Difference between revisions of "Talk:How Things Work Around Here"

I was seeing a lot more anonymous edits show up in the recent changes, and while I know this page implies some are OK, I think it's really best to require the login. I can easily remove it (or you can, EB - it's the last line in LocalSettings.php). This way we have accountability, and it's not as if we're about to sell people's email addresses. --Krenn 11:21, 16 Sep 2005 (EDT)

I'm of two minds about this and would like more input from the community (that's you, whomever is reading this). One side of me agrees with Krenn, we'd like to have some way of confirming the authority behind any changes (who is this person and do they really know what they're talking about?). Also, sometimes when I arrive at the Wiki it says it knows who I am, but as soon as I edit a page, it loses the cookie and treats my edits as anonymous. Sometimes I go for two or three edits before I realize it. The OTHER side of me doesn't want to discourage participation in any way. If I have a choice, I prefer to access web services anonymously and will often skip over a site requiring a registration/login in favour of one that doesn't. I don't want folks feeling that way about the An Tir Wiki.

Anybody have thoughts either way on this? --Elizabeth Braidwood

I think there are a lot of people who do an edit or two before they get hooked and create an account. I know that at other wikis I like to have the ability to do a quick edit without needing to create yet another account. One wiki that I have seen go the other way is: http://www.katrinahelp.info/wiki/main.html which does require an account. --IasonVorax

Personally, I regard the cookie glitch as a really good reason to have this turned on. Otherwise, you don't realize you're making edits without the system properly attributing you. I truly don't see the login requirement as a barrier at all, and people can still access it fine without login, it's just edits that require that. It may be possible to set it so that talk pages can be anonymous but main pages require it, I'm not certain. --Krenn

Krenn, I don't think we've come to a consensus on this issue yet. Please turn OFF the required login for the time being. --Elizabeth Braidwood

OK, done, but having seen automated wikispam hit several other sites, I reserve the right to say "I told you so." ;) --Krenn

Three bot hits in the last two days. IMO, we either need to turn off anon posting, or add in Captcha images to block bots. I'm not sure how hard the latter would be. --Krenn 06:20, 30 Nov 2005 (EST)

I'm in favor of encouraging, but not requireing. And I'm fully ready to hear the "I told you so"! :) - Quentin Martel

Three more spamhits (rv'd by Wenyeva) since my last message. I think that qualifies for "I told you so". :( --Krenn 23:51, 30 Nov 2005 (EST)

I know Wikipedia doesn't believe in requiring logins, and I understand why, but I also think that a wiki with a small editor base like this may need to require logins. We don't have thousands of people patrolling to catch the spam. I just started editing here, and I have been checking Recent Changes since I noticed that wikispammers were here, but if the edits have scrolled out of Recent Changes, I (and others) might miss them. Hopefully there are enough people watching to keep the spammers away, but this wiki is definitely on their list now... I hate captchas. I'd rather require logins. Wenyeva atte grene 23:59, 30 Nov 2005 (EST)

I think it may be possible to have the CAPTCHA only on anonymous and on account registration, but not on validated accounts. It's definitely a "hack the code" implementation, so I'll need to step lightly. --Krenn 00:28, 1 Dec 2005 (EST)

CAPTCHAs especially sophisticated ones can be annoying, and there are accessibility issues. OTOH I've already stuck a real basic one on the recommendation page on the main An Tir site, with the actual letters spelled out in the alt tag. Obviously pretty hackable, but my theory was that it wouldn't be worth the bother. Another option would be email notification of edits, but that could be pretty annoying just by itself. --JL

On my weblog what we did was add a script that generates a tiny math problem like "3+2=?" and they have to answer the question for the post to go through. I didn't want CAPTCHAs because of the accessibility issue. For the weblog, the math problem has worked great -- but only because we're the only ones using it in that form. If every Wordpress blog used it, the spammers would crack it in no time flat. But they don't bother for just my own blog. I still get the occasional spam but the moderation there catches it, and they all seem to be hand-entered and not automated. So if you come up with something unique for this wiki, it might help keep the automated spammers away, even if it's not really complex. Wenyeva atte grene 17:01, 1 Dec 2005 (EST)

Remember, what I'm hoping to do is make it so that registered users don't see CAPTCHAs except for a one-time deal when they make an account. If a spammer wants to make an account, then we can just lock out that account, problem solved. The CAPTCHA will also be a handy reminder to somebody that the Wiki has forgotten who they are and to log back in if they want proper attribution. You can see the number of changes that Jeanjacqueslavigne is making, and yet half of them are IP-tagged because the loss of the login token is so subtle. --Krenn 05:10, 2 Dec 2005 (EST)

I am leaning toward the above option (a CAPTCHA on the account creation and turning off anonymous edits). I dislike doing it, because it adds barriers to new users, but it's beginning to sound like spam-patrol is taking up too much time. As nominal godmother and one of the senior admins of this site, I'm asking that everyone weigh in with a simple Yes/No/Brief comment by... say Saturday night and we'll go from there. If you don't mind spam-patrol, we don't have to do this, but it looks like Krenn had to do some fancy rollbacks to get the homepage back and he (and we) have better things to do. --Elizabeth Braidwood 18:09, 6 Dec 2005 (EST)

Turning off anon edits: Yes. (By the way, I am wondering if the cookies glitch is browser-specific as I see it happens to others, but hasn't happened to me yet. I'm using Safari on Mac OS X.) CAPTCHA: Yes, but only if there is a way to make it accessible to the visually impaired. (Or even those with normal vision. I had to submit a CAPTCHA page three times earlier today before I got it right, because the letters were so distorted I couldn't read them.) -- Wenyeva atte grene 19:50, 6 Dec 2005 (EST)

