Preventing MediaWiki from being spammed

Posted 2024-11-25 01:45:44

My MediaWiki site is currently under attack by spammers. I get around 10 spam pages registered daily.

What I've already done:

  1. Only users with confirmed emails can create/edit pages.
  2. ReCAPTCHA widget.
    Captcha displayed on the actions:

    1. 'edit' - triggered on every attempted page save
    2. 'create' - triggered on page creation
    3. 'addurl' - triggered on a page save that would add one or more URLs to the page
    4. 'createaccount' - triggered on creation of a new account
  3. Proxy blocker
  4. SpamBlacklist

What else can I do to stop the spam?

Comments (4)

吾性傲以野 2024-12-02 01:45:44

It's counter-intuitive, but I have found this combination very effective:

  1. Disable new signups or if you think that is too extreme, install SecurePages
  2. Install SimpleAntiSpam
  3. Install SpamBlacklist and TitleBlacklist
  4. Allow anonymous edits
  5. Always block the IP addresses that spam is posted from
  6. Install User Merge and Delete and use that to clear out the existing spammer accounts.

#1 is the most important step. It's easy for spammers to create throwaway accounts.
A CAPTCHA makes only a small difference, not worth the extra bandwidth cost for the images.
The hundreds of throwaway accounts are almost as big a problem as the spam postings.

#2 reduces the volume of spam by at least 1/3.
The only robots that get past SimpleAntiSpam are those specially designed for MediaWiki, not the ones that fill in all textareas in every web page everywhere.
Similarly if your site has SSL, SecurePages (or its predecessor HttpsLogin) thwarts some bots that don't have SSL support.

#3 will stop you getting the same spam posting (or variants of it) repeatedly. If you update the blacklist regularly that should reduce the volume of spam by another 10-20%.
And remember the spammers will run out of paying customers (you eliminate one for every domain you block links to) long before they run out of public proxies/zombies to post from.

#4 does not increase the volume of spam as much as you might expect. There's a popular MediaWiki-spamming bot that never attempts to post anonymously - it gives up when it cannot find the "create account" link.
And if you don't do this, you don't have a wiki anymore (you just have a static website using MediaWiki as a CMS.)
There is a small bonus - it makes it easier to find (and block) the spammers' IP addresses. Of course you can get the IP addresses using CheckUser or by reading the database directly, but it's much easier when the IP address is in plain sight.

#5 is the least effective measure, but it's still worth doing. Spammers do re-use IP addresses. They may be cheap but they are not infinite, and sometimes you will catch one of those runaway robots that posts a spam page every 5 minutes.

#6 doesn't prevent spam, but it allows you to clean up your user list page once you have other anti-spam measures in place.

幸福不弃 2024-12-02 01:45:44

Maybe you can check IPs used for spamming?

Or use special questions instead of standard CAPTCHA? (for example, one of NetHack (roguelike) related sites is asking for symbol of ring/spellbook/potion - trivial for NetHack players, impossible for bots/hired spam solvers).
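
An added example, not part of the answers above and not code from MediaWiki itself: a LocalSettings.php fragment that wires up steps 1, 3, 4 and 6 of the first answer together with the community-specific question suggested in the answer just above. It assumes a MediaWiki release that supports wfLoadExtension() with the named extensions present under extensions/; the question and answer strings are placeholders, and SimpleAntiSpam and SecurePages are left out.

```php
<?php
// Added example for LocalSettings.php (append to the existing file).
// Assumption: SpamBlacklist, TitleBlacklist, UserMerge and ConfirmEdit are
// installed under extensions/ and the release supports wfLoadExtension().

// Answer 1, step 1: no self-service sign-ups, so throwaway accounts stop.
// Sysops can still create an account for someone who asks.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;

// Answer 1, step 4: anonymous editing stays open. Every anonymous edit is
// attributed to its IP address in the page history, which makes step 5
// (blocking that address) possible without CheckUser or database access.
$wgGroupPermissions['*']['edit'] = true;
$wgGroupPermissions['*']['createpage'] = true;

// Answer 1, step 3: reject saves that add blacklisted link domains and
// page titles that match known spam patterns.
wfLoadExtension( 'SpamBlacklist' );
wfLoadExtension( 'TitleBlacklist' );

// Answer 1, step 6: lets a bureaucrat merge and delete old spam accounts.
wfLoadExtension( 'UserMerge' );
$wgGroupPermissions['bureaucrat']['usermerge'] = true;

// Answer 2: a text question only the wiki's own community can answer,
// in place of an image CAPTCHA.
wfLoadExtensions( [ 'ConfirmEdit', 'ConfirmEdit/QuestyCaptcha' ] );
$wgCaptchaClass = 'QuestyCaptcha';
$wgCaptchaQuestions = [
	// Placeholder pair: replace with a question from your own subject area.
	'PLACEHOLDER QUESTION FOR YOUR COMMUNITY' => [ 'placeholder-answer' ],
];

// Ask the question where spam pays off (new pages, added URLs), not on
// every ordinary edit.
$wgCaptchaTriggers['edit'] = false;
$wgCaptchaTriggers['create'] = true;
$wgCaptchaTriggers['addurl'] = true;
$wgCaptchaTriggers['createaccount'] = true;

// Established accounts are not challenged.
$wgGroupPermissions['autoconfirmed']['skipcaptcha'] = true;
```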

失与倦" 2024-12-02 01:45:44

I used to have a HUGE problem with spam attacks on my wiki. I used to have to go through the wiki every day and manually delete spam posts and then block the addresses but this was a never-ending battle. Restricting editing to registered users didn't help as the spammers just got themselves registered. So I finally had to shut the site down.

I started a new wiki where I have managed to block all spam.

My wiki is for a particular professional group so what I did was add in a username/password that had to be used to access the wiki directory. The username was displayed on my home page so no secrets there. BUT the password was the answer to a cryptic question selected carefully so the answer was easy for people in my professional group to answer but very hard for a spammer and certainly not something a bot could work out. The question was selected so the answer could not be found by a Google search on any of the words - I had a mis-spelling and a non-standard abbreviation in the question. As it turned out about 1% of my target audience (mostly non-English speakers) found the question too cryptic so the alternative was for them to contact me by email using a professional organisation email address (not gmail or hotmail). The answer was one word all in lowercase.

I thought I would have to change the password every so often BUT after several years there has been not a single spam message posted so I've just left the same question.

久随 2024-12-02 01:45:44

I had a similar issue with someone continuously making accounts, dozens to hundreds per day for years. I've had a handful of spam edits to revert, but I assume I don't see some others.

MediaWiki has a builtin script to remove users added who haven't made edits.

https://www.mediawiki.org/wiki/Manual:RemoveUnusedAccounts.php

$ php maintenance/removeUnusedAccounts.php [ --delete| --ignore-groups| --ignore-touched ]

Unfortunately a RECAPTCHA extension did not prevent these accounts from being created, nor making edits, but it may have helped to limit the rate.
