Let's say we discovered that the user 'brainstorm1' is spamming the Wiki. Here's what to do:
- Delete the user from LDAP
- Deleting the user from LDAP does not by itself delete the pages they created. Delete those manually in the Wiki. A good starting point is https://wiki.jenkins-ci.org/display/~brainstorm1
- If an attack is ongoing, you can expire a spammer's HTTP session by going to https://wiki.jenkins-ci.org/tomcat-manager/html/sessions?path=/ (log in with your Jenkins account). This is necessary because Confluence doesn't notice that the user has been removed from LDAP.
- You can flush the mail queue here: https://wiki.jenkins-ci.org/admin/mail/viewmailqueue.action to make sure the spam killer bot gets the email.
- You should also flush the content indexing queue at https://wiki.jenkins-ci.org/admin/viewindexqueue.action to keep the recent pages dashboard clean (it usually runs every minute).
- Keeping the space's trash clean is helpful as well. It can be purged here: https://wiki.jenkins-ci.org/pages/viewtrash.action?key=JENKINS
- Clear out the LDAP cache here: https://wiki.jenkins-ci.org/admin/cachestatistics.action?showDistributions=false
Confluence spam remover is a little GUI tool that helps you bulk delete pages.
Another way to bulk delete pages, especially if they all have the same parent, is to follow the accepted answer to this question on answers.atlassian.com about importing a Word document to replace a page, and to select the option to delete all child pages.
- Record the IP address the spam user signed up from, to see if any patterns can be detected, as a spammer often appears to be using multiple users.
- When deleting a user from LDAP, blacklist the e-mail address.
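The last two steps (recording sign-up IPs and blacklisting e-mail addresses) can be supported by a small script. The following is an added example, not part of the original page or of the Jenkins infrastructure tooling. The record format, the sample data, and the /24 and /64 grouping prefixes are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (username, e-mail, sign-up IP). The record
# format is an assumption; the page does not say how sign-up IPs are stored.
SIGNUPS = [
    ("brainstorm1", "bs1@mail.example", "203.0.113.17"),
    ("brainstorm2", "bs2@mail.example", "203.0.113.44"),
    ("alice", "alice@example.org", "198.51.100.5"),
    ("promo_deals", "deals@other.example", "2001:db8:5:1::a1"),
    ("promo_offers", "offers@other.example", "2001:db8:5:1::ff02"),
    ("bob", "bob@example.net", "2001:db8:9:2::1"),
]


def network_key(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to its enclosing network so neighbours group together."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def cluster_signups(signups):
    """Return {network: [usernames]} for networks with more than one account."""
    by_net = defaultdict(list)
    for user, _email, ip in signups:
        by_net[network_key(ip)].append(user)
    return {net: users for net, users in by_net.items() if len(users) > 1}


def related_accounts(signups, known_spammer):
    """Accounts sharing a network with a confirmed spammer, with the
    e-mail addresses to review for the blacklist."""
    nets = {network_key(ip) for user, _e, ip in signups if user == known_spammer}
    return sorted(
        (user, email)
        for user, email, ip in signups
        if network_key(ip) in nets and user != known_spammer
    )


if __name__ == "__main__":
    for net, users in cluster_signups(SIGNUPS).items():
        print(net, users)
    print(related_accounts(SIGNUPS, "brainstorm1"))
```

Accounts behind a shared NAT, VPN or campus network will also cluster together, so treat the output as leads to review by hand rather than as a deletion list.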
My investigation record of 2012: Tracking down spammers