Automatic removal of spam comments?

Antero Aunesluoma January 21, 2014

Hello, we’ve recently had a couple of times a following strange incident:

1. Somebody adds a spam comment to some of our spaces that enable anonymous commenting (w captcha)

2. Space admin or somebody else receives a notification message about the comment, opens the spammed page but the spam comment is already removed!

We are sure that the spam comment isn’t removed by any other user.

I tried to reproduce the incident by adding the original spam comment myself (as anonymous user) but the comment wasn’t removed.

I also tried mispelling the captcha several times but it won’t send the notification message since the comment won’t be saved.

Could it be so, that those comments are posted by some other method which is automatically monitored by Confluence, but there is a slight delay before the removal which causes the notification message be sent?

If so, is there any documentation about this available?

We have been running Confluence 4.3.7 over a year but faced these kind of incidents only recently. We’ve suggested disabling the anonymous commenting or monitoring the comments as a workaround.

2 answers

0 votes
Erkki_Aalto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 5, 2014

No, it seems that the spammer just floods Confluence with comments and somehow triggers a hidden bug that causes the notification be sent in spite of failed captcha. There is nothing strange in the logs, just a massive flood of attempted comments:

175.42.11.121 - - [28/Feb/2014:04:51:15 +0200] "GET /pages/doaddcomment.action?pageId=84088443 HTTP/1.1" 200 96047
175.42.11.121 - - [28/Feb/2014:04:51:18 +0200] "GET /pages/doaddcomment.action?pageId=28211315 HTTP/1.1" 200 97641
175.42.11.121 - - [28/Feb/2014:04:51:20 +0200] "GET /pages/doaddcomment.action?pageId=122031618 HTTP/1.1" 200 96860
175.42.11.121 - - [28/Feb/2014:04:51:17 +0200] "GET /display/network/Network+bulleting+-+Institute+of+Biotechnology HTTP/1.1" 200 92812
175.42.11.121 - - [28/Feb/2014:04:51:16 +0200] "GET /display/cerclesfocus/Past+Scientific+and+Organising+Committees HTTP/1.1" 200 108398
175.42.11.121 - - [28/Feb/2014:04:51:19 +0200] "GET /pages/doaddcomment.action?pageId=123602853 HTTP/1.1" 200 96940
175.42.11.121 - - [28/Feb/2014:04:51:24 +0200] "GET /jcaptcha?id=2073667068 HTTP/1.1" 200 3430
175.42.11.121 - - [28/Feb/2014:04:51:25 +0200] "GET /jcaptcha?id=315987874 HTTP/1.1" 200 3449
175.42.11.121 - - [28/Feb/2014:04:51:25 +0200] "GET /jcaptcha?id=-1251394768 HTTP/1.1" 200 3380
175.42.11.121 - - [28/Feb/2014:04:51:24 +0200] "GET /pages/doaddcomment.action?pageId=120463010 HTTP/1.1" 200 96641
175.42.11.121 - - [28/Feb/2014:04:51:26 +0200] "GET /jcaptcha?id=1968416061 HTTP/1.1" 200 3396


0 votes
Marcel_R__Ackermann January 28, 2014

I'd like to second that question. We are experiencing exactly the same problem with our Confluence 4.3.3 installation since about 3 weeks:

* Anonymous users may view pages and add comments in our wiki space, but a CAPTCHA test is required.

* The repeated addition of spam comments is notified via mail as "Anonymous added a comment to the page".

* However, the spam comment is not to be found on the actual page.

* This behaviour cannot be triggered by an anonymous user submitting comments using the web UI and failing the CAPTCHA test.

The problem here is that this generates a fair number of pretty annoying excess notifications. Also, I suspect that the spammer is actually using some kind of (bugged?) API access instead of the web UI since it cannot be reproduced using the web UI.

For bonus credits: Is there a way to learn the IP the annonymous user is using solely from the notification mail and/or the log files? I'd say such a behaviour deserves an entry to our IP blacklist ...

Any help is appreciated!

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events