Using Wikibooks/Vandalism

Vandalism
Spam is when outside groups try to use Wikibooks as a vehicle for advertising. Spammers, often automated spam programs, insert links to external commercial websites on various pages.

Vandals are not financially motivated. They disrupt the project by adding inappropriate pages and content.

Types of Disruption
There are several common types of disruption that have occurred at Wikibooks in the past. Some of these types have been mitigated through technical measures. Some have simply become less popular for vandals over time. Others are still in occasional use. In general, Wikibooks has very low levels of spam and vandalism, especially compared to what it once had. However, it's a problem that never goes away completely and that our administrators and vandal fighters should be prepared for.


 * "Friends of gays" vandalism: This is the type of vandalism where one immature editor makes inappropriate remarks about other people they know from offline. Often, it's considered an easy way to put an insult online in a place that looks "official". This can be comments like "John is gay" or "Sarah is a whore", and are usually inserted without much fanfare on a single page. The goal is to insult the target not to disrupt the Wikibooks project, so this type of vandalism is usually found in unpopular and rarely-visited pages that only the attacker and victim are likely to be looking at. Since the goal is not to disrupt the project, these types of vandals are not serious and do not need to be dealt with harshly.
 * Image vandalism: This is where an inappropriate or pornographic image is uploaded to Wikibooks (or pre-existing images are used inappropriately), and it is added to several pages. Particularly difficult forms of this vandalism inserts the image into popular templates, which causes the inappropriate image to be displayed in many places. This type of vandalism used to be very common, however new technical measures make it less appealing for vandals. New accounts must wait 4 days before they can upload an image, precisely because of this type of vandalism.
 * Page move vandalism: Page move vandalism is when the vandal renames a page to something inappropriate. A tame example would be moving Main Page to Main Page on Wheels!!. This type of vandalism used to be very common, like image vandalism. However, new technical measures such as fast reverts of page moves and requiring new users to be autoconfirmed before moving pages have helped reduce this.
 * Personal Attack vandalism: This type of vandalism represents a personal attack on one or more editors here at Wikibooks, and can be comprised of image vandalism, page move vandalism, or other types. Common targets are typically admins and active vandal fighters who have piqued a personal interest among the vandals. This type of vandalism usually occurs in the User: and User talk: namespaces, especially on the user and user talk pages of the person being targeted.
 * "Is this for real?" 'vandalism': This is a very benign type of vandalism where new and incredulous users post test edits on pages to see if wiki is real. This type of vandalism, which isn't even called "vandalism" in most cases, is less common than it used to be just because society has become more familiar with wikis and people are less surprised by it. These types of edits should be redirected to the Sandbox, or to a user's page, instead of occurring in the content or discussion pages. These users are often just being curious, and shouldn't normally be blocked because of it.
 * Page blanking vandalism: This is vandalism where a user deletes all or substantial portions of the content from a page. Removing all content will be obvious in Special:RecentChanges where the system will automatically insert a message that the page has been blanked; removing lots of content creates the (-14,528) alerts. Page blanking is not always vandalism, and sometimes it's a perfectly normal part of the editing and authoring process. Keep an eye out for these kinds of edits, and don't hesitate to revert them and start a discussion if you are worried.
 * Edit summary vandalism: Using disruptive and inappropriate edit summaries, as part of scandalous edits or even as part of edits that otherwise look normal, is still considered vandalism. Those bad edit summary messages can be trapped in the edit history of the page forever, or until it is removed by an admin or a user with oversight access.

There are dozens of other types of vandalism, and many repeat vandals have particular signatures that can be used to identify their handiwork. However, these are some of the main types to be aware of.

Watching For Vandalism
Some Wikibookians watch the Recent Changes list to try and monitor for vandalism. Other users monitor the vandalism alerts on IRC. Sometimes users will find vandalism and report them at the Administrative Assistance reading room. A good admin should keep these pages on their watchlist, or find another way to stay alerted about vandalism.

Many types of vandalism will become obvious on the recent changes list, such as page-move vandalism, edit summary vandalism, or page blanking.

Fighting Vandalism
When fighting vandalism, the first task is to block the offending user. The length of the block depends on various factors. Once the user is blocked, you can start reverting the vandal edits.

