User:Qwh/vandalbot

If you see a vandalbot, contact an administrator or a steward at your earliest to have them block the account or accounts involved. Do not panic but act quickly.

What is a vandalbot?
A vandalbot is a script which automatically performs some kind of malicious edit or similar operation to a wiki at high rate. When you see one, you have to know what to do. Read this page now&mdash;don't leave it until the heat is on!

For Wikimedians who are not administrators, vandal bots can be reported at vandalism reports.

Operating vandalbots in any Wikimedia Foundation project is prohibited (see the relevant section of the Terms of Use for details).

Spambots
Perhaps you may not have heard anything about those or little about them. Basically a spambot is, like a vandalbot, an automated process (bot) that will vandalize your wiki by adding spam to the wiki pages or creating a mass of spam pages. The way of dealing with them is the same as the vandalbots, so please continue reading.

Response from administrators
The basic response to a vandalbot is to fist block the account and revert its actions using rollback. You can revert edits without the rollback right, but that's slow and tedious. You're better off finding an administrator. If there are no administrators around, the Stewards will be able to assist you. You may find a full list of stewards here. You can also contact a global rollbacker if you don't have rollback rights.

If you are an administrator and you see a vandalbot that is editing existing pages, you're encouraged to do the following:


 * 1) Block it. Make sure to set autoblock and block account creations.
 * 2) Go to the vandalbot's contributions page.
 * 3) Append   to the end of the contributions page URL of the vandalbot and load that page. For example:  .  This will avoid your rollbacks to appear at the recent changes page.
 * 4) Click on all the rollback links.
 * 5) Please contact a steward to globally lock the account and/or globally block the IP address. Please post on Steward requests/Global under the relevant section.
 * 6) Aditionally, please consider asking for global URL blacklisting at Talk:Spam blacklist here at Meta-Wiki.


 * Light bulb icon.svg A tip: Note that it's easier to click on all the rollback links if you have them loading in an inactivated tab/window, i.e. "in the background". Modern browsers do now support tabs.


 * Nuvola apps important.svg If the vandalbot has also created a mass of pages those can be bulk deleted usually by any administrator accessing the page «Special:Nuke» and following the instructions. Be careful to enter the correct username in the form.


 * It may also be useful to bring the incident to the attention of the community so that others can be on the look out for similar attacks soon after.

Steward response

 * Main article: Stewards.

If there is no administrator around, it is an emergency, more hands are needed or it is an attack that affects multiple Projects, the Wikimedia Stewards are there to help you. You may quickly contact them on the IRC channel or by posting a message in the vandalism reports board. Stewards have complete access to the wiki interface and functions in all Wikimedia projects as well to powerful global tools which can use in order to stop the attack.

It is always helpful to notify stewards at the vandalism reports board for this cases &mdash;even if you had local administrator assistance&mdash; so they can have a look at the issue and take other measures, such as terminating the malicious accounts involved.


 * List of stewards

When to get help from the system administrators

 * Main article: System administrators.

In some cases, it may be easier for a system administrator to deal with a vandalbot attack rather than ordinary users. This cases include &mdash;but are not limited to&mdash; the following:


 * Large scale page creation (hundreds of pages). Pages can be deleted without making an entry in the deletion log, or saving them to the archive for undeletion. Large scale deletion by a developer generally requires just 3 or 4 queries regardless of the scale of the attack, but carries with it the risk of permanent deletion of innocent pages.
 * Serious security incidents.

Usually developers can be found on the #wikimedia-tech or #mediawiki IRC channels, on the irc.freenode.net network. Please make sure you give some indication of the scale of the attack such as how many pages, what edit rate, etc.

Please note that Wikimedia gets vandalised all the time and that merely saying «the wiki is being vandalised!» probably will not get their attention.


 * List of system administrators.

Tools

 * Extension:AbuseFilter is a tool available at all Wikimedia wikis at «Special:AbuseFilter» which applies heuristics to actions by users, such as edits, based on filters that can be configured locally to prevent various kinds of vandalism. The configuration of the filters is not easy so if you have not used the tool ask first or you may end blocking legitimate edits.


 * Extension:SpamBlacklist is a tool that will block from saving pages containing a certain URL. A local spam blacklist exist on each wiki at «MediaWiki:Spam-blacklist» with a global one working for all projects is located at Spam blacklist. Do not use SpamBlacklist or AbuseFilter without a basic understanding of Regex.


 * CheckUser is a tool available for users with the 'checkuser' permission which is to be used to fight vandalism and prevent abuse to the projects. Due to the sensitive nature of the tool is only used as a last resort for difficult cases.