[Pmwiki-users] Re: hackers: Another good reason for authentication

Crisses crisses
Fri Jun 18 03:04:08 CDT 2004


On Jun 18, 2004, at 11:38 AM, Steven Leite wrote:

> That's a good idea, but to improve on that idea a bit, I would create a
> custom template for the Main/WikiSandbox page.  The only difference
> between the default site template and this template would be the text at
> the top of the page reading:
>
> "This page is password protected.  The edit password is "xxx".
>
> This will prevent people from messing with the same message if you had
> typed it in the wiki's page text instead.

I was thinking to do that for the whole site.  But what if I defined 
the password/authentication domain with "password is x"?

> Other good ideas I've seen include:
>
> * auto resetting the wiki.d/Main.Sandbox page every xx minutes (after
> the last edit)

I'll probably be doing that next.

> * using robots.txt to instruct search bots NOT to index the Sandbox page
> (doesn't help prevent spam, but at least the spammer will be wasting
> their time, at least on that one page).
> * looking at the HTTP_REFERRER to see if it's a browser or bot.  If it's
> a bot, don't allow edits, or if an edit is attempted, just redirect to
> the same page (instead of bringing up the edit dialogue).

How does one do that? (and I'm wondering if that will prevent my own 
interface-programs from working)

> * ip banning (counter-attack after abuse has already occurred)

This won't work for my 'nice guy' -- he's on a dynamic DNS at an ISP in 
Germany.

> * preventing external links (requiring admin to approve/disapprove links
> before they are allowed in the wikitext).

I'd like this as an option.  It seems like a very VERY strong security 
feature, if some more admin overhead.

Another way to perform a counter-campaign is perhaps to let the people 
at the target websites know exactly what it is that they're paying for 
with the people who are "increasing their popularity on search engines" 
by placing fake links on open-edit community websites.  Send an (auto?) 
email to the webmaster or customer service (etc) at such domains and 
report that such-and-such was posted regarding their company, and 
explain how that is used to increase their hit-rate on Google and other 
search engines, how it's unethical and as bad as spam (nearly no one 
likes spam) and makes the internet a bad place to visit, or work 
from...and they can save their money and find legitimate ways to 
increase their popularity.  Most people running the sites probably have 
no idea that they're getting hits because of such unethical practices, 
and are probably paying for the service.  If it works, it will hit the 
spammers where it counts: in their bank accounts.  Maybe we can get the 
information about the spammer's business from the customer, and report 
them to the Better Business Bureau or similar.

i.e. that's the "Waaah!  I'm gonna tell Mommy that you hit me!" method. 
:)

I'm going to try this when my daily spammer hits my site today.

> If anyone can think of other approaches, add them to this list (or
> create a page on the PmWiki website).  Understanding the problem
> clearly, will help a lot in trying to come up with ideas and methods to
> fix the problem.

And publicize them for these critters (people) to take them into 
account.  I think the information needs to be shared, but temporary 
measures will be circumvented quicker -- i.e. they'll find ways around 
them quickly.

Crisses
-- 
No man is an island, entire of itself; every man is a piece of the 
continent, a part of the main.  If a clod be washed away by the sea, 
Europe is the less, as well as if a promontory were, as well as if a 
manor of thy friends or of thine own were: any man's death diminishes 
me, because I am involved in mankind, and therefore never send to know 
for whom the bell tolls; it tolls for thee.
   -- John Donne, 1624.
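
The link-approval idea from the quoted list (hold an edit until an admin has approved any new external link), sketched as an added example that is not part of the original message and is not PmWiki code. `APPROVED_HOSTS`, `SITE_HOST` and the function names are hypothetical, and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: hosts an admin has already approved.
APPROVED_HOSTS = {"pmwiki.org", "www.pmwiki.org"}
SITE_HOST = "wiki.example.org"  # hypothetical host of the wiki itself

# Bare http(s) URLs as they appear in wikitext; stops at whitespace,
# brackets, quotes and the "|" used for link text.
URL_RE = re.compile(r"""\bhttps?://[^\s\]\[<>"'|]+""", re.IGNORECASE)


def external_hosts(wikitext):
    """Return the set of external hostnames linked from the text."""
    hosts = set()
    for match in URL_RE.finditer(wikitext):
        url = match.group(0).rstrip(".,;:!?)")
        # urlsplit().hostname lowercases the host and drops any
        # "user@" prefix, so "http://pmwiki.org@spam.example/" is
        # attributed to spam.example, not to the approved name.
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host and host != SITE_HOST:
            hosts.add(host)
    return hosts


def review_edit(old_text, new_text, approved=APPROVED_HOSTS):
    """Return ("save", []) or ("hold", [hosts awaiting approval]).

    Only hosts the edit adds are checked, so a page that already
    carries an unapproved link stays editable for ordinary fixes.
    """
    added = external_hosts(new_text) - external_hosts(old_text)
    pending = sorted(h for h in added if h not in approved)
    return ("hold", pending) if pending else ("save", [])


if __name__ == "__main__":
    print(review_edit("", "Docs: http://www.pmwiki.org/wiki/PmWiki/PmWiki"))
    print(review_edit("", "cheap pills http://Spam.Example/buy"))
```

A held edit would be queued with its pending hosts so the admin can approve or reject each one; approving a host adds it to the allowlist for later edits.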



