User talk:Greener/Spambots
Phase Two of Cleaning Up
Hi all,
I've now reached the inglorious point of having temporarily blocked 500 IP ranges for spam over the last few months. To clarify, these IPs rarely actually spammed the wiki, but instead attempted to join the wiki with a fake account. Given that the temp blocks were for 6 months, and all evidence points to most ranges never getting fully cleaned of their spam bots, I would like to open up a discussion.
I started gathering data from these logs with the intention of cleaning the chaff out of the Special:AbuseLog in order to ensure that actual editors were not being blocked from either editing or joining the wiki. With the daily average number of logs ranging from the low 30s to over 150 against a single filter, identifying if/when there was a problem became a daunting and demoralizing task. The filters that have been implemented are incredible, and false positives are quite rare. Actual people are reading the prompts and using GWW:AN to join, while my prods to the other IPs haven't always worked (e.g. User talk:93.212.133.10). But I want to squeeze every last ounce of energy from the community to keep the maintenance up, even if at a trickle. Having three pages of abuse filter logs to stare at did not help, and I do not want to go back to those times. I believe that cleaning out spam bots from Special:AbuseLog would be beneficial not only now, but especially so as the years go by and sysop activity inevitably dwindles.
A few points to note before continuing:
- Many of my initial blocks were done to be as narrow as possible (e.g. a /25 instead of /24, even if a week later I had to increase the range).
- Some of the range blocks listed in the first link have been subsequently rolled into infinite blocks over the larger range they belong to.
- All of the ranges belong to larger companies which sell either individual IPs or small IP ranges to other people or businesses.
  - These are not ranges which are used by Rogers or Comcast for people's homes, etc.
- Spam bots on these ranges do get shut down, but often start up again.
  - Reasons could include everything from hacked servers to spammers repeatedly buying an IP for a few bucks a month. (Damn you, ColoCrossing!)
- There are some spam bots which we will never be able to catch, as they hit from completely random IPs with no discernible pattern.
  - They're the ones which hit the same filter twice in a row, but never again from that range. Blocking the range would be pointless.
- Proposal
Up to this point, my actions have been completely reactive, despite wanting to block all of Micfo or ColoCrossing. They've also been based in the vain hope that the ranges might somehow be used by an actual editor. I do believe I should continue to be reactive (only blocking when there's a problem); I would like to hear back from the community about extending some of the six-month bans to be infinite, based solely on the company that owns/sells the IP range.
- Feedback topics
- Would you be okay with me extending blocks from six months to infinite if I can associate the range as belonging to a large company such as ColoCrossing? Why or why not?
- What checks and balances would make you comfortable? (e.g. I use check-user when I feel there's even a slight possibility that my data and research could be insufficient).
- Should preemptive blocks against large IPs be considered? Note that these would be ranges which have never shown a sign of spam.
- Should we consider bringing in a black-list from another source instead of creating our own?
I do want to stress that there is no reason for me to implement any of these steps. I can always wait until September to see the bots come back and ban them at that point (though they won't all come right away, requiring scrutiny for many following months). G R E E N E R 18:41, 4 May 2015 (UTC)
- Hi Greener, I'm essentially inactive on here but here are my thoughts:
- I don't see the problem with perma-blocking IP ranges if the only live contribution within is spambots.
- Provided you're sure that the range of IPs blocked adequately covers the source (i.e. you checkuser a few (>2) IPs from the range to confirm), as little checks/balances as you wish.
- Sure... kind of goes with point #1.
- I've no idea where we would get an external blacklist from (without doing some research first), but if someone else has produced a good list, this seems like a good idea too.
- -Chieftain Alex 23:26, 6 May 2015 (UTC)