However, if there are multiple vandals, checkuser help is going to be needed to determine where the vandals are coming from. A checkuser can determine if multiple vandal accounts are coming from the same computer and if so, block all of them at once. Another benefit to checkusers is that when a source for vandalism has been blocked, no new vandal accounts can be created from that computer. Here is a general checklist or playbook to follow when dealing with a vandal:


 * 1) Block the vandal or vandals first.
 * 2) If there are multiple vandals, post a message on WB:AN to get help from a checkuser. If no checkusers are around, the stewards can be contacted at Meta to do the job.
 * 3) If there is a lot of vandalism, request help cleaning it at WB:AN too.
 * 4) Start cleaning the vandalism by reverting all page edits made by the vandal.

If the vandal creates inappropriate pages or uploads inappropriate images as part of the vandalism, they cannot be reverted and need to be deleted. Admins can delete the page, while other users can mark it with.

Open Proxies
A side note to the discussion about vandalism is the discussion about open proxies. An open proxy is an internet IP address which is available for other people to use. The result is that a person can appear to be editing from the open proxy, while concealing their real IP address. WMF policy is that open proxies should be banned for a year. While this isn't always ideal (there are many people who rely on open proxies for regular internet access) it does cut down on vandalism dramatically.

Some admins choose to mass-block open proxies, some admins choose not to bother with it. Technically, an open proxy can be blocked indefinitely, but we don't make people do it if they don't want to.

Vandalism Waves
Some vandals are highly determined, and may use multiple user accounts and multiple IP addresses (typically open proxies) to attack. Sometimes, these attacks can feel overwhelming. Here are some tips for getting through a difficult vandalism attack:


 * Block first, revert second:This way, the vandal won't be creating more messes while you go to clean up the previous messes. Also blocked users can request to be unblocked on their user talk pages. This means that if a person is blocked in error, those blocks can be reversed.
 * Use bot rollback:This advanced technique hides flood vandalism, and the reverts, from Special:RecentChanges.
 * Get Help:Even formidable administrators can use some support when dealing with a tricky vandal. Multiple users and admins should tackle the problem together. Ordinary users can recruit administrator help by posting a request at Administrative Assistance or reporting in IRC. Remember that even non-admins can undo page edits or (for reviewers) revert the page back to a good revision in the page history. The only thing admins are really needed for is blocking vandals and deleting pages.
 * Watch the Recent Changes List:Some users watch the list in real time on IRC, but refreshing the Special:Recentchanges page every couple of minutes is good too. Make sure you keep track of what pages are being targeted, and where the cleanup effort is making progress.
 * Temporarily protect pages:Administrators may need to protect, for a short period of time, pages which normally wouldn't be protected against editing. If a vandal is persistently attacking one page repeatedly, protecting that page will slow the vandal down (or cause the vandal to lose interest all together). If you need to protect a page that gets heavy traffic (such as the reading room or other discussion pages) leave a message about the protection.

Blocking and Unblocking
Blocking users is a necessary weapon in the fight against vandalism. However blocking non-vandals is something that should almost never be done, except in the most extreme circumstances. User blocks can be very disruptive and demoralizing. For that reason, except in cases of obvious vandalism or serial spam should a user be blocked. However, a block is not a one-size-fits-all solution, there are many options that can be set by the blocking admin to affect the way a block is performed.

Block Duration
The duration of a block is the most obvious option that an admin can modify. A user can be blocked for as little as a few minutes, and as long as indefinitely. When deciding a block duration, the admin should check how long similar blocks have been for in the past, and how serious was the offense.

Users who are being disruptive but are acting like a new user (adding "friends of gays" vandalism, or making test edits) should be talked to first. If they don't respond to messages, they can be blocked for a short period. If you block a user temporarily, leave a message on their talk page explaining how long the block was, why they were blocked, and what the expectations are for them to return to regular editing. Some users will just disappear after that, others will learn their lesson and become normal editors here.

Some users are not so harmless and actually make a concerted effort to disrupt the project. These types of users are "vandals", and can be dealt with more suddenly and harshly. These users, who are only interested in disruption and are not experimenting, are not ever going to become normal editors and do not need to be warned or treated kindly. Accounts which have been created for the sole purpose of vandalism can be blocked indefinitely on sight without warning.

