Initially, I was simply erasing the spam content and banning the user accounts and IPs, but our user list was filling up with these ugly account names and got to the point where 50% of the accounts were bogus. MediaWiki does not provide a built-in tool for deleting accounts, for reasons of database integrity.
JW_Platt and I have been working to try to better manage this problem:
- There was a weakness in our security: while an account with an unauthenticated e-mail address could not edit a page, it could still create a new one. We've closed that loophole.
- We've added an extension to the wiki software that allows us to effectively delete unwanted accounts by merging them into another one. All the spam accounts have now been merged into an account named +BlockedUsers+.
- To minimize spambot activity, we've added a reCAPTCHA to the sign-up page.
The human input means the reCAPTCHA test is being passed and the account created, but because the email authentication is not being completed, the spam links can no longer be posted. At least I no longer have to delete anything nor bother with blocking accounts as I simply sweep them into +BlockedUsers+ as they appear, which only takes seconds.
The actions we've taken will make us less attractive to the spammers, so hopefully we'll drop off their target list soon. If not, we may need to consider some further action. I don't want to overcomplicate the sign-up process, but we may need to add further steps to deter the spammers - "time is money" after all: you don't need to have the best security in the world; you just need better security than the guy next door.