[pmwiki-users] A possible anti-spam measure

Patrick R. Michaud pmichaud at pobox.com
Wed Jun 7 13:16:24 CDT 2006


On Wed, Jun 07, 2006 at 01:00:46PM -0500, Tegan Dowling wrote:
> On 6/7/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >On Tue, Jun 06, 2006 at 07:13:35PM -0400, David Spitzley wrote:
> >> I just had a strange thought regarding wikispam, which I'm still
> >> periodically having to scrape off my site even with SiteBlock3
> >> running.  [...]
> >> One thought that occurs to me is that through a bit of razzle-dazzle
> >> it might be possible to use the Author Required feature to block them.
> >> What if PmWiki
> >> * sent several different author fields with different values for the
> >>   "name" property
> >> * assigned each author field different CSS classes, all but one of which
> >>   had their "display" value set to "none"
> >> * only accepted input from the one visible field, and only if none of
> >>   the others were filled in?
> >
> >Intriguing idea.  But ultimately I'm not sure it's going to work...let's
> >explore a bit.
> >
> >First, if we use Author Required as a means of filtering spam, that means
> >that PmWiki can no longer automatically fill in the "Author" field on the
> >form -- an author would have to manually fill it in on each edit.  Most
> >authors would be really annoyed by this, and it goes directly against
> >PmWikiPhilosophy #1.
> 
> Why would using Author Required mean that an author would have to
> manually enter "Author" name with each edit?  I Require Author, but
> cookies allow author names to be carried from edit to edit.  Were you
> eliding some technical implication of Author Required that I didn't
> catch?

It's not a problem of Author Required as it exists now -- David's
proposal (as I understood it) is that we have Author Required check 
multiple author fields, all but one of which are hidden, and 
allow the post if the visible field has an author name in it 
and the hidden fields are all empty.

We don't get any security improvement if we tell the spambot which
field is the valid one by pre-filling in the visible field with
the Author cookie.  So, we have to leave it blank, so as not to
tip off the spambot, and that means that the author has to fill in
the field manually in order to enable the post.

Pm
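
The check discussed in this thread, written out as an added example (not code from the thread or from PmWiki). The HMAC-derived field names, the per-form token, and every function name are assumptions made for illustration; the last function shows why pre-filling the visible field from the Author cookie defeats the check.

```python
import hashlib
import hmac
import html
import re
import secrets

SECRET = secrets.token_bytes(32)  # constructed per-site key, kept server-side
N_FIELDS = 4                      # one real author field plus three decoys

def field_names(token):
    """Per-form field names derived from the token; index 0 is the real one."""
    return ["f" + hmac.new(SECRET, f"{token}:{i}".encode(),
                           hashlib.sha256).hexdigest()[:10]
            for i in range(N_FIELDS)]

def render_fields(token, prefill=""):
    """Return the form inputs; decoy classes are styled display:none in CSS."""
    real, *decoys = field_names(token)
    rows = [f'<input name="{real}" class="c{secrets.token_hex(3)}" '
            f'value="{html.escape(prefill)}">']
    rows += [f'<input name="{d}" class="c{secrets.token_hex(3)}" value="">'
             for d in decoys]
    secrets.SystemRandom().shuffle(rows)  # position must not give it away
    return (f'<input type="hidden" name="token" value="{token}">\n'
            + "\n".join(rows))

def accept_post(post):
    """Accept only if the real field is filled and every decoy is empty."""
    real, *decoys = field_names(post.get("token", ""))
    if any(post.get(d, "").strip() for d in decoys):
        return False
    return bool(post.get(real, "").strip())

def unchanged_submission(form_html):
    """What a client sends if it posts the form's default values untouched."""
    pairs = re.findall(r'name="([^"]*)"[^>]*value="([^"]*)"', form_html)
    return {name: html.unescape(value) for name, value in pairs}
```

With a blank visible field, a submission of the form's defaults is rejected because the author is empty; with the field pre-filled, the same untouched submission is accepted, which is the trade-off described above.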