Block Reason
There is a drop-down list of the most common blocking reasons. If possible, a reason should be selected from the list when a user is blocked for a common offense. Sometimes, the reason why a user is blocked is not well-suited to the pre-existing explanations, and a custom explanation is in order. When explaining a user block, be as descriptive as you can to show why the user has been blocked. These reasons will appear in the logs so that they can be considered by future admins who might be considering an unblock request.

Block Options
There are three options when blocking users which may have a profound effect on the user. Some of these options are cryptic:


 * Prevent account creation
 * Preventing account creation means that if an IP address is blocked, the user will not be able to create any accounts from that IP until the block expires. This is primarily useful for when a vandal is using a series of sock-puppets from a single source IP address.


 * Automatically block the last IP address used by this user, and any subsequent IPs they try to edit from
 * The second option, often called "autoblock" is used when blocking a username when the IP address is not known. This option blocks that user, blocks the user's IP address, and any additional IP addresses that the user might try to use. This can be a very valuable vandalism fighting tool, especially when sock-puppetry is suspected and no Checkusers are available to run a check. There are two things to note about this kind of block:
 * This may large groups of IP addresses to be blocked automatically, including proxy addresses that are shared by many legitimate users (such as AOL shared IP addresses).
 * Each block will show up individually in the block logs, and to remove the blocks or to modify the block time, each block will have to be examined individually (this can become quite a large number).


 * Prevent user from sending e-mail
 * Blocked users are, by default, enabled to send email to other users. This is a useful aid in discussing a block, or requesting an unblock. However users which are blatant vandals or spammers should have this right revoked to prevent spam or vandalism emails.

Changing Block Parameters
Historically, one had to unblock and re-block a user to change the settings of the block. Recently, this was changed so administrators can change the settings without unblocking. Use the "change block settings" link, or simply use Special:Block/User.

Partial blocks
Historically, the only way to block a user was to prevent them from editing the entire site. With the introduction of partial blocks, it is now possible to block users to, for instance, a particular textbook. This is very useful if the contributor is problematic only in that section of the project (for instance, edit warring) and is otherwise a productive editor. It is also possible to allow full editing but block email access only.

Unblock Requests
A user can request unblock on their user talk page. Administrators should consult the admin who placed the block, except in obvious, uncontroversial cases. An admin may, at their discretion, unblock the user or engage in a discussion with that user about the terms for being unblocked. Caution and discretion are advised, however, because many vandals use bogus unblock requests as an additional form of harassment and vandalism. Users abusing the ability to edit their talk page should have that ability revoked. Previously, this was done by full-protecting the page, but administrators can now adjust the block settings to disallow the blocked user from editing the user talk page. If abuse continues from IPs or new accounts, then protection should be placed in addition to blocking other users/IPs.

CheckUsers are privy to private system logs which are not accessible by the public or administrators. Blocks marked as or "per CU" etc are not to be lifted without consultation with project CheckUsers.

Emergency: Rogue Admin
Possibly the worst-case scenario is a rogue admin or bureaucrat account. It has never happened on Wikibooks, but it has happened on other wikis, notably the English Wikipedia and English Wiktionary, before. Typically, this happens when an administrator's password is discovered by a vandal. It is not unheard of on Wikipedia for a regular admin to become disgruntled with the project and act out negatively as well. The vandal using the administrator's account, or the disgruntled admin, can then go on a rampage blocking ordinary users, deleting pages and unblocking other vandals to destroy the project.

A quick solution would be to block the rogue admin, who can do nothing but block you (admins can no longer unblock themselves). Bureaucrats are not able to demote an administrator, so the only help after that will come from the stewards at Meta. In the event of a rogue admin, the first and most important task is for people to request help from the stewards and/or block the rogue admin if possible. Once the admin has been demoted and blocked, the cleanup effort can begin.

This scenario is a major reason why all Wikibookians, especially those with additional tools, should choose a strong password and (for admins) consider applying two-factor authentication. If a vandal is able to get access to your account, they can cause long term damage not only to the project but to your reputation as well.