Question
We have a public TWiki site (http://www.resc.rdg.ac.uk/wiki) and we have always been bothered by spammers registering on our site (fortunately, they don't tend to do much damage). Our site is set up so that only registered users can edit pages.
I thought I had fixed the problem when I arranged it so that the registration page itself could not be viewed except by registered users. That way, a new user has to find an existing user to register them, which in our case is not normally a problem. This worked well for a few months and the flow of bogus registrations stopped.
However, this morning we have had three unwanted registrations from spammers. I can't work out how they have registered - I assume they didn't ask one of our existing users. Although they appear in the TWikiUsers page they do not appear in the /twiki/data/.htpasswd file, which I found surprising.
Does anyone know how these people might have registered and how I can stop it happening in the future? All suggestions very much appreciated.
Environment
--
JonBlower - 31 Jan 2006
Answer
Not sure about how the Wiki spammers managed to register (did they perhaps edit the TWikiUsers page directly?), but see WikiSpam for discussion and links, and in particular try installing the BlackListPlugin, which is very effective at TWiki.org.
--
RichardDonkin - 31 Jan 2006
Maybe they logged in as TWikiGuest? Try changing the password for that account.
--
MartinCleaver - 31 Jan 2006
I had a similar problem on my TWiki installation before I locked down registration. I had tried everything and still the bogus registrations kept coming. Then I noticed that the new users' home pages had info from fields that were part of the default registration form... but I had long since removed those fields from the registration form I have on my site! I guessed that whoever was registering was filling in a local copy of the default form that directly called the register script on my site. I tried that trick myself and lo! sure enough, it could be done. Since then, I've changed the way that registrations are handled on my wiki (it's now a much tighter ship but registrations are no longer automatic) and I haven't had any problems since (knock wood).
--
AndrewZinck - 31 Jan 2006
Thanks Andrew, this looks like it could be the problem. So if I've understood correctly, the spammers might be POSTing the registration data direct to the registration script on my server? What's the best way of preventing this? Could you give me more details on how you fixed it please?
--
JonBlower - 31 Jan 2006
More info
Thanks for your suggestions guys. I've installed the BlackListPlugin. Martin - users can't log on as TWikiGuest so I'm sure that's not the problem. Here are some more details that might be instructive:
- When the bogus users registered I was notified automatically via email as usual
- However, there was no entry for them in /twiki/data/.htpasswd
- Oddly, the front page of the Wiki and the front page of the Main web were both "defaced invisibly", by which I mean that their contents had been edited (a load of links to poker sites), but these edits did not appear in the HTML version of the page: they only appeared in the edit view (and presumably they would also have appeared in the raw view)
- The WebChanges pages for the defaced webs did not show these changes
I wonder if the registration and the defacing were both done in a way that bypasses TWiki somehow (direct editing of server files?). However, I was still notified of the registration so it is clear that the TWiki mechanisms were operating to some extent. Perhaps the spammers got directly into the server? Or perhaps there is a hole in TWiki that would have allowed a spammer to run a script that performed the registrations and defacing invisibly?
The (possible) answer
It seems that AndrewZinck was right - it is possible to register simply by having a local copy of the registration page that POSTs data to the registration script (/twiki/bin/registration). In this way any user can register and circumvent any protection on the registration page. (However, this doesn't explain why my bogus users were not appearing in the /twiki/data/.htpasswd file.)
I've fixed this in the following way:
- Arranged it so that only registered users can view the registration form (so a new user has to ask an existing user to register him/her)
- Added a hidden field to the registration form that passes a string (an authorization key) to the registration script
- Edited the registration script to check for this key, passing the user to an error page if it does not exist or is wrong.
In this way, users can't register from a local copy of the registration page unless they have the key. Of course, they can discover the key by logging on as a registered user and viewing the source of the registration page. But I'm assuming that these spammers can't log in as a registered user. If anyone wants to know more details about this please contact me.
I've marked this question as "Answered" since I have found the cause of these bogus registrations (and a rather clunky solution), but I'd still like to know whether there are any plans to change the registration method in TWiki to be more secure.
--
JonBlower - 31 Jan 2006
Indeed there are not only plans to change the registration method - in the Dakar release which is going to be published as TWiki version 4.0 soon (it's release candidate 2 as of today, see TWikiRelease04x00x00rc02), registration has been rewritten by MartinCleaver so that users have to confirm their registration per email (ViewDEVELOP:TWiki.TWikiReleaseNotes04x00x00#New_User_Registration).
And I am sure the story won't end here, given the ongoing race of arms between spammers and netizens.
Codev.Captcha has been proposed, as well as a couple of other techniques to avoid unwanted registrations (see for example RegistrationAsPluginRequirements).
One thought on your solution: Given that only registered users are allowed to use registration, would it be possible to protect the register script in the web server configuration so that only authenticated users can call it - like edit, viewauth and the like? On TWikis where users register themselves this is exactly what can't be done, but in your case users authenticate to view the registration form....
--
HaraldJoerg - 01 Feb 2006
Thanks Harald, this is a much neater solution than mine and just as effective. I have simply added the lines
<Files "register">
require valid-user
</Files>
to my bin/.htaccess file and now new users cannot be registered except by an existing user. Don't know why I didn't think of that before!
--
JonBlower - 01 Feb 2006
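The thread's core lesson is that access control on the registration form does nothing for a client that skips the form and POSTs straight to the register script; the handler itself has to enforce the check. The following is an added illustration, not TWiki code, comparing the three handler behaviours discussed above: the original unprotected script, JonBlower's hidden authorization key, and the equivalent of Apache's "require valid-user" on the script. Requests, the session flag and the user store (standing in for data/.htpasswd) are hypothetical in-memory structures invented for the example.

```python
"""Added example (not TWiki code): the registration handler, not the form,
is what must be protected. Everything here is a hypothetical stand-in for
TWiki's real bin/register script and data/.htpasswd."""
import hmac
import secrets

# Hidden-field key from the "clunky" fix. It is embedded in the form that
# only authenticated users can view, so anyone who can see the form has it.
REGISTRATION_KEY = secrets.token_hex(16)


def register_form(request, user_store):
    """GET of the registration topic: only authenticated users may view it."""
    if not request["authenticated"]:
        return 403, "login required to view the registration form"
    return 200, f'<input type="hidden" name="authkey" value="{REGISTRATION_KEY}">'


def register_unprotected(request, user_store):
    """POST to the register script as originally deployed: it trusts that the
    caller saw the protected form. A local copy of the default form that
    posts the fields directly never touches the form and is accepted."""
    fields = request["fields"]
    user_store[fields["WikiName"]] = fields["Password"]
    return 200, "registered"


def register_with_key(request, user_store):
    """POST with the hidden authorization key check. Defeats a blind POST
    from a copied default form, but is only as strong as the form's own
    view protection, because viewing the form reveals the key."""
    supplied = request["fields"].get("authkey", "")
    # compare_digest keeps the comparison time independent of where the
    # supplied value first differs from the key.
    if not hmac.compare_digest(supplied.encode(), REGISTRATION_KEY.encode()):
        return 403, "bad or missing authorization key"
    return register_unprotected(request, user_store)


def register_require_valid_user(request, user_store):
    """POST behind the equivalent of `require valid-user` on the script in
    bin/.htaccess: the handler demands an authenticated caller, so copying
    the form gains nothing."""
    if not request["authenticated"]:
        return 401, "authentication required"
    return register_unprotected(request, user_store)


def direct_post(wiki_name, authenticated=False, authkey=None):
    """Constructed request: what a local copy of the form would submit."""
    fields = {"WikiName": wiki_name, "Password": "hunter2"}
    if authkey is not None:
        fields["authkey"] = authkey
    return {"method": "POST", "path": "/bin/register",
            "authenticated": authenticated, "fields": fields}


def simulate(handler):
    """Run an unauthenticated direct POST against a handler and report
    (HTTP status, whether a user ended up in the store)."""
    store = {}
    status, _ = handler(direct_post("SpamBot"), store)
    return status, "SpamBot" in store


if __name__ == "__main__":
    for handler in (register_unprotected, register_with_key,
                    register_require_valid_user):
        print(f"{handler.__name__:28s} -> {simulate(handler)}")
```

Running it shows the unprotected handler creating the bogus account from a direct POST while both fixes reject it; the difference between the two fixes is that the key check can be passed by anyone who has seen the form source, whereas the web-server rule needs real credentials on every call to the script.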