Hi Harry,

A note out of the blue perhaps, but at one point I modified one of our
PageProviders to have a simple admin flag that if set kept pages from
being saved. It was used in emergencies of the sort you've mentioned.

It could be added to the API and provided with an additional isLocked()
method to permit JSPs to post a notice that the wiki has been locked
down. Given most wikis are run on a shoestring or no budget at all, I
felt this was a reasonable approach.

Cheers,

Ichiro

On Wed, Feb 3, 2016 at 10:23 PM, Harry Metske <harry.met...@gmail.com>
wrote:

> Hi all,
>
> yesterday we received a lot of spam on https://jspwiki-wiki.apache.org.
> Hundreds of spam pages were created, and also many existing pages were
> updated with spam. Eventually it also OOMed the JVM.
> The spammer is coming from multiple IP addresses and used many (just created)
> wiki accounts; our SpamFilter does not handle this.
>
> We tried to stop this in an elegant way, but given the limited time we
> have, we had to take drastic measures to stop the spammer.
>
> * We changed the security policy so that only Admin users can create/update
> pages.
> * We restored all pages from a backup of yesterday (2016-02-02 06:41)
> * deleted all jspwiki userids that were created since this timestamp
> * recycled tomcat
>
> We will keep this configuration for a couple of days and think about
> further steps on how to proceed.
>
> If you have made page changes after the backup timestamp and you definitely
> want these changes in, drop us a mail.
> Other comments are welcome too.
>
> kind regards,
> Harry
>
