Hello, we’ve recently had a couple of times a following strange incident:
1. Somebody adds a spam comment to some of our spaces that enable anonymous commenting (w captcha)
2. Space admin or somebody else receives a notification message about the comment, opens the spammed page but the spam comment is already removed!
We are sure that the spam comment isn’t removed by any other user.
I tried to reproduce the incident by adding the original spam comment myself (as anonymous user) but the comment wasn’t removed.
I also tried mispelling the captcha several times but it won’t send the notification message since the comment won’t be saved.
Could it be so, that those comments are posted by some other method which is automatically monitored by Confluence, but there is a slight delay before the removal which causes the notification message be sent?
If so, is there any documentation about this available?
We have been running Confluence 4.3.7 over a year but faced these kind of incidents only recently. We’ve suggested disabling the anonymous commenting or monitoring the comments as a workaround.
I'd like to second that question. We are experiencing exactly the same problem with our Confluence 4.3.3 installation since about 3 weeks:
* Anonymous users may view pages and add comments in our wiki space, but a CAPTCHA test is required.
* The repeated addition of spam comments is notified via mail as "Anonymous added a comment to the page".
* However, the spam comment is not to be found on the actual page.
* This behaviour cannot be triggered by an anonymous user submitting comments using the web UI and failing the CAPTCHA test.
The problem here is that this generates a fair number of pretty annoying excess notifications. Also, I suspect that the spammer is actually using some kind of (bugged?) API access instead of the web UI since it cannot be reproduced using the web UI.
For bonus credits: Is there a way to learn the IP the annonymous user is using solely from the notification mail and/or the log files? I'd say such a behaviour deserves an entry to our IP blacklist ...
Any help is appreciated!
No, it seems that the spammer just floods Confluence with comments and somehow triggers a hidden bug that causes the notification be sent in spite of failed captcha. There is nothing strange in the logs, just a massive flood of attempted comments:
18.104.22.168 - - [28/Feb/2014:04:51:15 +0200] "GET /pages/doaddcomment.action?pageId=84088443 HTTP/1.1" 200 96047
22.214.171.124 - - [28/Feb/2014:04:51:18 +0200] "GET /pages/doaddcomment.action?pageId=28211315 HTTP/1.1" 200 97641
126.96.36.199 - - [28/Feb/2014:04:51:20 +0200] "GET /pages/doaddcomment.action?pageId=122031618 HTTP/1.1" 200 96860
188.8.131.52 - - [28/Feb/2014:04:51:17 +0200] "GET /display/network/Network+bulleting+-+Institute+of+Biotechnology HTTP/1.1" 200 92812
184.108.40.206 - - [28/Feb/2014:04:51:16 +0200] "GET /display/cerclesfocus/Past+Scientific+and+Organising+Committees HTTP/1.1" 200 108398
220.127.116.11 - - [28/Feb/2014:04:51:19 +0200] "GET /pages/doaddcomment.action?pageId=123602853 HTTP/1.1" 200 96940
18.104.22.168 - - [28/Feb/2014:04:51:24 +0200] "GET /jcaptcha?id=2073667068 HTTP/1.1" 200 3430
22.214.171.124 - - [28/Feb/2014:04:51:25 +0200] "GET /jcaptcha?id=315987874 HTTP/1.1" 200 3449
126.96.36.199 - - [28/Feb/2014:04:51:25 +0200] "GET /jcaptcha?id=-1251394768 HTTP/1.1" 200 3380
188.8.131.52 - - [28/Feb/2014:04:51:24 +0200] "GET /pages/doaddcomment.action?pageId=120463010 HTTP/1.1" 200 96641
184.108.40.206 - - [28/Feb/2014:04:51:26 +0200] "GET /jcaptcha?id=1968416061 HTTP/1.1" 200 3396
Do you use templates with Confluence? Take part in a remote 1-hr workshop. You'll receive USD $100 for your time! We're looking for people to participate in a remote 1-hr workshop...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs