My “other” wiki got a visit from our invisible wiki spammer. He uses tags that make his spam invisible on Mediawiki. And then he adds one or more edits afterwards, often just adding a few blank lines. Sometimes he removes the content of the pages.

I don’t know if the page he spammed is someone else’s page (ie he’s still experimenting), or if this is an actual spam. The spammed pages are identical in syntax to the Disney spam before, and goes to the coolhost.biz domain. It’s on a zedo domain parking system.

Mediawiki owners, add that domain to your blacklist, or you may have to clean up after this spammer.

These IP addresses were involved:

24.148.43.54
64.168.100.7
66.61.58.31
66.188.130.109
67.80.191.127
67.160.229.235
67.170.199.253
68.5.163.13
68.23.184.40
68.23.189.107
68.75.169.94
68.198.157.71
68.205.11.49
68.221.109.36
69.112.249.223
69.146.19.127
69.211.99.233
69.253.243.193
70.250.194.196
71.130.59.182
71.192.177.5
72.224.16.4
83.17.52.210
83.83.122.12
216.165.247.195

These IP numbers appear to be regular home computers? They might be part of a botnet.

I found another user of these numbers:
66.188.130.109
67.80.191.127
216.165.247.195

He uses a subdomain on lamer.la (it’s been nulled), and one on ehttp.cc. Those COULD be two different spammers. Doing guestbook spam.

I checked my logs, and noticed that the referrers were faked. Most were from my own site, but I caught a few others. One looked like this:
“developers.feedster.com”

User agent was a pretty standard:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

This entry was posted on Sunday, October 9th, 2005 at 4:52 am and is filed under Wiki spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.