More progress fighting SPAM both on MediaWiki and via email.
I've been trying to find a way to combat SPAM on the Free Geek Arkansas Wiki. Unfortunately, bots that are targeting MediaWiki these days seem rather sophisticated. I turned off anonymous editing and later turned off editing prior to email confirmation. Both of these helped, although I would prefer to be able to run the wiki without either. Still, I was getting too much SPAM, an average of 3 or 4 new, orphaned pages by new, email-confirmed users.
I installed the ConfirmEdit extension and turned on the SimpleCaptcha mode. Somewhat to my surprise, this has not cut down on the SPAM rate, at all. I tried to make it very easy on real users; they only get the CAPTCHA when trying to create a new account. Either the bots simply submit the form repeatedly until they get the CAPTCHA right, or this bot has code to parse out the CAPTCHA and solve it which I suppose isn't too hard. Anyway, it didn't work so today I started looking for something else.
I found some relevant MediaWiki documentation and saw a few features that could be helpful, but the one that stuck out was using a DNSBL. I've noticed that when I clean the SPAM that the rate goes down for a while. It's likely confirmation bias, but I think it is correlated with the fact the I ban the IPs used SPAM the wiki for about a month. That said, I don't want to permanently ban any IPs. IPs get reused, moved, etc. and don't really identify the guilty parties. DNSBL seems like it might be a good compromise.
I used a Wikipedia article to decide which blacklists to use and it was quite helpful. I knew I wanted to support services with automatic delisting (unlike some of the SORBS lists; SORBS is somewhat infamous for nearly extortionistic practices once you are listed, even if it was clearly a mis-configuration). I also wanted to choose something that focused on http SPAMmers, not email SPAM sources. I finally settled on a few and wrote a configuration. I also disabled the ConfirmEdit extension, since it wasn't helping. If SPAM goes down, I may open up the wiki some more. Here's part of my LocalSettings.php:
# Lock down anonymous editing $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['writeapi'] = false; # Require email confirmation before editing, an attempt to stop some SPAM-bots $wgEmailConfirmToEdit = true; # 2011-01-19: Didn't affect SPAM, disabling. # Settings for ConfirmEdit extension # $wgCaptchaClass = 'SimpleCaptcha'; # $ceAllowConfirmedEmail = true; # $wgGroupPermissions['emailconfirmed']['skipcaptcha'] = true; # DNSBL stuff -- might catch SPAM $wgEnableDnsBlacklist = true; $wgDnsBlacklistUrls = array( // 'truncate.gbudb.net', -- SMTP-oriented, but highly accurate. 'xbl.spamhaus.org', 'web.dnsbl.sorbs.net', 'ircbl.ahbl.org', 'dnsbl.proxybl.org', );
I also run a mail server. In addition to all the steps documented in How I Handle SPAM, I added some DNSBL rules there as well. There's quite a few more DNSBLs that are suitable for email, and I am particularly fond of the SpamCop services so I read through the documentation and created a configuration like this:
$ cat /etc/exim4/conf.d/acl/25_local-config_check_connect acl_check_connect: drop dnslists = \ bl.spamcop.net : \ truncate.gbudb.net : \ dnsbl-1.uceprotect.net : \ new.spam.dnsbl.sorbs.net : \ sbl-xbl.spamhaus.org : \ psbl.surriel.com : \ intercept.datapacket.net : \ db.wpbl.info : \ any.dnsl.ipquery.org : \ spamtrap.drbl.drand.net : \ ix.dnsbl.manitu.net message = Blacklisted by DNSBL @ $dnslist_domain log_message = $dnslist_matched @ $dnslist_domain: $dnslist_text: $dnslist_value accept
$ cat /etc/exim4/conf.d/local/acl_check_data drop message = This message contains "$malware_name" (malware). malware = */defer_ok delay = 2m # I hope the new header is seen by the spam condition warn dnslists = pbl.spamhaus.org add_header = X-Unlikely-Server: $dnslist_matched @ $dnslist_domain: $dnslist_text: $dnslist_value drop spam = Debian-exim:true/defer_ok message = This message is ${spam_score_int}% SPAM. add_header = X-Spam-Score: $spam_score ($spam_bar) condition = ${if >= {$spam_score_int}{1} {1}{0}} set acl_m_spam_delay = ${if < {$spam_score_int}{300} {$spam_score_int}{300}} delay = ${acl_m_spam_delay}s condition = ${if >= {$spam_score_int}{10} {1}{0}} add_header = X-Spam-Report: $spam_report condition = ${if >= {$spam_score_int}{100} {1}{0}}
So far, it has stopped one SPAMmer at connect time. I'm going to monitor things, but I'm expecting a further reduce in mail SPAM.
Recent comments