[Pmwiki-users] Re: Beating spammers.

Wed May 19 03:49:34 CDT 2004

On Wed, 19 May 2004, Mattthew Shaylor wrote:

> I've had an inspired idea for beating spammers: Allow people to edit
> the page as usual, but if they want to include an external link then it
> needs to be approved by an admin.  Until it is approved it will show up in
> the parsed markup (and ideally in the revision history and whatnot) as
> plain text rather than a link - or if you wanted to be really malicious
> then a link to an anti spam site :)

At first I thought this would be too much of an obstacle...

> Ideally the external link privaledge password could be separate from other
> admin passwords so that it could be distributed to all regular wiki users,
> this way the admin overhead should scale nicely.

But using a separate password would work well for me, the users already
have to enter a password to upload files.

> Perhaps for advanced customisation, this feature could be tied in with
> an ip address, so only IP ranges that have previously hosted spammers
> would need their external links verified.

So far the spam has come from mostly different IPs, so I don't think this
would have helped me very much :-( I've actually given up on the main
homepage (wiki.lyx.org/pmwiki.php/LyX/Welcome) by added an edit-password.
However, the first thing I did was send out this password to the user's 
list, so it will be interesting to see if the page is "hacked" again.

> What do others think of this idea?  I like it because its much less harsh
> than plain IP address blocking, it should scale well and be easier to
> manage.  I'd assume that once the spammers learn that their links simply
> won't ever be authenticated they won't bother.  I don't think it would be
> /too/ tough to implement either.
> 
> Any thoughts?

The system should remember if you've entered a "link-password", so that 
you don't have to do it again. In my case the browser (Opera) 
automatically supplies passwords as needed, but this may not be true for 
all browsers, so something else might be needed.

I think that when after editing a page and pmwiki.php discovers a new URI 
(see note below), the user should be warned about the need for entering a 
password. And also given information about how he can obtain the password 
(for my community I'd simply mail this password to the entire user's 
list, hoping that the spammer doesn't read that list).

The concept of a new URI can be made pretty advanced. PmWiki could for 
instance keep track of all previously admitted URIs and automatically 
allow them. In addition, links to admitted domains could also 
automatically be approved. So for example, the first time a user adds

	http://www.lyx.org/some/page.html

to the wiki, he's asked for the 'link-password'. The next time someone 
adds

	http://www.lyx.org/some/page.html

to a page he doesn't have to enter the password since this URI has already 
been admitted. In addition, PmWiki could automatically add www.lyx.org to 
the list of allowed domains, so that no password is required to add

	http://www.lyx.org/a/different/page.html

This might not work in practice though, if the spammer uses some kind of 
redirection domain.

/Christian

-- 
Christian Ridderstr?m                           http://www.md.kth.se/~chr