Sep 222009

The other day, I had to take the unfortunate step of disabling registration for new users to contribute to the Mozilla Developer Center wiki. I took this step because we’ve been having serious problems with accounts being created — seemingly by bots — and adding very intricate spam pages to the site.

These pages, in many cases, are using CSS to completely eradicate the wiki’s interface — including the admin controls that allow us to delete pages. This makes manually deleting the pages tricky in those cases.

MindTouch created a tool that can automatically delete these pages and ban the offending users. Unfortunately, that tool appears to have an issue with our load balancing system, by which it identifies all users as coming from the same IP address. The result is that when I used the tool over the weekend to attempt to process a large number of spam pages, all accounts got banned instead of just the spammers’.

We restored MDC from a backup shortly after that, losing edits made between 7 AM and about 10 PM Pacific Daylight Time on Saturday. Fortunately, this happened on a weekend, so we didn’t lose too much.

I’m actively engaged with MindTouch to figure out how these bots are bypassing the captcha we use to prevent this sort of thing from happening, and to add protections to keep content from overriding the site’s UI. I’m also talking to IT and MindTouch to try to get the automatic clean-up tool to work correctly on our system.

In the meantime, until we make significant headway on this problem, MDC will likely remain locked down. The confluence of the spam bot problem and the ability of content to completely override the user interface makes this a particularly tricky problem.

I know this is a huge inconvenience for some folks, and I’m doing everything I can to get this resolved as quickly as possible. I’ll keep you posted!

 Posted by at 12:14 PM

  2 Responses to “MDC user registration disabled for now”

  1. You should probably post a note about this somewhere on MDC. I just searched the UI of MDC for a few minutes for a register link. Now that I read this, it’s clear to my why I didn’t find one. Had this been posted somewhere on MDC, I probably would have noticed earlier.

  2. You can use View->Page Style->No Style to remove CSS from a page (not that that really helps with the larger problem of course).

This site uses Akismet to reduce spam. Learn how your comment data is processed.