I like Wenyeva's simple math problem for a CAPTCHA -- this could be extended into an SCA story problems, and the answer could be given in the question so as not to make them too hard. eg "Manfred reigned with the Fair Queen -- Morwyn or Morag? I don't remember ;( -- immediately after An Tir ceased to be a Principality" -- with the Question: Who was the first King of An Tir? OK, I'm pretty sure it was Morag who was queen cause I got my AA at the 12th nite coronation. Whatever.... Whether, Krenn shuts down annonymous posting or puts the CAPTCHA into the submit edit page(s) depends mostly on how many pages he would have to modify. --Jl 22:57, 6 Dec 2005 (EST)

The CAPTCHA enabling is not simple as it's not supported by MediaWiki directly. It'll require some experimental grafting. The simplest stage would be to turn off anon-edits, and then to watch to see if spammers start to register accounts. If they do that, we can start using CAPTCHAs. I don't think we really need CAPTCHAs unless we're continuing to allow anonymous editing. Heck, we could probably fake-captcha the anon edit or registration pages with instructions to "enter the name of this kingdom in the blank". Only a customized spambot would be able to fill that in, the rest would bomb out. --Krenn 11:47, 8 Dec 2005 (EST)

Yup, that is sort of like how my blog's math script is. It would be trivially easy to program a way around it, but bots don't bother custom programming for a single blog or a single wiki. So that might do the trick. And it would be more accessible than a traditional CAPTCHA. -- Wenyeva atte grene 18:48, 8 Dec 2005 (EST)

The latest batch of spam was a huge mess -- from several different IPs, but all advertising At*v*n. They created a bunch of new pages to hold spam, too. And they are using the CSS trick to hide the spam, as well as putting a ton of white space at the top of the edit. Look out for more of this. *Sigh* -- Wenyeva atte grene 02:31, 12 Dec 2005 (EST)

Right. Krenn, please turn off anonymous edits and everyone keep an eye out for how the spammers react. Wenyeva, were you able to clear up the mess? Need any help? --Elizabeth Braidwood 19:07, 12 Dec 2005 (EST)

Well, I cleaned up that bunch but it looks like 3 more just appeared at 16:18. I can get rid of those pretty quickly. If you see any more of these crop up, though, by all means, revert them. :) -- Wenyeva atte grene 19:49, 12 Dec 2005 (EST)

IP banning spammers?

Is it possible to ban the IPs of some of these spammers? At least one of them is using the same IP each time. I'm about to go clean up after him/her again. Wenyeva atte grene 17:25, 2 Dec 2005 (EST)

212.62.19.185 is a problem here. Right after I posted this and cleaned up one batch of his spams, he returned to spam again. Wenyeva atte grene 17:47, 2 Dec 2005 (EST)

I can try that. I suspect it'll just switch to a new bothost though. --Krenn 00:10, 3 Dec 2005 (EST)

Probably. But it was pretty brazen of it to keep using the same IP over and over. Wenyeva atte grene 05:02, 3 Dec 2005 (EST)

Added thought: But if there's a way to catch edits that include style="overflow:auto;height:1px;" that would also help. I don't know how easy that is with MediaWiki, though. I might have posted this already but I don't remember. :) Wenyeva atte grene 17:31, 2 Dec 2005 (EST)

Not easily. I'd rather have a robust solution than a brittle one like that (they change one character and it gets through again). --Krenn 00:10, 3 Dec 2005 (EST)

Ah, good point. I wonder if it would be enough. I noticed that sometimes they are testing the spams in the Sandbox. Is that something bots do? Or is that an indication that a human is manually spamming? Wenyeva atte grene 05:02, 3 Dec 2005 (EST)

Actually, some Wikis will save the Sandbox if the form submit method is faked (tikiwiki comes to mind). It could also just be selecting a random link on the site, possibly from the recent changes, or else from links on the front page. --Krenn 06:59, 3 Dec 2005 (EST)

Yikes! Spam attack

I was working on editing content on the wiki just a few minutes ago, when we started getting slammed with wikispam, from multiple anon IPs, faster than I could keep up with fixing it. I have to get back to my real job and have to leave the wiki alone for a while so I can't fix all the new spams, but I hate to leave it with a bunch of spam on it. I will check back in later, but someone might want to look in on it. There hasn't been any new spam added in about 10 minutes, so maybe the bots took a few minutes off... but of course, they will be back.

Also, spam was posted from one logged-in account a bit earlier: User:Qolyan. (I e-mailed this text to Krenn just now, as well as posting here.) -- Wenyeva atte grene 20:56, 12 Dec 2005 (EST)

• Sorry folks, was laid up ill for a bit there. Anonymous edits are now disabled. Will also ban the fake user, and look into CAPTCHA for 1.4. --Krenn 23:08, 12 Dec 2005 (EST)

Yikes, now they are logging in to spam. See the edits of User:Bounty. If it's a bot, would customizing the account creation page help? Making it not match what the bot expects? -- Wenyeva atte grene 22:19, 13 Dec 2005 (EST)

Yeah, that's likely the next step I'll take. I have to take care of some stuff but will be looking at this before work tonight. Out of curiosity, do you see the blocks show up in the log when I ban them, or do only admins see that? --Krenn 16:01, 14 Dec 2005 (EST)

Yes, I see the blocks. -- Wenyeva atte grene 17:16, 14 Dec 2005 (EST)