Jump to content

Community health initiative/Mechanisms to prohibit blatant attack usernames

From Meta, a Wikimedia project coordination wiki

This page documents a feature the Wikimedia Foundation's Anti-Harassment Tools team may build. Development of this feature has not been decided or prioritized.

🗣   We invite you to join the discussion!

Tracked in Phabricator:
Task T168438

The Anti-Harassment Tools team are considering building mechanisms that prohibit blatant attack usernames. These feature(s) aim to prevent harassment when a malicious user creates an account name solely for the purpose of personally attacking another user. (e.g. User:Apples_is_an_idiot created to abuse User:Apples.)

At the moment, these features are conceptual. The Anti-Harassment Tools team has not prioritized this work but is considering these features for future development. Input on this page or the talk page is encouraged and appreciated.

Background

[edit]

Currently, there are AntiSpoof mechanisms in place that prohibit users from creating visually identical usernames to existing usernames (e.g. User:App1es for User:Apples). There is also a title blacklist of admin-curated terms that are not allowed in page name or usernames.

However, these are circumventable by appending an abusive statement after the username, often in non-vulgar terms (e.g. User:Apples_should_never_have_been_born). When these accounts are created, the malicious user can then perform benign actions to send on-wiki notifications or emails to contact the user. Simply seeing the username is the harassment. These attack accounts are sometimes created by users sophisticated enough to circumvent IP blocks, or are created on other wikis where their IP is not blocked.

Ideas

[edit]
  • Implement a rule that all new usernames cannot begin with an existing username
    • Seems like there could be a lot of false positives, as there are many short existing usernames
    • Use a dictionary to omit dictionary terms (e.g. User:The)
  • Implement a rule that all new usernames cannot contain a combination of username and a verb
  • Block blatant attack usernames, create a review process for questionable usernames
  • Build a permissioned system for admins and stewards to update a blacklist and/or rules
  • ...