From: anarcat Date: Sat, 23 May 2020 00:33:51 +0000 (-0400) Subject: more spam problems... X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/afa9a0b7f641a85ae53deeab5e7979323a37da06 more spam problems... --- diff --git a/doc/bugs/emailauth_bypasses_account__95__creation__95__password.mdwn b/doc/bugs/emailauth_bypasses_account__95__creation__95__password.mdwn new file mode 100644 index 000000000..47c2897b7 --- /dev/null +++ b/doc/bugs/emailauth_bypasses_account__95__creation__95__password.mdwn 
@@ -0,0 +1,39 @@ +I have had the following in my `ikiwiki.setup` since 2016: + + account_creation_password: XXXXXXXXXXXX + +The XXX is made of lowercase, uppercase and digits, randomly generated. I would expect this to stop any account creation. Yet new accounts get created all the time: + + w-anarcat@marcos:~/source/.ikiwiki$ perl -le 'use Storable; my $userinfo=Storable::retrieve("userdb"); print $userinfo->{$_}->{regdate} foreach keys %$userinfo' | sort -n | tail -10 + 1587487021 + 1587574304 + 1587695540 + 1587770285 + 1588354442 + 1588409505 + 1589257010 + 1589834234 + 1590175162 + 1590176201 + +The last two timestamps, for example, are today. I'm not absolutely certain, but I believe that account is an [[plugins/emailauth]] account: + + 'zemihaso_hfdsf.sadsdskfm.com' => { + 'regdate' => 1590175162, + 'passwordless' => 'd8de5ec25cfd68e64318fe6353c6428a', + 'subscriptions' => 'comment(blog/2020-04-27-drowning-camera)', + 'email' => 'zemihaso@hfdsf.sadsdskfm.com' + }, + +It's obviously a spammer. It seems to be attacking my wiki by doing the following: + + 1. register an account with emailauth + 2. subscribe to the page + 3. spam the page with a comment + 4. which then sends email to the victim(s) + +It's all kind of a mess. I'm at the point in my [[todo/anti-spam_protection]] where I am seriously considering disabling all user registration and all comments on all pages. Maybe delegate this to Mastodon or some other third-party commenting system, because I'm just tired of dealing with spam and bounces... + +Anyone else seeing this? Shouldn't the `account_creation_password` setting apply to emailauth? What else am I missing? + +Thanks! -- [[anarcat]]
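Review bot: The userdb excerpt in the new page pastes the spammer record including its `passwordless` value ('passwordless' => 'd8de5ec25cfd68e64318fe6353c6428a'), which is a stored login token for that emailauth account rather than just metadata; it should be redacted the same way the report already masks `account_creation_password` as XXXXXXXXXXXX, since the page is published on the public wiki. Two smaller points for the report itself: `account_creation_password` is documented as a passwordauth option ("a password that must be entered when signing up for an account"), so the question in the last paragraph reads more precisely as "should emailauth honour the passwordauth setting, or does it need its own gate", which is what a fix would have to decide; and in the numbered list, step 4 ("which then sends email to the victim(s)") is the consequence of step 3, not an action of the spammer, so folding it into 3 would make the sequence cleaner. The `perl -le ... | sort -n | tail -10` one-liner and the resulting timestamps are fine as evidence, but the identification of the account as an emailauth one rests on "I'm not absolutely certain"; stating that the record has a `passwordless` key and no `password` key would make that inference explicit.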