Wiki-spam attack from diving-deep

I woke up today to a quite massive attack on my wiki. Large edits to lots of pages. The links spamvertized are all to free forums, misused forums belonging to other people and various other non-hacker exploits.

So far the exploited pages all redirect to one domain:

diving-deep.net
216.255.179.196

That’s in Intercage space - they’ve been notified.

The whois is interesting, it points to Norway. The person is allegedly:

Billy Fulkerson (geojon@care2.com)

And the address and phone number point to the Neptun hotel in Haugesund, Norway. Yep, the address and phone number are legit, but I doubt it has anything to do with the spammer. The registrar is KLIK MEDIA GMBH. Remember them?

The IP numbers used for the spam run are all proxies.

The spammer is affiliate number 35vm5c with evoplus.

—————

Update:

Intercage nullrouted them, and they immediately switched to 85.255.115.213 at inhoster. Intercage is upstream, and immediately nullrouted them again, and now they’re on 212.176.41.8 which I believe is on equant.ru. Unfortunately that website is entirely in Russian, and I have trouble figuring out who to contact. Some help would be appreciated? I sent an e-mail to the contact for the IP numbers. And then I contacted the DNS provider as well. Awaiting reply.

Update May 4:

No response from either the current webhost or the DNS provider. And the spamming has started up again - two new wiki diffs on a wiki I own today.

12 Responses to “Wiki-spam attack from diving-deep”

  1. Al says:

    It seems like that was almost inevitable due to the open nature of Wikis. I assume it’s going to start happening more and more often, too. Maybe it’s time to start thinking about confirmed opt-in registration for people before they can modify content on a Wiki. I’d love to see that on Wikipedia; have to log in and pass a human test at least once before you can go to town on articles.

  2. InterCage :: Abuse says:

    Hello,

    The IP Address in question has been removed from routing per your initial notification. Should you experience any further issues, please let us know.

    Thank you for your time. Have a great day.


    Abuse Department
    InterCage, Inc.

  3. Forseti says:

    I am sorry to hear about that attack you were subjected to. Other than quality control (both in accepting only qualified contributors and those with good writing skills), this is one of the reasons I am a proponent of invitation-only accounts. Perhaps you might want to consider such an option as well? Though the number of articles is greatly reduced, one gains in quality and in time, since there is less work in undoing the edits of spammers or questionable content.

    Sure, it is a different philosophy (exclusive rather than inclusive), but one that is probably better adapted to wikis like yours that have an educational role and objective. I don’t think anyone would cry foul if you decided to change your registration system…

  4. admin says:

    To Forseti:
    The spam on my wiki gives me something to write on. And this wasn’t an attack on my wiki only. I saw it on another wiki I own (smaller scale), and I believe it was also on other wikis.

    To Intercage:
    Thanks. I did some URL blocking, so I don’t know if the spammer is still at it. I’d have to check someone else’s wiki to be sure. But it’s of course a “whack a mole” game. They’ll be coming back somewhere else. Could you please recheck the domain a few times a week for a while, in case they come back somewhere else in your IP space? I’ll recheck now and then too.

    Mmm, yeah, right now they’re on this IP:

    85.255.115.213
    85.255.115.213-xbox.dedi.inhoster.com

    I wouldn’t be surprised if it’s the same webhost, but I don’t remember if you’re upstream from inhoster?

  5. InterCage :: Abuse says:

    Hello Ann,

    I appreciate the follow-up in the investigation. 85.255.115.213 has been removed from routing.

    The machine will be reviewed for cancellation per follow-up by our client tomorrow. It is more than likely a vHosting machine, so it may be the result of a single account, rather than a whole server.

    Nevertheless, should you encounter this issue further, please follow up with us.

    Thank you for your time. Have a great day.


    Abuse Department
    InterCage, Inc.

  6. ALM says:

    Over the past week I’ve had spam coming through a form. I started recording the server variables and found that REMOTE_ADDR and HTTP_VIA contained proxy server info (which varied), but HTTP_X_FORWARDED_FOR is always (well, 16 out of 18) 216.255.179.34, which is Intercage. I forwarded my findings to abuse@intercage.com but wasn’t expecting a response … but you got one, so maybe I will.
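
An added example (editor's code, not ALM's, which the post never shows) of the correlation ALM describes: record REMOTE_ADDR, HTTP_VIA and HTTP_X_FORWARDED_FOR per form submission, then group submissions by the forwarded-for origin so a single source hiding behind rotating open proxies stands out. The record shape and the proxy addresses are constructed; the only real value is the 216.255.179.34 address ALM reports.

```python
"""Correlate form submissions by the origin address recorded in X-Forwarded-For."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Address ranges a proxy may prepend as internal hops; never treat these
# as the originating client.
_INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                      "192.168.0.0/16", "127.0.0.0/8")]


def origin_of(record):
    """Return the leftmost routable X-Forwarded-For hop, or REMOTE_ADDR if none.

    X-Forwarded-For is written by whoever relays the request, so the result
    is a correlation signal for an abuse report, not proof of identity.
    """
    for hop in record.get("HTTP_X_FORWARDED_FOR", "").split(","):
        hop = hop.strip()
        try:
            addr = ip_address(hop)
        except ValueError:          # "unknown", empty, or garbage
            continue
        if not any(addr in net for net in _INTERNAL):
            return str(addr)
    return record.get("REMOTE_ADDR", "unknown")


def dominant_origin(records):
    """Return (origin, hits, total) for the most frequent origin address."""
    counts = Counter(origin_of(r) for r in records)
    origin, hits = counts.most_common(1)[0]
    return origin, hits, len(records)


# Constructed sample: 18 submissions through 18 different proxies (REMOTE_ADDR
# and HTTP_VIA vary), 16 of which carry the same forwarded-for origin, which is
# the 16-of-18 ratio ALM reports above.
SAMPLE_SUBMISSIONS = [
    {"REMOTE_ADDR": f"198.51.100.{i}", "HTTP_VIA": f"1.1 proxy{i}",
     "HTTP_X_FORWARDED_FOR": "216.255.179.34"} for i in range(1, 15)
] + [
    {"REMOTE_ADDR": "198.51.100.15", "HTTP_VIA": "1.1 squid",
     "HTTP_X_FORWARDED_FOR": "10.1.2.3, 216.255.179.34"},   # internal hop first
    {"REMOTE_ADDR": "198.51.100.16", "HTTP_VIA": "1.0 relay",
     "HTTP_X_FORWARDED_FOR": " 216.255.179.34 "},            # stray whitespace
    {"REMOTE_ADDR": "198.51.100.17", "HTTP_VIA": "1.1 anon",
     "HTTP_X_FORWARDED_FOR": "unknown"},                     # falls back to proxy
    {"REMOTE_ADDR": "198.51.100.18", "HTTP_VIA": "",
     "HTTP_X_FORWARDED_FOR": "203.0.113.9"},                 # an unrelated visitor
]

if __name__ == "__main__":
    origin, hits, total = dominant_origin(SAMPLE_SUBMISSIONS)
    print(f"{origin}: {hits} of {total} submissions")  # 216.255.179.34: 16 of 18
```

In a real form handler the three variables would be appended to a log per submission and this analysis run over that log; a high concentration on one origin is what makes the abuse report to the hosting provider credible.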

  7. ALM says:

    … and I heard back from emil at intercage,

    “Thanks for reporting this, I am going to look into what is happening.”

    (Moderator: I changed the full e-mail address to a partial one, so Emil wouldn’t get too much spam)

  8. admin says:

    Hi ALM,

    There are some factors that will give more results when it comes to abuse reports. In my experience, these are some factors: Trust (that the person you complain to knows that you know your stuff, and won’t send false reports), Power (if you’ve got a public platform where people actually read your findings), Ease of investigation (some forms of abuse are easier to investigate than others).

    I’d love to see the code you used to get that information. Not sure it’ll work in my contact form, but maybe?

    Also, if you do a search for that IP number on Google, you’ll find lots of independent proof that something is up there. Lots of wiki diffs with that IP as author.

  9. [...] It’s not just Blogs that are suffering - wiki pollution is a growing problem with poorly secured or badly implemented Wikis. SpamHuntress wrote recently about a massive wiki spam issue on one of the sites she manages. It’s a tough nut to crack - there isn’t a clear definition or delineation of responsibilities on who is responsible for what. Is it the responsibility of the site owner to make sure their site is secure? Some would say so… but when you try to operate a large community effort (such as managing or maintaining a wiki where you want to promote community participation) implementing extra controls (such as user authentication & validation) dissuades people from participating. [...]

  10. Ahasuerus says:

    These folks have been spamming the ISFDB Wiki for over a week now. We may be forced to upgrade to a more recent version of the MediaWiki software and implement captchas :(

    The Russian language site is apparently owned by the Russian affiliate of France Telecom (“FT group”) and the parent company’s Webmaster’s e-mail address is infos.groupe@orange-ftgroup.com according to http://www.francetelecom.com/en/tools/contact/index.html.

  11. plr says:

    http://www.equant.ru redirects to http://www.orange-business.ru
    Contacts are here: http://www.orange-business.ru/about/contacts/
    Moscow office:
    ul Yakimanskaya nab. 4-1, Moscow
    phones: +7-495-620-9500, +7-495-705-9229

  12. tuxsoul says:

    Hi, sorry, my English is bad. A short time ago, really just a few hours ago, I wrote a small extension for MediaWiki to use Project Honey Pot. If you use MediaWiki you can test this extension.

    Greetings :wink:
