are  
> not a final solution. Spammers have already used human resources -  
> in cheap developing countries, of course - to break them. Image  
> recognition have become better and better and is ready to break  
> visual traps. Captchas may be very annoying. Last time I used one I  
> got furious because I couldn't be sure what was there and I had to  
> retry several times. If it's used in every edit it surely may block  
> some spam but it also prevents valid edits because it raises the bar  
> too high. The idea of a wiki should be that it's easy and fast.
>
> I have one CrossWire-specific trick in mind, but I don't know if  
> it's too much work and how it could be implemented. There could be a  
> small quiz, for example 4 questions with 4 multiple choices. The  
> answers could be found in our FAQ. If the questions and choices are  
> put there in random order it would prevent any non-human cracking,  
> and the quiz would ensure that the user is determined enough to know  
> something about us.

I'll keep this in mind. My strategy is to be minimally invasive. If I  
can find a better method than captchas I'll replace it. There is a  
math version of the captcha, which might be better than what I have in  
place. BTW, I don't know php and at this point I am not interested in  
learning php. There are more interesting things for me to do.

Chris, Peter and I watch edits daily, acting as an informal editorial  
board. We catch spam generally within a few hours. So the value of  
captchas is that it further minimizes junk from being seen by others  
and the also work we have to do to keep it clean.


>
>
>> New as of today:
>> 3) A user agent string is necessary to view the wiki. Without it a  
>> 503,
>> forbidden will be generated.
>
> I hope this gives also a message telling the reason. Otherwise some  
> valid users may be blocked without they knowing why.

I agree, but I don't have it in place yet.

>
>
>> I've installed reCaptcha, which gives the user a choice of visual and
>> auditory captchas. I chose this one based on a much earlier thread  
>> that
>> expressed the concern that it be friendly to handicapped users. The
>> default implementation requires captcha for the following:
>> 4) Creation of new accounts.
>
> This is fair, but see above.

I think most of the new accounts are automated as the account name  
have a well defined pattern of "AbcdeFghijk".

You are welcomed to try it out. When you get to the login screen,  
click on the new account creation link to see reCaptcha. When it comes  
up, it gives two hard to read words, but has a button to generate new  
ones (which I generally click about 3 times before I can read  both  
words), a toggle to flip between text and audio. I don't have an mp3  
codec on my machine so I haven't tried it.



>
>
>> 5) Adding an external URL to a page. (Let me know if this gets in the
>> way. I can turn it off.)
>
> Have the spammers put external urls there? Most of the wiki spam I  
> have seen has been incomprehensible gibberish. Also, if creation of  
> new accounts is already protected, I don't know how this helps any  
> more. If spammers can create accounts they can create links, too.

Yes spammers have been putting in external urls to drug and porn  
sites. Lately, perhaps for the last year or so, most, maybe all, of  
the spam edits have been to insert gibberish.

This is the only default that I'm not sure I like. A few of our active  
wiki writers add external links on a regular basis. These are very  
constructive and I don't want to discourage them.

To turn it off just takes a couple of minutes.


>
>
>> 6) Failed login attempts (purpose is to foil automated password  
>> cracking).
>
> Fair enough.
>
>> If necessary I can add captcha to every edit and to every page  
>> creation.
>
> Please, never! I'll stop using wiki at that phase.

These are available captcha hooks. I don't like them. I don't see us  
needing them, as we keep on top of the edits.

In Christ,
	DM

More information about the sword-devel mailing list