TIPS & TOOLS

How to delete a long list of spam users in MediaWiki

MediawikiIf your MediaWiki site has been spammed with tons of automatized account registrations (and it’s not new that captcha could not be enough to stop spammers) one preventive response is to install the ConfirmAccount extension. This extension disables direct account creation, requiring approval by admin users.

But how do you delete the long list of spam users that has been created?

Another extension comes to the rescue: User Merge and Delete. Once installed you can choose to merge the spam accounts with the Anonymous one and delete them from the database… one by one.

To delete a long list of spam accounts we can follow Viswaprabha’s crude but ingenious way to “automatize” the use of the UserMerge extension.

1.- First let’s get the following:

The trick consists in using the Web Developer Extension to get information from the UserMerge form. Information that we will concatenate with a list of spam accounts to produce a simple web page. In turn, the produced html page will be used by the Firefox DownThemAll! extension to instruct UserMerge to delete the spam users.

2.- We use the Special:ListUsers page of our MediaWiki to get a column-list of the spam account’s user names. This can be done, for example, copying, pasting and filtering the users list in a spreadsheet. Be careful not to include the legitimate users!

3.- Now, logged in as an admin user of the wiki, we go to the Special:UserMerge page using Firefox. Once in that page, we select in the tool bar of the Web Developer extension Forms > Convert Forms Methods > Convert GETs to POSTs. Then Forms > View Form Information will open a page where the information we need is the session token that is unique to a browsing session (e.g. 2c05d520d9b202235c03e8fe8ll8khB)

4.- We then use a Python script to concatenate the generated list from step 2, let’s say in a userslist.txt file, with the session token from step 3 and produce an html file. Here is below an example of such a script. Notice that to use it yourself you need to replace Your Wiki Domain and the token

The usage of the script above, named for example concatenate_UserMerge_MediaWiki.py, is:

5.- Our last step is use the html page generated above with the Python script, e.g. userURLlist.html. When we open this file with Firefox we should see a page full of links, each one of those representing an instance to instruct the UserMerge extension in our wiki to delete one user. To effectively visit each of these links and execute UserMerge we use the DowThemAll! Firefox extension on the, e.g. userURLlist.html page. It is important that for this step you are still logged in within the same session of step 3

As the download of our links progresses, the spam accounts will be deleted by UserMerge.

Apart from UserMerge, the other tools used for the steps above can be replaced with alternatives to generate the list, the web page with links and to visit those links. Any suggestions of your own? Your comments below are welcome!

4 Responses

  1. Hi Joseph-Luis, first of all thank you for your script and advice. I wish you a very happy new year!

    I have followed your instructions. Everything is clear so far, but when I click one of the generated links, the user is not being deleted. Actually nothing happens. Just this link is being opened: http://streetwiki.gangway.berlin/index.php?title=Spezial:Benutzerkonten_vereinigen&olduser=NildaBanda2450&newuser=Anonymous&deleteuser=1&token=49157ab378647508dbe4f30dff4e5792+\ but without actually deleting the user. I am logged in as admin with firefox. When using “DownoadThemAll” just the same happens.

    This is one of the generated links: User URL Link
    I have also tried this, but no result also: User URL Link

    Any idea, what I do wrong?
    Kind regards
    Péter

  2. Frohes neues Jahr! to you Péter!

    Thanks for noticing that Special:UserMerge should be replaced by the German Spezial:Benutzerkonten_vereinigen in the script.

    As for the reasons why step 5 could not be working, did you check that the same browsing session that you used for step 3 is the session where you do step 5? One way to check is that when one is ready for step 5 then use the Web Developer extension again to check that the token is the same as the one in the generated links.

    Have you also checked that your wiki user belongs to the Bureaucrats (Bürokraten) group?

    Hope the above helps!

  3. BlankerHans

    Had the same Problems as multifrucht and solved it:

    MY token was “e48943fb19abcde894f7cad0b94677d7+\”. As you can see it ended up with “+\” as it does at multifruchts token. That’s the part where it got tricky.

    After a lot of trying I just changed “+\” to hex-code “%2B%5C”.

    As you also may know it is also important to escape special characters or signs in python like quotes: ” . To escape these signs you need to put a backslash in front of it like this: \” .

    At first I tried to escape the last two signs of the token too, but that didn’t work.

    So in all I worked out the following expression:

    print “<a href=\""+"http:///index.php?title=Spezial:Benutzerkonten_vereinigen&olduser=“+line+”&newuser=Anonymous&deleteuser=1″+”&token=e48943fb19abcde894f7cad0b94677d7%2B%5C\””+”>User URL Link”

    All combined the py-script works and gives me a working html-file which I can go on working with DownThemAll.

    Greeting from Germany

    Hans

Leave a Reply