Wiki account creation bypassing the ConfirmAccount extension was possible when email from the container was working due to a bug for which ConfirmAccount is incompatible with the current version of MediaWiki. Yesterday, I applied the workaround to add to LocalSettings.php which allows ConfirmAccount to work with the current version of MediaWiki.
$wgGroupPermissions['*']['createaccount'] = false;

Broken email service for the wiki because of complications authenticating to the SMTP server from the Docker container in addition to previous testing configuration remaining in LocalSettings.php meant that there were very few spam accounts created which were actually functional. If the accounts had been functional, we would have found the problem shortly after the upgraded wiki went live. Given the similarity of spam messages and timing there may have only been one or two spammers or spambots even with hundreds of suspicious non-working accounts created.

There were about 20 spam accounts which had mostly just created some spam content in the wiki user page for the account and some which created a spam wiki page. 5 accounts before May which did not attract much notice and about 15 from 3 and 4 May which made the problem obvious. All spam content has been deleted and the accounts blocked. Spam accounts were included in recent created users with contributions, https://wiki.koha-community.org/wiki/Special:ListUsers?username=&group=&editsOnly=1&creationSort=1&desc=1&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50 .

Thanks to Katrin Fischer and especially David Nind for blocking a few hundred accounts which had almost all likely never functioned but had been created automatically until the bug in ConfirmAccount had the workaround applied and could have been activated. I paused after the first hundred or so such accounts. Suspected spam accounts were included in all recently created users, https://wiki.koha-community.org/wiki/Special:ListUsers?username=&group=&creationSort=1&desc=1&wpsubmit=&wpFormIdentifier=mw-listusers-form&limit=50 .

We used a manual process one account at a time to block suspicious accounts. Legitimate accounts with contributions could be recognised but it is possible that we inadvertently blocked a legitimate user account which had not yet been used to create content.
David Nind proposed to write a message to the mailing list informing anyone who might have been inadvertently affected to raise attention to their account being improperly blocked.

The Wikimedia Foundation uses the UserCheck extension to help manage spam account blocking but it is not working properly inside the Koha Docker container where all users appear to have logged in from the same local IP address instead of an external IP address. Other extensions which had helped in combating WikiMedia spam no longer function or do not scale better than the manual process which we used. Direct database manipulation to block accounts could be possible but would need extra careful checking and the problem was small enough to manage manually via the web user interface.

Using Docker is nice but there are some Docker specific bugs.

Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY 10003
USA
http://www.agogme.com
+1 212-674-3783