axiom-developer

RE: [Axiom-developer] spam attack


From: Page, Bill
Subject: RE: [Axiom-developer] spam attack
Date: Wed, 2 Aug 2006 14:38:12 -0400

Hi Bob, 

On Wednesday, August 02, 2006 2:00 PM you wrote:
> ... 
> Since wiki spam must occur over an HTTP connection, it is 
> 2-way.  So, you have the verified IPs of the attackers.
> Someone is clearly using a zombie net.  Consider spawning:
>      iptables -A INPUT -s "$IP" -j DROP
> when someone posts something in the banned_links.

Are you suggesting that I drop all connections from the
complete list of ip addresses that are being used by the
spammers? So far there are about 200 of these addresses
scattered over several different subnets so I am not sure
that this is practical. And as far as I can tell the number
of ip addresses they are using is growing. I could also
do something similar using our Apache hosts.deny file but
I am quite concerned that these are spoofed ip addresses
and do not really uniquely identify the spammers. Blocking
all of these addresses might well affect legitimate users.

> Then, one would want to remove the ban on regular links
> or you would hit legitimate users. I'm assuming banned_links
> would contain only the bad URLs/domain names. So in each
> case you would get at least one spam.  

No, this does not seem practical either because there are
literally hundreds of these domain names. What I did
instead was to ban all use of the http: prefix thus
eliminating the possibility of directly specifying an
external link in any form. (ZWikiRemote links are still
possible for predefined urls.)

> 
> I don't think it's possible or practical to try to ban
> spam *before* seeing spam from a given source.  They can
> always find a way around any system you set up.

Yes. If they got real mean, they could even start posting
random stuff with no embedded links just to bypass the ban
and overrun our server... but I am counting on them going to
all this trouble for a real purpose (i.e. link jamming) and
not just to annoy us - at least not for long.

> 
> > My second attempt to control this threat is to continue the
> > ban on http external links for unauthenticated (i.e. non
> > Zope) users. This is the way the ban was originally supposed
> > to work - users who have a specially assigned user id - over
> > and above that set in their preferences - are allowed to
> > ignore the ban. If they are editing a page or adding a comment
> > that contains banned content, then they will be prompted to
> > enter their user id and password. If it is valid, the edit
> > will be allowed to continue. If not, then they (and all those
> > damned robots!) will receive a 401 Unauthorized return code.
> > 
> > This seems to be working now. Would those of you who have the
> > Zope user accounts, i.e. Ralf, Marten, and Bob McElrath, please
> > try this and confirm that it is working the way it is supposed
> > to.
> 
> That's an interesting idea...can the post be held for moderation
> too, in case someone makes an interesting edit but doesn't have
> a zope userid?

Hmmm, you mean maybe write it to a non-web accessible or otherwise
protected log file somewhere? Maybe even to a set of "shadow" pages
that are only readable by registered Zope users? Moderation is a
neat idea but it would take some programming work to implement.

> ... 
> This is one of the major drawbacks to ZWiki -- there is no way
> for the user to create and manage his account.  Plone, for
> instance, allows the user to create an account and login with
> a password. User rights can be managed from there.  (if anyone
> wants to consider dumping the zwiki portal in favor of putting
> everything in plone...)

I agree that Plone has a smooth and reliable user management
system. It is certainly possible to move the Axiom Wiki over to
Plone and can even be done in a fairly nice and transparent way
by using switchable skins so that you can choose between seeing
the pages in conventional ZWiki style or as embedded in a Plone
portal wrapper. Simon set up something like that for the Ubuntu
wiki at one time, I think. I don't know if they are still using
it or not. Is anyone interested in experimenting with this on the
test.axiom-developer.org server? I did an initial setup like this
6 months ago and it seems to work. I recall that I had a few
issues trying to get authentication to work properly with the skin
switching. But I did not go as far as actually moving the content
of the wiki over to a wiki hosted inside my test version of Plone.

> There are lots of zope user management products:
>     http://www.zope.org/Products/user_management
> but it would require some coding to get it to interface with
> zwiki.
> 

I might look at these if it turns out we need a non-Plone longer
term solution.

Regards,
Bill Page.
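As an added illustration of the two mechanisms discussed in this thread (not code from the Axiom wiki, ZWiki or Zope), the following Python sketch implements the content ban with an authenticated bypass that Bill describes, and a small helper that groups 401 responses by /24 network so one can judge how scattered the posting sources are before deciding on address-based blocking. The banned_links entries, the edit texts and the source addresses are constructed sample data; the function names are hypothetical.

```python
"""Content-based wiki spam ban with an authenticated bypass.

Constructed example, not the Axiom wiki's own ZWiki/Zope code.
"""
import re
from collections import Counter
from ipaddress import ip_network

# Constructed stand-in for the banned_links list (hypothetical domains).
BANNED_LINKS = {"pills-for-less.example", "cheap-loans.example"}

# Any http:/https: prefix counts as an external link, matching the
# blanket ban on the http: prefix described in the reply.
HTTP_PREFIX_RE = re.compile(r"\bhttps?:", re.IGNORECASE)
# Host part of an absolute URL, used for the domain-based check.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def find_reasons(text):
    """Return the list of reasons an edit text trips the ban (empty if none)."""
    reasons = []
    if HTTP_PREFIX_RE.search(text):
        reasons.append("external link (http: prefix)")
    for host in URL_HOST_RE.findall(text):
        host = host.lower()
        # A banned entry matches the domain itself and any subdomain of it.
        if any(host == b or host.endswith("." + b) for b in BANNED_LINKS):
            reasons.append("banned domain: " + host)
    return reasons


def check_edit(text, authenticated):
    """Decide on an edit as (status, reasons).

    200 = accept the edit, 401 = banned content from an unauthenticated user,
    who is prompted for a Zope user id and password. Authenticated users are
    allowed to ignore the ban; the reasons are still returned for logging.
    """
    reasons = find_reasons(text)
    if not reasons or authenticated:
        return 200, reasons
    return 401, reasons


def group_blocked_sources(events, prefix=24):
    """Count 401 responses per /prefix network.

    events is an iterable of (source_ip, status) pairs. A result spread thinly
    over many networks is a sign that per-address iptables or hosts.deny rules
    will not keep up with the source list.
    """
    counts = Counter()
    for ip, status in events:
        if status == 401:
            net = ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts


# Constructed sample edits: (text, user_is_authenticated).
SAMPLE_EDITS = [
    ("Fixed a typo in the Spad tutorial.", False),
    ("See http://pills-for-less.example/buy for details", False),
    ("See http://pills-for-less.example/buy for details", True),
    ("Reference: http://docs.example.org/spad", False),
]

# Constructed sample of (source address, status) pairs from the access log.
SAMPLE_EVENTS = [
    ("203.0.113.5", 401),
    ("203.0.113.77", 401),
    ("198.51.100.9", 401),
    ("192.0.2.4", 200),
]


def run_samples():
    """Apply check_edit to the sample edits; returns the list of decisions."""
    return [check_edit(text, auth) for text, auth in SAMPLE_EDITS]


if __name__ == "__main__":
    for (text, auth), (status, reasons) in zip(SAMPLE_EDITS, run_samples()):
        print(status, "auth" if auth else "anon", reasons, "|", text)
    for net, n in group_blocked_sources(SAMPLE_EVENTS).most_common():
        print(net, n)
```

Run as a script it prints one line per sample edit and one per /24 with 401 hits; in a real deployment the `events` input would come from the web server's access log rather than the constructed list.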
