Comments on: Wiki-spam attack from diving-deep

by: tuxsoul

Sun, 20 Jan 2008 14:26:28 +0000

Hi, sorry my english is bad, a few time ago, really a few hour’s i have write one small extension to mediawiki to use project honey pot, if you use mediawiki you can test this extension.

Greeting’s

by: plr

Wed, 01 Aug 2007 20:58:44 +0000

www.equant.ru redirectls to www.orange-business.ru
Contacts are here: http://www.orange-business.ru/about/contacts/
Moscow office:
ul Yakimanskaya nab. 4-1, Moscow
phones: +7-495-620-9500, +7-495-705-9229

by: Ahasuerus

Fri, 15 Jun 2007 22:15:23 +0000

These folks have been spamming the ISFDB Wiki for over a week now. We may be forced to upgrade to a more recent version of the MediaWiki software and implement captchas

The Russian language site is apparently owned by the Russian affiliate of France Telecom (”FT group”) and the parent company’s Webmaster’s e-mail address is infos.groupe@orange-ftgroup.com according to http://www.francetelecom.com/en/tools/contact/index.html.

by: Comment Spam @ WordPress « Dasher’s Corner

Tue, 22 May 2007 08:38:18 +0000

[…] It’s not just Blogs that are suffering - wiki pollution is a growing problem with poorly secured or badly implemented Wikis.� SpamHuntress wrote recently about a massive wiki spam issue on one of the sites she manages.� It’s a tough nut to crack - there isn’t a clear definition or deliniation of responsabilities on who is responsible for what.� Is it the responsibility of the site owner to make sure their site is secure?� Some would say so… but when you try to operate a large community effort (such as managing or maintaining a wiki where you want to promote community participation) implementing extras controls (such as user authentication & validation) dissuade people from participating. […]

by: admin

Tue, 08 May 2007 00:12:40 +0000

Hi ALM,

There are some factors that will give more results when it comes to abuse reports. In my experience, these are some factors: Trust (that the person you complain to know that you know your stuff, and won’t send false reports), Power (if you’ve got a public platform where people actually read your findings), Ease of investigation (some forms of abuse are easier to investigate than others).

I’d love to see the code you used to get that information. Not sure it’ll work in my contact form, but maybe?

Also, if you do a search for that IP number on Google, you’ll find lots of independent proof that something is up there. Lots of wiki diffs with that IP as author.

by: ALM

Mon, 07 May 2007 20:47:14 +0000

… and I heard back from emil at intercage,

“Thanks for reporting this, I am going to look into what is happening.”

(Moderator: I changed the full e-mail address to a partial one, so Emil wouldn’t get too much spam)

by: ALM

Mon, 07 May 2007 20:42:30 +0000

Over the past week I’ve had spam coming through a form. I started recording the server variables and found that REMOTE_ADDR and HTTP_VIA contained proxy server info (which varied), but HTTP_X_FORWARDED_FOR is always (well, 16 out of 18) 216.255.179.34 which is intercage. I forwarded my findings to abuse@intercage.com but wasn’t expecting response … but you got one, so maybe I will.

by: InterCage :: Abuse

Tue, 01 May 2007 15:23:11 +0000

Hello Ann,

I appreciate the follow-up in the investigation. 85.255.115.213 has been removed from routing.

The machine will be reviewed for cancellation per follow-up by our client tomorrow. It is more then likely a vHosting machine, so it may be the result of a single account, rather then a whole server.

Never the less, Should you encounter this issue further, please follow-up with us.

Thank you for your time. Have a great day.

�
Abuse Department
InterCage, Inc.

by: admin

Tue, 01 May 2007 13:12:10 +0000

To Forseti:
The spam on my wiki gives me something to write on. And this wasn’t an attack on my wiki only. I saw it on another wiki I own (smaller scale), and I believe it was also on other wikis.

To Intercage:
Thanks. I did some URL blocking, so I don’t know if the spammer is still at it. I’d have to check someone else’s wiki to be sure. But it’s of course a “whack a mole” game. They’ll be coming back somewhere else. Could you please recheck the domain a few times a week for a while, in case they come back somewhere else in your IP space? I’ll recheck now and then too.

Mmm, yeah, right now they’re on this IP:

85.255.115.213
85.255.115.213-xbox.dedi.inhoster.com

I wouldn’t be surprised if it’s the same webhost, but I don’t remember if you’re upstream from inhoster?

by: Forseti

Tue, 01 May 2007 11:55:15 +0000

I am sorry to hear about that attack you were subjected to. Other than quality control (both in accepting only qualified contributors and those with good writing skills), this is one of the reasons I am a proponent of invitation-only accounts. Perhaps you might want to consider such an option as well? Though the number of articles is greatly reduced, one gains in quality and in time - since there is less work in un-doing the edits of spammers, or questionable content.

Sure, it is a different philosophy (exclusive rather than inclusive), but one that is probably better adapted to wikis like yours that has an educational role and objective. I don’t think anyone would cry foul if you decided to change your registration system…