This page documents an English Wikipedia WP:AF. Editors should generally follow it, though exceptions may apply. Substantive edits to this page should reflect consensus. When in doubt, discuss first on this guideline's talk page. |
AbuseFilter is a tool used to allow privileged users to set specific controls on user activity and create automated reactions for certain behaviors.
The Abuse Filter extension was developed by Werdna with support from the Wikimedia Foundation, and went live on the English Wikipedia in March 2009.
The extension allows automatic filters/heuristics to be applied to all edits. Specific rules can be developed, such as "users with fewer than 500 edits are blocked from moving pages to titles which match this regular expression: /poop/". Of course, the rules can get quite a bit more complicated—for example, a rule that blocks all pagemove vandalism with a 70% success rate (and with the option of blocking the IP address of the user making these page moves), with about 2-3 false positives per year (checked on the last year's worth of moves).
All users will be able to view some filters, and all log entries. For all filters, including those hidden from public view, a brief, general summary of what the rule targets will be available, and displayed in the log, the list of active filters, and in any error messages generated by the filter.
We're planning on treading carefully—most abuse filters will be tested for a few days (in "log only" mode) before being brought to full force ("block", "disallow" or "throttle" modes), and to start with, we'll allow only members of a specific group to modify the filters, although this group will be assignable by administrators.
Extension documentation
The below was written when the extension was first written, and may be somewhat out of date. |
Filtering criteria
For all of the following, we can do extensive normalisation, regex matching, length comparison and regular comparisons (less than, greater than, equal to) matching, combining different filters with boolean logic.
User
- Edit count.
- Account age.
- Groups.
- Email-confirmed status.
Titles (moved-to, moved from included)
- Namespace.
- Title.
- Full text.
- Restrictions and protection status.
Action
- The action type (edit, move or createaccount).
- Edit summary.
- Contents of the edit.
Throttling
- Filters can specify whether actions done at a certain rate are by the same IP address, account, /16 range, account-creation-date, and/or to the same page, for a consequence (below) to be invoked.
- Any of the above conditions can be combined to produce a separate rate-limiter. For instance, we can group all accounts created on the same date, from the same /16, for the purposes of rate-limiting.
- Any actions set for that filter will occur if, and only if, the rate-limiter is tripped. This reduces false-positives by making the filter apply only if the same user is consistently tripping a particular filter, rather than a single false-positive.
Actions which can be assigned in response to filtered edits
If a user triggers a filter, AbuseFilter can apply any of the following sanctions based on the severity of the offense:
- All actions triggering a filter are logged at a special page.
- The user's action can be tagged for further review.
- The user can be warned that their actions may be unconstructive.
- The user's action may be disallowed.
- The user's account may have its autoconfirmed status suspended for a random period between 3 and 7 days.
- The user's account may be blocked from editing, along with all IP addresses used in the last 7 days.
- The user's account may be removed from all privileged groups (such as sysop, bot, rollbacker).
Note: Individual sanctions can be disabled selectively.
Monitoring
All edits triggering an action will produce a report at Special:AbuseLog. On this page, a brief log entry is entered. Users with the appropriate permissions may view the log summary. Users with certain higher permissions may view details on the log entry. This includes all information available to the filter when it ran, and may be useful for debugging purposes. Users with the highest level of log-viewing permissions may view private data about the action which caused the log event, such as the user's IP address. See #Permissions for more details on the permissions structure.
Sample abuse log entries
- 06:43, 23 June 2008: Andrew (Talk | contribs | block) triggered an abuse filter, making a edit on Main Page. Actions taken: warn,disallow; Filter description: Test Filter
- 06:43, 23 June 2008: Andrew (Talk | contribs | block) triggered an abuse filter, making a edit on Main Page. Actions taken: none; Filter description: Test Filter
Sample detailed abuse log entries
- 06:43, 23 June 2008: Andrew (Talk | contribs | block) triggered filter 1, making a edit on Main Page. Actions taken: warn,disallow; Filter description: Test Filter (details)
- 06:43, 23 June 2008: Andrew (Talk | contribs | block) triggered filter 2, making a edit on Main Page. Actions taken: none; Filter description: Test Filter (details)
- 06:42, 23 June 2008: Andrew (Talk | contribs | block) triggered filter 1, making a edit on Main Page. Actions taken: warn; Filter description: Test Filter (details)
- 06:42, 23 June 2008: Andrew (Talk | contribs | block) triggered filter 2, making a edit on Main Page. Actions taken: none; Filter description: Test Filter (details)
- 06:22, 23 June 2008: Andrew (Talk | contribs | block) triggered filter 1, making a edit on Main Page. Actions taken: warn,disallow; Filter description: Test Filter (details)
- 06:22, 23 June 2008: Andrew (Talk | contribs | block) triggered filter 2, making a edit on Main Page. Actions taken: none; Filter description: Test Filter (details)
The details link brings up a screen like that on the right.
Safeguards
To protect the wiki against poorly-configured filters, a technical limit is imposed on the maximum percentage of actions that will trigger a given filter. Other technical limits are in the process of being written.
Notification
All notifications are based on the template {{abuse filter warning}}.
Standard notifications shown to a user triggering a filter action:
Message name | Message text | ||
---|---|---|---|
abusefilter-disallowed |
| ||
abusefilter-blocked | MediaWiki:Abusefilter-blocked | ||
abusefilter-degrouped | This action has been automatically identified as harmful.
Consequently, it has been disallowed, and, since your account is suspected of being compromised, all rights have been revoked. If you believe this to have been in error, please contact a bureaucrat with an explanation of this action, and your rights may be restored. A brief description of the abuse rule which your action matched is: $1 | ||
abusefilter-autopromote-blocked |
|
Generic warning message is below. Admins are advised to use custom warnings.
Message name | Message text | ||
---|---|---|---|
abusefilter-warning |
|
Some existing filters and their warnings:
Filter and message | Message text | ||
---|---|---|---|
3: blanking articles |
| ||
30: large deletions |
| ||
18: test edits |
MediaWiki:Abusefilter-warning-testeditwarn |
If a filter is set to warn and disallow, then a user clicking "Save page" will alternatively see that warning and standard disallowed message.
Known issues
When the extension is initially installed, the available actions will not include blocking or removing from privileged groups. This restricted usage has been determined by community consensus, and if the extension is successful, the community may decide to enable the block, rangeblock or degroup actions for use on this wiki.
The full technical details of implementation are available on the bug (bug 15684).