[15:14:21] There's some spambots at https://snapwiki.miraheze.org/wiki/Special:RecentChanges
[15:14:22] [url] Recent changes - Snap! Wiki | snapwiki.miraheze.org
[15:16:20] [discord] Looking
[15:16:54] [discord] Goodness me
[15:17:00] yeah...
[15:17:04] [discord] wow
[15:17:11] [discord] How are they bypassing the AbuseFilter?
[15:18:14] I can't see the abuse filters, so no idea
[15:18:37] [discord] There's a global abuse filter which prohibits unregistered users from posting links
[15:18:38] [discord] I think
[15:18:47] [discord] but anyhow, hCaptcha is not working it seems
[15:19:18] they aren't unregistered users
[15:19:59] [discord] I see some IP users who edited, no?
[15:20:22] Yes, but they didn't add external links: https://snapwiki.miraheze.org/w/index.php?title=Simple_Hair_Care_Tips_To_Restore_Your_Locks_To_Their_Natural_Luster&curid=1282&diff=0&oldid=12780
[15:20:23] [url] Simple Hair Care Tips To Restore Your Locks To Their Natural Luster: Difference between revisions - Snap! Wiki | snapwiki.miraheze.org
[15:20:32] so that's why the AbuseFilter doesn't catch them
[15:21:14] [discord] @CosmicAlpha any ideas? ^
[15:21:27] but anyway, there's a pretty obvious pattern in these spambots that should be more reliable than looking for external links
[15:21:28] [discord] That wiki is getting bombarded with spam after we switched to hCaptcha
[15:21:59] [discord] 99% of bots abuse a web host IP range so I just nuke their entire ASN
[15:22:11] OMG, can someone think of the spammers?!!!!??
[15:22:22] [discord] Spammers have no rights 😠
[15:38:20] [discord] I see the issue
[15:38:25] [discord] Users have the skipcaptcha right
[15:38:41] [discord] they shouldn't as that allows you to bypass captchas and the global AbuseFilters
[15:40:51] [discord] wellp
[15:47:38] [discord] A solveable "them" problem, then? I assume that's not an inherited global default.
[15:48:13] [discord] I've asked CosmicAlpha to revoke the skipcaptcha right from the user group globally
[15:48:21] [discord] it's on the ManageWiki blacklist anyhow
[15:58:17] [discord] I wonder if it's possible to block accounts that trigger global filter 18, even if just for a day?
[15:58:31] [discord] Thanks for looking into this. 🙂
[16:00:02] [discord] I'll look into it
[16:00:36] [discord] The only issue would be with false positives
[16:00:44] [discord] I'll see if the filter has any false positives
[16:01:34] [discord] Well, if the block is only for a day (and assuming the filter checks for the 'confirmed' group), local admins should be able to revert them.
[16:03:42] [discord] if not, a local wiki might implement the filter and make it slightly more aggressive to suit its needs
[16:04:09] [discord] It's private...
[16:04:20] [discord] that can be worked out
[16:05:07] [discord] just an idea in case the global filter isn't necessarily able to cover all situations well enough
[16:05:39] [discord] As long as the `user` group doesn't have `skipcaptcha`, our global filters should catch 99% of bots
[16:06:16] [discord] That was an intentional change as some Chinese users were unable to edit as reCaptcha didn't work for them but I suppose it can be removed now.
[16:07:03] [discord] We've moved to hCaptcha so hopefully Chinese users are able to edit now as hCaptcha isn't blocked by the Great Firewall of China
[16:07:16] [discord] but an unintended consequence is that now we have more spambots lol
[17:06:35] [discord] bypassing hcaptcha is not hard
[17:06:52] [discord] just duckduckgo "captcha solver"
[17:07:14] [discord] either with AI or by hiring humans to solve captchas
[17:07:32] I know right?
[17:07:45] same with Google's reCAPTCHA
[17:07:55] [discord] yea
[17:08:09] [discord] maybe the spambots are based out of china so thats why theres more spambots
[17:08:19] [discord] i've always found the hcaptchas harder than the recaptchas s
[17:08:38] I'm of the opinion that we should just not use them, both for being bad at their job, and for privacy concerns
[17:08:45] [discord] so i dont think that they're easier for the bots who solve them by having humans do them
[17:08:56] [discord] this has been argued for
[17:08:57] I also think Miraheze can't call itself 100% open source if it uses these CAPTCHA systems
[17:09:00] [discord] but SRE said no
[17:09:06] [discord] due to spambots
[17:09:28] But have they ever tried?
