[pmwiki-users] PmWiki and Spam

Patrick R. Michaud pmichaud at pobox.com
Sat Jan 12 21:20:09 CST 2008


On Sat, Jan 12, 2008 at 11:07:00AM +0100, Petko Yotov wrote:
> Hello all,
> 
> > > I'm willing to do a captcha, at least for a while, if someone will
> > > prototype a replacement Site.EditForm page for it.
> 
> I am strongly against a Captcha solution. If I have to do one and 
> only edit in the day, a Captcha is acceptable. But as we may be 
> doing several edits or fixes, it is really a pain.

Captchas in PmWiki are once-per-session -- i.e., once you've
verified a captcha, that verification is good for all subsequent
edits until the session expires.

> And here is the proof:
>    http://google.com/search?q=%2262.140.77.68%22+proxy
> 
> (62.140.77.68 edited PITS.00108)
> 
> I also do not understand why in the Blocklist there are whole ranges of 
> blocked IPs, like:
>    block:12.43.115.*

For a long time it was too much trouble to list individual addresses,
and we _would_ receive spam posts from multiple addresses in the range.

> Even if it is 
> the case (which is not: these are open proxies), there are 254 legitimate 
> innocent IPs that are blocked.

I'm fine with guilt-by-association for now.  I've never run into a
case where a legitimate poster complained about being inadvertently
blocked by one of these address ranges.

> If this is not a malicious attack by someone who hates us, what I 
> believe to be best is to have an edit password on the groups that 
> we are cleaning every day. It may be written in the Site.EditForm:
> 
>   Please enter '''pmwiki''' in the following textbox in order to edit.
> 
> This is less annoying than a Captcha and may work.

The issue I have with this approach is that someone viewing and
interacting with PmWiki for the first time can get very confused
by this.  For one, if the page is protected by a password other
than "pmwiki" (and there are some), then the new author will be 
very confused by the fact that the statement doesn't seem to work.

Beyond that, I think that newcomers who don't understand that the
password is being used as a spam mechanism will be likewise
confused.  I can envision people thinking "What good is it to
publicly display the edit password?" and concluding that
"PmWiki isn't very secure."  That's not really the impression
I want to leave newcomers to the site.

Pm


