I am getting continuous spam like this:

discussion  85.25.146.11  web  11:02:19 05/17/13  2rand[0,1,1]
discussion  85.25.146.11  web  11:02:13 05/17/13  2rand[0,1,1]

The bot uses an IP address as the username and puts '2rand[0,1,1]' as comment text.

I do not have a page 'discussion' in use, so I have redirected this page with an apache2 Alias to a static page, just in case anyone stumbles on it. This means it cannot really be edited via the web. However the bots that post this spam are evidently not opening the page to edit it, but merely sending a cgi request as if they had edited the page. The result is that no damage is done on the site and no benefit is achieved for the spammer since google cannot see the result. However, the logs are stuffed with spurious entries and a page is constantly recompiled, which wastes resources.

Is there some way to reject edits that do not arise from an established session?

Normally ikiwiki requires a valid session cookie of a logged in user to edit pages. It sounds like you may have the opendiscussion or anonok plugins enabled, which allows anyone to edit without logging in. Recommend disabling them.

Since you know the spammer's IP, put it into ikiwiki.setup:

banned_users:
  - ip(85.25.146.11)

If the user was logging in, you could also put their username in the ban list.

You can also try enabling the blogspam plugin.

Comment by joey Fri May 17 13:55:46 2013

I did indeed have opendiscussion active. I shall wait to see what happens after disabling it.

The bots seem to make 5 consecutive edits at short intervals (around 2 minutes) using an IP address as a username. I do not know if the IP is the one from which they work. There are usually two or three sets of five edits using different IP addresses as username in each hour.

I did try blocking specific IPs but they constantly change.

It would be good if blocking could match a regexp, but as far as I can see this is not an option,

Comment by richard-lyons Fri May 17 16:56:23 2013
I can now confirm that this particular attack has stopped after removing the opendiscussion plugin.
Comment by richard-lyons Sat May 18 04:13:19 2013