[17:09:34] [discord] i am not sure
[17:09:39] [discord] although if you want a case study
[17:09:44] [discord] https://en.uncyclopedia.co
[17:09:45] [url] Uncyclopedia | en.uncyclopedia.co
[17:09:47] Given how Miraheze already blocks open proxies and webhosts, maybe it wouldn't be that bad
[17:09:52] [discord] with the spambots there
[17:10:04] [discord] i'm a rollbacker and abuse filter helper on uncyc
[17:10:23] [discord] until we added a captcha on the signup page the amount of spambots were overwhelming
[17:10:32] [discord] even now we have a lot of signed out spambots that we addressed with an abuse filter
[17:10:40] [discord] and a very small group of signed up spambots
[17:13:32] [discord] one thing, what captcha is it that wikipedia uses
[17:13:35] [discord] maybe we could test that one
[17:16:41] I think they're running one of the built-in CAPTCHA in the ConfirmEdit extension: https://www.mediawiki.org/wiki/Extension:ConfirmEdit
[17:16:42] [url] Extension:ConfirmEdit - MediaWiki | www.mediawiki.org
[17:17:19] Wikimedia admits theres dont work and have tasks to change to hcaptcha also.
[17:17:32] theirs
[17:18:28] seriously
[17:19:28] https://phabricator.wikimedia.org/T250227 https://phabricator.wikimedia.org/T241921
[17:19:29] [url] ⚓ T250227 Investigate and evaluate hCaptcha to replace Wikimedia's Fancy Captcha | phabricator.wikimedia.org
[17:19:30] [url] ⚓ T241921 Fix Wikimedia captchas | phabricator.wikimedia.org
[17:20:24] I hope they don't switch, honestly
[17:24:00] CosmicAlpha : No
[17:24:09] The task itself literally explains why it cannot happen
[17:24:23] Plus there are literally thousands of open tasks. That doesn't mean it will ever happen\
[17:24:24] [discord] optimally for captcha I like the idea of something self hosted that is actually good (good luck) and is supplemented with good abusefilters etc for what does slip by
[17:25:54] This is the second time people have acted like "Wikimedia is going to add hcaptcha soon!" to defend using it
[17:26:12] Without actually reading the task https://usercontent.irccloud-cdn.com/file/l3sypoxu/image.png
[17:26:34] I wasn't saying that. I was replying to the a ive about switching to what wikimedia uses, which they admit doesn't work at all.
[17:27:23] [discord] this is not the first time a misreading of the conversation is extrapolated into a 'this is the xth time people have y for z'
[17:28:33] Who is "they"? Anyone can create a task
[17:28:47] Which Tgr says doesn't work at all
[17:29:16] [discord] hCaptcha tackles the most basic spambots or else we'd also have them too
[17:29:33] [discord] There's a good handful of spambots originating from compromised home computer connections
[17:29:45] [discord] but they generally seem to not be able to break through the captcha
[17:30:10] [discord] ever considered emailing the ISPs to tell them about that
[17:30:19] [discord] We have and they never reply
[17:30:21] [discord] oh
[17:30:22] [discord] F
[17:30:28] [discord] pretty typical of going to isps
[17:30:46] [discord] well if the spambots are on digitalocean, namecheap, etc. i'd consider reporting
[17:30:48] [discord] Many are home connections from foreign countries and if I block that range, I'm afraid I'll end up blocking the entire country lol
[17:30:51] [discord] you'll get more progress reporting to things like stopforumspam
[17:31:02] [discord] because
[17:31:04] [discord] Wikipedia once blocked one singular IP and ended up blocking an entire country
[17:31:05] [discord] they have good abuse handling
[17:31:10] [discord] if it's from a hosting provider the chances are slightly higher something is done
[17:31:13] [discord] Very rarely do I see a DO spambot
[17:31:21] Agent: but that was unrelated to the spambot thing
[17:31:22] [discord] njalla also has a policy requirement that you don't spam
[17:31:24] [discord] and yeah, those are rarer anyway
[17:31:30] [discord] yeah ik
[17:31:37] [discord] It's mostly spambots who abuse a handful of devices like IPXO, Dedipath, OVH, etc
[17:31:41] [discord] the places you mention are the places where it is less likely to happen in the first place; the problem remains for 90+% of cases
[17:31:47] [discord] OVH suspends things a lot
[17:31:50] [discord] I've blocked over 20,000 ranges probably but we still have plenty of spambots
[17:32:05] [discord] according to wikipedia they banned guerrilla mail
[17:32:12] [discord] nice
[17:32:14] [discord] so report to OVH
[17:32:14] @Agent What country would that be? Even North Korea has around 6 IPs I think
[17:32:39] [discord] https://techcrunch.com/2007/01/01/wikipedia-bans-qatar/
[17:32:39] [url] Wikipedia Bans Qatar | TechCrunch | techcrunch.com
[17:32:46] [discord] seems it was quite a while ago
[17:33:09] [discord] but Qatar had one IP for the entire country
[17:33:20] [discord] thats honestly hilarious
[18:05:37] [discord] @Colleiflower +1 for allpedia edit
[18:05:46] [discord] yay thanks
[20:45:28] [discord] i forgot about allpedia 😭
[21:09:53] [discord] not hard to do
[21:10:06] [discord] I only remember it because I went out of my way to list wikis where people gave me some sort of responsibility