Comments on: Random numbers edits on wikis

by: Code Codex

Fri, 21 Jul 2006 14:16:22 +0000

Thanks Will, that seems to be working on my site!

These numbers were driving me crazy. I still have no clue what they are…

by: Will

Sun, 09 Jul 2006 20:09:25 +0000

It turns out I got too clever, trying to use “^” and “$” to identify the beginnings and endings of lines. That didn’t catch the numerical spam. Also I didn’t previously know about “{m,n}” as a regex way to specify a number of repetitions. Here’s what I’ve got now: “[0-9]{20,50}”

by: Will

Sat, 08 Jul 2006 18:59:23 +0000

I’ve also been seeing a lot of this on a Mediawiki installation. Laura, thanks for the info about $wgEnableSorbs. Here is what I just added to my $wgSpamRegex, I don’t yet know if it will catch these things:
“^\s*[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+\s*$”.
I made this the last item (right before the “/i” line), so I added “|” to the end of the previous regex to “or” this in with the others. The period at the end is a string concatenation. I found info about PHP regexes at http://weblogtoolscollection.com/regex/regex.php.

by: Laura Q

Fri, 30 Jun 2006 17:58:13 +0000

Yeah, we’ve been getting a *lot* of these. Numeric strings of either 18 or 20 characters long; often but not always creating a new page.

A friend speculates that they are a malfunctioning spambot.

We’ve using MediaWiki software, and just enabled proxy blocking ($wgEnableSorbs) and I just added $wgSpamRegex which blocks edits that include the prohibited matched text. I think I’m going to add 16-digit numeric strings to the $wgSpamRegex and see if that helps.

by: Joe

Sun, 25 Jun 2006 04:19:49 +0000

Recently I have seen similar edits a lot. It is not a recent invention though this pattern is new and it seems more common lately. On my honeypot wiki, one was done as page section edit of the last section on the page and only added 47614383212899288105565. What seems most likely to me is testing for unmonitored wikis like Chris said. I have yet to see any proof of it though. I am really interested to find out if there are any hits later to those pages that seem unusual, especially a search engine referrer looking for that string of numbers.

by: Chris Mikkelson

Sun, 25 Jun 2006 02:09:19 +0000

Some sort of test/probe perhaps? Maybe they send the bots back later to see if the random numbers are still there. If they are, it means:

1) “whatever this bot is doing” got through, i.e. they’re testing the defenses of the website, and

2) the wiki is not well-policed, and thus a better target for wiki-spamming.

by: IncrediBILL

Sat, 24 Jun 2006 20:04:08 +0000

I’m just curious why you allow blank user agents on your sites.

Install a good UA filter and it’ll stop a lot of automated tools.

Also, consider putting a captcha on your wiki to stop the rest.

by: Dirk

Sat, 24 Jun 2006 20:03:42 +0000

No idea if they’re related, but I got a few spam posts for numeric domains on one of my forums today, e.g.

416983032 [url=h*tp://www_480429077_com]480429077[/url] h*tp://www_139138793_com

That was the entire post (slightly edited: dots to underscores and h*tp instead of http to prevent linkage)

by: Administrator

Sat, 24 Jun 2006 14:16:34 +0000

To Matt,
I doubt it. Some of the pages were absolute virginal. Never been added content to.

by: Matt Sergeant

Sat, 24 Jun 2006 13:28:14 +0000

I remember a while ago Justin Mason pointing out breadcrumbs left by Nigerian scammers to say “I’ve done this one”. I wonder if it’s a variation on that theme.

Or just broken spamware.