Twiki userpages spammed
Twiki is wiki software. And in the past it wasn’t much plagued with spam, according to the Chongqed writeup.
That has recently changed. I don’t know who figured it out, but I noticed Eugene Blagodarny started posting his MarkusMerk users July 7, 2006. The spam started July 13, 2006. I’ve also seen other user accounts lately that look like spammer probing. There are several spammers using holes in twiki to spam, so it’s hard to figure out exactly who did what.
The spam works as follows:
The spammer registers as a user, with a spammy name, such as Viagra. He then populates the user page with his e-mail address and name, and then adds a comment on this form:

Example: twiki.gridprovenance.org/bin/view/Main/GrowthHormone
The end result is a redirecting page on a wiki. And yes, it is indexed by search engines. The twiki developers need to close that hole! One way of making twiki less interesting would be to make sure any user page is off limits to search engine spiders. But the redirect holes will also need to be plugged.
Here’s an example of a spammed wiki:
uai.cs.ubc.ca/cgi-bin/twiki/changes/Main
The spammy users were registered July 13. 29 users, if my count is correct.
I’ve also seen regular comment spam techniques used for adding spam to user pages this way. Here’s one example:
gnuenterprise.org/cgi-bin/twiki/view/Main/AustraliaRealEstate
Update: The twiki guys have identified yet another spam technique, and offered solutions: HTML Attachment Spam
August 6th, 2006 at 1:36 pm
Wiki spam is a growing problem. Spammers get more sophisticated; we fight back. Spam on TWiki sites is not new. To find out, please follow the WikiSpam link located on the twiki.org homepage: http://twiki.org/cgi-bin/view/Codev/WikiSpam
I disagree with your statement: TWiki developers have been fighting spam for a long time. TWiki has a BlackListPlugin that is quite effective, and we update the Plugin every time we discover a new spam twist, such as redirects obfuscated in JavaScript eval.
The BlackListPlugin fights spam on several fronts:
* Multiple registrations in rapid succession
* Multiple page saves in rapid succession
* Saving text with known wiki-spam (spam list is maintained and shared by TWiki, MoinMoin and Mediawiki sites)
* Attaching files with known wiki-spam
* Attaching files with JavaScript eval
* Manually maintained BLACKLIST of malicious IP addresses
* Automatically updated BANLIST of IP addresses with suspicious activities
* Registration form with magic number in hidden form field to make scripted registrations harder
* Add a rel="nofollow" parameter to external URLs to defeat the purpose of spamming TWiki sites
We strongly recommend owners of public TWikis to upgrade to the latest BlackListPlugin. But the reality is that there are many public TWiki sites that do not even have this Plugin installed.
Thanks for raising the awareness on wiki spam!
– Peter Thoeny - peter AT structuredwikis DOT com - http://twiki.org/
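Two of the defenses listed in the comment above (banning IPs that register many users in rapid succession, and adding rel="nofollow" to external links), sketched in Python as an added example. This is not BlackListPlugin code; the thresholds, function names and sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlparse

# Assumed thresholds (not the plugin's): more than MAX_EVENTS registrations
# from one IP within WINDOW_SECONDS puts that IP on the ban list.
WINDOW_SECONDS = 60
MAX_EVENTS = 3

def build_banlist(events, window=WINDOW_SECONDS, max_events=MAX_EVENTS):
    """events: (unix_time, ip, action) tuples sorted by time.
    Returns the IPs that exceeded max_events registrations in any window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = set()
    for ts, ip, action in events:
        if action != "register":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > max_events:
            banned.add(ip)
    return banned

LINK = re.compile(r'<a\s+([^>]*?)href="([^"]+)"([^>]*)>', re.I)

def add_nofollow(html, own_host):
    """Add rel="nofollow" to links leaving own_host so spam links earn no rank."""
    def fix(m):
        before, url, after = m.groups()
        host = urlparse(url).hostname
        # Leave relative links, same-host links and links with a rel= alone.
        if host is None or host == own_host or "rel=" in (before + after).lower():
            return m.group(0)
        return f'<a {before}href="{url}"{after} rel="nofollow">'
    return LINK.sub(fix, html)

# Constructed sample data (documentation-range IPs, made-up page HTML).
SAMPLE_EVENTS = [
    (1000, "192.0.2.10", "register"), (1005, "192.0.2.10", "register"),
    (1010, "192.0.2.10", "register"), (1015, "192.0.2.10", "register"),
    (1020, "198.51.100.7", "register"), (2000, "198.51.100.7", "register"),
]
SAMPLE_PAGE = ('<a href="http://spam.example/pills">cheap</a> '
               '<a href="/bin/view/Main/WebHome">home</a>')

if __name__ == "__main__":
    print(sorted(build_banlist(SAMPLE_EVENTS)))
    print(add_nofollow(SAMPLE_PAGE, "wiki.example"))
```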
August 6th, 2006 at 3:09 pm
Couldn’t the BlackListPlugin be included and turned on in the default install? People on intranets who don’t need it could easily turn it off. But it would protect those who use Twiki on the internet that aren’t aware of the spam problem or the solution.
August 6th, 2006 at 6:01 pm
The BlackListPlugin could be included in the distribution, however, it does not make sense for TWiki since its focus is the Intranet.
To address the issue, we sent out several spam related alerts to the twiki-announce mailing list, and I sent personal e-mails to some site owners not on the list. Still, the awareness of wiki spam needs to be raised so that more site owners take actions.
August 6th, 2006 at 8:00 pm
I know your focus is intranet, but there are many people using it on the web who likely aren’t on your mailing list. I know I rarely sign up to mailing lists of software I use. We have been trying to raise the awareness of wiki spam for years but it isn’t working well. Like comment spam, the only thing that will lessen the problem is wikis with better built in spam protection. Few have it. TWiki isn’t targeted for the internet so it is somewhat understandable, but even the big ones like MediaWiki provide little protection by default.
August 6th, 2006 at 8:11 pm
The Spamhuntress blog on “TWiki userpages spammed” prompted me to write an overview on wiki spam on my own blog: http://www.structuredwikis.com/peter_2006-08-06.html