[pmwiki-users] Spam

Petko Yotov 5ko at 5ko.fr
Sun Feb 6 12:29:19 CST 2011


On Sunday 06 February 2011 17:31:23, Wade Lee Hudson wrote :
> Someone is spamming my site.
> I changed the edit password, but that did not help.

Some of your groups have the @nopass edit password which just opens them for 
editing with no password. You should search your wiki for GroupAttributes:

  http://progressiveresourcecatalog.org/index.php?action=search&q=name%3DGroupAttributes

Then follow the link to every GroupAttributes page, then click on the link 
"Page attributes" (between the links "Edit page" and "Page history"), then 
remove the @nopass password. Use "clear" to revert to the site password, or 
"@lock" to lock the editing.

I just did this (@lock) to the PDA.GroupAttributes page, as the PDA group had 
spam in the recent changes. You need the admin password to edit it and to 
revert the latest good version from the page history.

See http://www.pmwiki.org/wiki/PmWiki/Passwords for more information.

> I (temporarily) removed all the password code from local/config.php, but
> that did not help.

This is normal: with no password defined, a wiki is mostly open for editing by 
anyone. You should have $DefaultPasswords['admin'], $DefaultPasswords['edit'], 
$DefaultPasswords['upload'], and $DefaultPasswords['attr']. The 'admin' and 
'attr' passwords are usually not needed by ordinary editors and should be 
secret. The 'edit' and 'upload' passwords may be needed, and you should tell 
them to your users.

See http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin for more information.

> Please advise.

Your kind of spam is added by spambots, programs that search the internet for 
open pages. A password-protected page usually discourages editors; this is why 
some wikis are left open. We found that it is very easy to protect a wiki by a 
"public" password, mentioned in the wiki documentation, or even on the login 
form - real people can use it, but bots are deceived. These spambots are not 
programmed to search for a password and they just move to the next site.

There are more sophisticated recipes, but all I use is a message at the bottom 
of my page [[Site.AuthForm]], something like:

(:if group Thumblist*,Cookbook,TE:)
'''PmWiki fans''': the edit/upload password is @@quick@@.
(:if:)  

if in config.php I have:
  $DefaultPasswords['edit'] = crypt("quick");

For more information about security, see 
  http://www.pmwiki.org/wiki/PmWiki/Security

> If I cannot solve the problem quickly, my host wants me to temporarily
> block all ability to edit the site, which would be ok with me.

You can set a wiki to read-only by adding this to config.php:
  $EnableReadOnly = 1;

But this would prevent you from cleaning up the spam. Instead, you could set the 
'edit' password to '@lock' (and not crypt('@lock')) and then use your admin 
password to revert to previous versions from the page history.

Good luck,
Petko
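
An added example, not part of the message above: a Python audit that automates the manual GroupAttributes check for an admin with filesystem access, and also covers attributes set on individual pages. It assumes PmWiki's default flat-file store (one "Group.Name" file per page in wiki.d/, one key=value attribute per line, passwords under passwd<level>); the function names and the sample page files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: page attributes are stored one per line as key=value, and
# password attributes are named passwdedit, passwdupload, passwdattr, ...
PASSWD_LINE = re.compile(r"^passwd(\w+)=(.*)$")

def audit_page(path):
    """Return {level: [tokens]} for the password attributes set on one page file."""
    found = {}
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line in text.splitlines():
        m = PASSWD_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found

def find_open_pages(wiki_dir, levels=("edit", "upload", "attr")):
    """List (page, level) pairs where @nopass removes the password check."""
    hits = []
    for path in sorted(Path(wiki_dir).iterdir()):
        if not path.is_file():
            continue
        attrs = audit_page(path)
        for level in levels:
            if "@nopass" in attrs.get(level, []):
                hits.append((path.name, level))
    return hits

def demo():
    """Audit three constructed page files: one open, one locked, one decoy."""
    samples = {
        "PDA.GroupAttributes": "name=PDA.GroupAttributes\npasswdedit=@nopass\ntext=\n",
        "Main.GroupAttributes": "name=Main.GroupAttributes\npasswdedit=@lock\ntext=\n",
        # "@nopass" inside the page text is not an attribute and must not match.
        "Main.HomePage": "name=Main.HomePage\ntext=passwdedit=@nopass in body\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            Path(d, name).write_text(body, encoding="utf-8")
        return find_open_pages(d)

if __name__ == "__main__":
    for page, level in demo():
        print(f"{page}: '{level}' is open (@nopass)")
```

To audit a real installation, call find_open_pages() with the path to its wiki.d directory; each hit is a page whose attributes should be changed to "clear" or "@lock" as described above.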


