Could we please get the feature alluded to here: http://bugzilla.wikimedia.org/show_bug.cgi?id=5370 turned on for the English Wikipedia (and probably the rest of the projects too)? At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it. After replying to some threads about it on the admin noticeboard on enWiki I seem to have incurred the "wrath" of this individual as well, since I found 112 password reminders in my mailbox today.
Sure, they are easy to filter out, but we can't let spammers have free rein like this. If there is such a "throttle" feature it needs to be activated ASAP (how many times a day does the average user forget his password?). If nothing else, all these mails are an unnecessary strain on our mail system. Plus some users have "threatened" to report it to SpamCop and such, and we don't want our mailserver blacklisted now, do we?
On Friday 20 October 2006 17:25, Sherool wrote:
Could we please get the feature alluded to here: http://bugzilla.wikimedia.org/show_bug.cgi?id=5370 turned on for the English Wikipedia (and probably the rest of the projects too)? At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it.
See also http://en.wikipedia.org/wiki/User:69.50.208.4#Password_reset_attempt -- Leon Weber [[de:User:LeonWeber]]
Sherool wrote:
At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it.
... You *do* realise, though, that he does it primarily *because* people get upset about it?
Sure, they are easy to filter out, but we can't let spammers have free rein like this.
If you'd filter them out and not make a peep about it, he'd lose interest quickly.
Timwi
Moin,
On Saturday 21 October 2006 14:36, Timwi wrote:
Sherool wrote:
At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it.
... You *do* realise, though, that he does it primarily *because* people get upset about it?
Sure, they are easy to filter out, but we can't let spammers have free rein like this.
If you'd filter them out and not make a peep about it, he'd lose interest quickly.
This does not work; the emails are still generated, people are still upset, etc.
By your line of reasoning vandals would go away if everyone would just ignore them.
There really is no reason to allow more than X password reminders to be sent per day. Likewise, blocked IPs shouldn't be able to do this at all.
Best wishes,
Tels
-- Signed on Sat Oct 21 15:23:32 2006 with key 0x93B84C15. Visit my photo gallery at http://bloodgate.com/photos/ PGP key on http://bloodgate.com/tels.asc or per email.
"Man, I'm hot." - "Thirsty?" - "No, I mean good looking."
Agreed. Also, I think it is just a matter of time before Joe Random User gets really annoyed about this, and reports us to a spam blacklist.
Titoxd.
-----Original Message----- From: Tels [mailto:nospam-abuse@bloodgate.com] Sent: Saturday, October 21, 2006 6:25 AM To: Wikimedia developers Subject: Re: [Wikitech-l] Password reminder from Wikipedia spam
Moin,
On Saturday 21 October 2006 14:36, Timwi wrote:
Sherool wrote:
At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it.
... You *do* realise, though, that he does it primarily *because* people get upset about it?
Sure, they are easy to filter out, but we can't let spammers have free rein like this.
If you'd filter them out and not make a peep about it, he'd lose interest quickly.
This does not work; the emails are still generated, people are still upset, etc.
By your line of reasoning vandals would go away if everyone would just ignore them.
There really is no reason to allow more than X password reminders to be sent per day. Likewise, blocked IPs shouldn't be able to do this at all.
Best wishes,
Tels
-- Signed on Sat Oct 21 15:23:32 2006 with key 0x93B84C15. Visit my photo gallery at http://bloodgate.com/photos/ PGP key on http://bloodgate.com/tels.asc or per email.
"Man, I'm hot." - "Thirsty?" - "No, I mean good looking."
On 10/22/06, Titoxd@Wikimedia titoxd.wikimedia@gmail.com wrote:
Agreed. Also, I think it is just a matter of time before Joe Random User gets really annoyed about this, and reports us to a spam blacklist.
Agreed. IIRC the OTRS server already once got caught in a (Spamcop?) blacklist which caused problems with email delivery to servers which rely on this blacklist (i.e. do not accept mails from blacklisted sources). So this is something we really need to avoid. Michael
Titoxd.
-----Original Message----- From: Tels [mailto:nospam-abuse@bloodgate.com] Sent: Saturday, October 21, 2006 6:25 AM To: Wikimedia developers Subject: Re: [Wikitech-l] Password reminder from Wikipedia spam
Moin,
On Saturday 21 October 2006 14:36, Timwi wrote:
Sherool wrote:
At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it.
... You *do* realise, though, that he does it primarily *because* people get upset about it?
Sure, they are easy to filter out, but we can't let spammers have free rein like this.
If you'd filter them out and not make a peep about it, he'd lose interest quickly.
This does not work; the emails are still generated, people are still upset, etc.
By your line of reasoning vandals would go away if everyone would just ignore them.
There really is no reason to allow more than X password reminders to be sent per day. Likewise, blocked IPs shouldn't be able to do this at all.
Best wishes,
Tels
-- Signed on Sat Oct 21 15:23:32 2006 with key 0x93B84C15. Visit my photo gallery at http://bloodgate.com/photos/ PGP key on http://bloodgate.com/tels.asc or per email.
"Man, I'm hot." - "Thirsty?" - "No, I mean good looking."
On 10/22/06, Titoxd@Wikimedia titoxd.wikimedia@gmail.com wrote:
Agreed. Also, I think it is just a matter of time before Joe Random User gets really annoyed about this, and reports us to a spam blacklist.
It's already implemented. Blocked IPs can't request new passwords anymore.
"Simetrical" wrote:
On 10/22/06, Titoxd@Wikimedia wrote:
Agreed. Also, I think it is just a matter of time before Joe Random User gets really annoyed about this, and reports us to a spam blacklist.
It's already implemented. Blocked IPs can't request new passwords anymore.
Probably a finer system is needed. Blocked IPs can still log in, mail users and edit their talk page in order to complain (or elude soft blocks). So if such a user loses his password... well, it's improbable that all of these happen at the same time, but I think you see the point.
Tels wrote:
If you'd filter them out and not make a peep about it, he'd lose interest quickly.
By your line of reasoning vandals would go away if everyone would just ignore them.
And indeed they do, and indeed this is what Wikipedians recommend to each other! Revert their edits (equivalent to deleting the spam mails), but otherwise ignore them.
There really is no reason to allow more than X password reminders to be sent per day.
There really is no reason to set an arbitrary limit to the password reminders being sent per day.
Timwi
On 10/22/06, Timwi timwi@gmx.net wrote:
There really is no reason to set an arbitrary limit to the password reminders being sent per day.
We don't want Wikipedia being put on spam blacklists, rightfully, because we permit people to send arbitrary amounts of spam to our users.
On Sun, Oct 22, 2006 at 10:19:48PM +0100, Timwi wrote:
There really is no reason to set an arbitrary limit to the password reminders being sent per day.
Support that assertion?
Cheers, -- jra
I've just implemented a per-user limit on password reminder emails. By default, 24 hours must elapse from one password reminder to the next. I figure if you've just been sent one password reminder, you don't need another one, assuming your mail was working. There is also a per-IP limit which was already implemented, it just needs to be configured properly. The per-user limit prevents mail-bombing of a given user with multiple password reminders, and the per-IP limit makes it more difficult to send password reminders to a large volume of users. Per-IP limits are prone to false positives due to shared IPs, and can be evaded to some degree by technically capable users, but the per-user limit is quite secure.
Both features will be enabled on Wikipedia soon, if there are no sensible objections.
-- Tim Starling
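The two throttles Tim describes can be modelled in a few dozen lines. The block below is an added illustration written for this thread, not MediaWiki's own code from r17147: it implements a per-user cooldown (24 hours by default, as stated above) and a sliding-window per-IP limit, refuses blocked IPs outright, and then replays two constructed scenarios (a bot mail-bombing one account, and a bot spraying many accounts from one IP) plus a legitimate retry. The IP limit of 5 attempts per hour, the usernames and the 198.51.100.0/24 and 203.0.113.0/24 addresses are assumptions chosen for the example.

```python
from collections import Counter, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # "sent", "blocked-ip", "ip-limit" or "user-cooldown"


class PasswordReminderThrottle:
    """Hypothetical model (not MediaWiki's implementation) of two independent
    throttles in front of the "mail me a new password" action:
    a per-user cooldown and a sliding-window per-IP limit."""

    def __init__(self, user_cooldown=24 * 3600, ip_limit=5, ip_window=3600, clock=time.time):
        self.user_cooldown = user_cooldown   # seconds between reminders for one account
        self.ip_limit = ip_limit             # attempts allowed per ip_window (assumed value)
        self.ip_window = ip_window
        self.clock = clock
        self._last_sent = {}     # username -> time the last reminder was actually sent
        self._ip_attempts = {}   # ip -> deque of attempt times inside the window

    def request(self, username, ip, ip_blocked=False):
        now = self.clock()
        if ip_blocked:
            return Decision(False, "blocked-ip")
        # The per-IP limit counts attempts, not deliveries, so a bot cannot probe
        # other accounts' cooldown state without spending its own budget.
        attempts = self._ip_attempts.setdefault(ip, deque())
        while attempts and now - attempts[0] >= self.ip_window:
            attempts.popleft()
        if len(attempts) >= self.ip_limit:
            return Decision(False, "ip-limit")
        attempts.append(now)
        last = self._last_sent.get(username)
        if last is not None and now - last < self.user_cooldown:
            return Decision(False, "user-cooldown")
        self._last_sent[username] = now
        return Decision(True, "sent")


class FakeClock:
    """Deterministic clock so the constructed scenarios run offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def mailbomb_one_user(attempts=112):
    """Constructed scenario: one IP requests `attempts` reminders for one account, one per second."""
    clock = FakeClock()
    throttle = PasswordReminderThrottle(clock=clock)
    outcomes = Counter()
    for _ in range(attempts):
        clock.advance(1)
        outcomes[throttle.request("Sherool", "198.51.100.7").reason] += 1
    return dict(outcomes)


def spray_many_users(users=50):
    """Constructed scenario: one IP requests a reminder for each of `users` distinct accounts."""
    clock = FakeClock()
    throttle = PasswordReminderThrottle(clock=clock)
    outcomes = Counter()
    for i in range(users):
        clock.advance(1)
        outcomes[throttle.request(f"User{i}", "198.51.100.7").reason] += 1
    return dict(outcomes)


def retry_after(seconds, user_cooldown=24 * 3600):
    """A legitimate user whose first mail never arrived retries after `seconds`."""
    clock = FakeClock()
    throttle = PasswordReminderThrottle(user_cooldown=user_cooldown, clock=clock)
    first = throttle.request("Alice", "203.0.113.9").reason
    clock.advance(seconds)
    return first, throttle.request("Alice", "203.0.113.9").reason


if __name__ == "__main__":
    print(mailbomb_one_user())                    # one reminder sent, the rest throttled
    print(spray_many_users())                     # only ip_limit accounts reached
    print(retry_after(3600), retry_after(3600, user_cooldown=3600))
```

With the default settings the 112-reminder mailbomb delivers exactly one message; the spray from a single IP reaches five accounts before the IP window closes, which is the false-positive trade-off Tim mentions for shared addresses. `retry_after` makes the cooldown length a visible parameter: with a 24-hour cooldown a user who did not receive the first mail is refused an hour later, whereas a one-hour cooldown lets the retry through.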
On 23/10/06, Tim Starling tstarling@wikimedia.org wrote:
Per-IP limits are prone to false positives due to shared IPs, and can be evaded to some degree by technically capable users, but the per-user limit is quite secure.
Also, consider the situation when you are not sure about your registered username on Wikipedia -- you might try to fill in a few usernames and click "mail me a new password" on each, which is quite a valid use case. (Another solution to the problem would be a requirement to fill in your e-mail address to use this functionality.)
-- [[cs:User:Mormegil | Petr Kadlec]]
Tim Starling wrote:
I've just implemented a per-user limit on password reminder emails. By default, 24 hours must elapse from one password reminder to the next. I figure if you've just been sent one password reminder, you don't need another one, assuming your mail was working.
And there you've already highlighted a grave problem with your approach. Suppose you didn't receive the mail (for whatever reasons). Then what?
Moin,
On Friday 27 October 2006 23:56, Timwi wrote:
Tim Starling wrote:
I've just implemented a per-user limit on password reminder emails. By default, 24 hours must elapse from one password reminder to the next. I figure if you've just been sent one password reminder, you don't need another one, assuming your mail was working.
And there you've already highlighted a grave problem with your approach. Suppose you didn't receive the mail (for whatever reasons). Then what?
I think 1 hour would be a slightly better limit (manually triggering them needs a 1 hour waiting period; vandals might lose patience with that).
Plus, maybe you could allow the reminder to be sent out faster if you get back a bounce.
(Silently eaten reminders still cause a problem, but if you don't get the first, you likely don't get the second, either.)
Another alternative approach would be to make reminders be sent out immediately if you enter your email address; otherwise they are capped to (whatever limits) you want.
best wishes,
tels
-- Signed on Sat Oct 28 00:32:25 2006 with key 0x93B84C15. Visit my photo gallery at http://bloodgate.com/photos/ PGP key on http://bloodgate.com/tels.asc or per email.
"The UAC is making safer worlds through superior firepower."
"Timwi"
Tim Starling wrote:
I've just implemented a per-user limit on password reminder emails. By default, 24 hours must elapse from one password reminder to the next. I figure if you've just been sent one password reminder, you don't need another one, assuming your mail was working.
And there you've already highlighted a grave problem with your approach. Suppose you didn't receive the mail (for whatever reasons). Then what?
You will likely press 'send password' again, but the second one would probably not arrive either. Or maybe it's just the first one that is arriving too slowly, so the second one (the first one won't work then) will take a while too. Telling them "We really sent you a message, please wait" is probably OK. However, I don't mind setting the limit lower.
On Friday, 20 October 2006 19:25, Sherool wrote:
Could we please get the feature alluded to here: http://bugzilla.wikimedia.org/show_bug.cgi?id=5370 turned on for the English Wikipedia (and probably the rest of the projects too)? At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it. After replying to some threads about it on the admin noticeboard on enWiki I seem to have incurred the "wrath" of this individual as well, since I found 112 password reminders in my mailbox today.
Sure, they are easy to filter out, but we can't let spammers have free rein like this. If there is such a "throttle" feature it needs to be activated ASAP (how many times a day does the average user forget his password?). If nothing else, all these mails are an unnecessary strain on our mail system. Plus some users have "threatened" to report it to SpamCop and such, and we don't want our mailserver blacklisted now, do we?
Wouldn't the whole problem be avoided if the user had to fill in his e-mail address (which he hopefully hasn't forgotten...) when asking for the password reminder email?
greetz
Julian Fleischer wrote:
On Friday, 20 October 2006 19:25, Sherool wrote:
At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it.
Wouldn't the whole problem be avoided if the user had to fill in his e-mail address (which he hopefully hasn't forgotten...) when asking for the password reminder email?
greetz
-- Public Key at http://keys.warhog.net/mediazilla_warhog_net.asc
Does that really avoid the problem? Let's use you as an example. And for the sake of this hypothetical example, let's suppose I want to spam you with hundreds of password reminders.
From your warhog.net domain name, I'll guess your username is [[:en:User:Warhog]]. So I go to that page and it says you're originally from the German Wikipedia. So now I view the whois record for your domain at http://whois.domaintools.com/warhog.net , and sure enough it's in Germany, and the domain owner name matches the name you used in your email, so we can be fairly sure we've got the right Wikipedia username for our password reset form. Now we just need your email address.
So then we look at http://keys.warhog.net/ and we can get an idea of the email addresses you're using from the filenames. However we don't see anything with "wikipedia" on it, so we can try resetting your password using all the entries on that list, plus also wikipedia _at_ the-various-domain-names-you-use-for-email.
Presumably the password reset form tells the user when the email address doesn't match (for legitimate users who have multiple email addresses and really do need their passwords reset), so we try the above addresses until we get a successful match.
Now, maybe you're using an entirely different address for your Wikipedia account which cannot be predicted using the above approach. But most people won't be - they either use the same address, or one of a collection of addresses, or they use a predictable format to their email addresses. And once the spammer has that address, then they can spam you with password resets (at least until you change it). And now because they know that people are likely to change their email addresses to stop the spamming, rather than being a chronic pest by sending 100 password resets every couple of days, now they'll probably do a once-only spam-run with thousands of password resets before you can change your email address.
I'm just not sure having to enter an email address solves the problem. It would slow it down some, but it also forces the spammers who want to continue to become more like stalkers, which isn't good! ;-)
Anyway, it's probably moot, because it looks like this is fixed now with r17147 (http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-October/018107.html).
All the best, Nick.
On 10/23/06, Julian Fleischer mediazilla@warhog.net wrote:
Sure, they are easy to filter out, but we can't let spammers have free rein like this. If there is such a "throttle" feature it needs to be activated ASAP (how many times a day does the average user forget his password?). If nothing else, all these mails are an unnecessary strain on our mail system. Plus some users have "threatened" to report it to SpamCop and such, and we don't want our mailserver blacklisted now, do we?
Wouldn't the whole problem be avoided if the user had to fill in his e-mail address (which he hopefully hasn't forgotten...) when asking for the password reminder email?
As another attempt at a solution, it would be useful (and maybe even sufficient) to make the user complete a captcha before the reminder is generated. This would at least avoid bots sending out hundreds of password reminders.
Steve
On 10/29/06, Stephen Forrest stephen.forrest@gmail.com wrote:
As another attempt at a solution, it would be useful (and maybe even sufficient) to make the user complete a captcha before the reminder is generated. This would at least avoid bots sending out hundreds of password reminders.
And blind people from sending out one.
Moin,
On Sunday 29 October 2006 19:22, Simetrical wrote:
On 10/29/06, Stephen Forrest stephen.forrest@gmail.com wrote:
As another attempt at a solution, it would be useful (and maybe even sufficient) to make the user complete a captcha before the reminder is generated. This would at least avoid bots sending out hundreds of password reminders.
And blind people from sending out one.
Blind people could set "[X] I cannot use captchas" in their options. (When that is implemented.)
Best wishes,
Tels
-- Signed on Sun Oct 29 19:54:26 2006 with key 0x93B84C15. Visit my photo gallery at http://bloodgate.com/photos/ PGP key on http://bloodgate.com/tels.asc or per email.
"What is fair use? Fair use is not a law. There's nothing in law. Right now, any professor can show a complete movie in his classroom without paying a dime - that's fair use. What is not fair use is making a copy of an encrypted DVD, because once you're able to break the encryption, you've undermined the encryption itself." - Jack Valenti