Archive for September, 2007

Spam on mac.com

Friday, September 28th, 2007

This is weird…

I was checking my logs for weird patterns, and found that spammers search my wiki. A lot. And since search doesn’t work, it’s weird. I find that they search for spam. One pattern is to search for phentermine and similar, and another is to search for specific URLs that spammers have tried to insert as spam - I assume.

One such URL led to mac.com:

idisk.mac.com/mysharon/Public/narutoporn.html

I harvested the page, removed the redirect javascript, and loaded it. The page looks like a Blogger blog post. The “About me” page is greyed out, as is any other typical blogger system link - or removed altogether.

So, how did a spampage get on a Mac site? I don’t find ANY reference to idisk.mac.com except with the directory mysharon.

Could someone who knows how to get Apple’s attention please notify them?

Incidentally, the spammer that searches for lots of URLs tends to use this malformed user agent:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Might be the same bunch (or someone using the same software) that are churning out comment spam from this IP on Inhoster: 85.255.117.226
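As an added example (not the blog author's code), a small Python script that scans Apache-style access log lines for the two indicators noted above: wiki searches for spam terms or for full URLs, and the malformed User-Agent with a second nested "Mozilla/4.0 (compatible;" and unbalanced parentheses. The log lines, IP addresses and the spam-term list are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (IPs are made up).
SAMPLE_LOG = """\
10.0.0.1 - - [28/Sep/2007:10:00:01 +0200] "GET /wiki/index.php?search=phentermine&go=Go HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.2 - - [28/Sep/2007:10:00:05 +0200] "GET /wiki/index.php?search=http%3A%2F%2Fexample.invalid%2Fpage.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.3 - - [28/Sep/2007:10:01:00 +0200] "GET /wiki/index.php?search=installation+guide HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 Firefox/2.0.0.6"
10.0.0.4 - - [28/Sep/2007:10:02:00 +0200] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 8192 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# ip, request line, and the final quoted field (the User-Agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SPAM_TERMS = ("phentermine", "viagra", "cialis", "porn")  # constructed list


def malformed_ua(ua: str) -> bool:
    """True for the nested/unbalanced UA pattern seen in the spam traffic."""
    return ua.count("Mozilla/4.0 (compatible;") > 1 or ua.count("(") != ua.count(")")


def suspicious_search(path: str) -> Optional[str]:
    """Return the search term if it is a URL or contains a spam term, else None."""
    term = parse_qs(urlsplit(path).query).get("search", [""])[0].strip().lower()
    if not term:
        return None
    if term.startswith(("http://", "https://", "www.")):
        return term
    return term if any(word in term for word in SPAM_TERMS) else None


def flag_spam_probes(log_text: str) -> List[dict]:
    """One record per request that matches either indicator, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        term, bad_ua = suspicious_search(m["path"]), malformed_ua(m["ua"])
        if term or bad_ua:
            hits.append({"ip": m["ip"], "term": term, "malformed_ua": bad_ua})
    return hits


if __name__ == "__main__":
    for hit in flag_spam_probes(SAMPLE_LOG):
        print(hit)
```

Run against a real access log, the IP column of the flagged records is the list to compare with the comment-spam source mentioned above before deciding on a block.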

A domain on that server seen in spam is this one: willywonka.co.in

Whois:

Registrant Name: Nick Priest
Registrant Organization: IQ inc.
Registrant Street1: Pr. Pobedy 102
Registrant City: Kiev
Registrant Postal Code: 05033
Registrant Country: UA
Registrant Phone: +93.456474776
Registrant Email: lustiq@p5com.com

I found 20 more domains on there (.com and .org, probably more domains with other TLDs), and they were very similar. Spot checks revealed they all belong to the same person, though he sometimes uses a Buenos Aires address. I’ve mentioned this guy before.

Insistent wiki spam

Wednesday, September 26th, 2007

For a while now, I’ve seen very insistent wiki spam on both wikis I maintain, and no doubt on many other wikis I haven’t checked.

The spammer is the same in most cases. He uses a never-ending stream of new IP addresses (most likely proxies), and keeps overwriting his own edits. The end result is that you can’t use the rollback feature on MediaWiki, unless you keep diligent watch all day long.

The most effective way I’ve seen of reverting the edits is to find, in diff mode, the last unaffected edit before he started spamming, click on that revision, then click edit and save.

I’ve locked (protected) most of the talk pages, adding a piece of text asking people to edit a universal talk page. That won’t work for very busy wikis, which hopefully have other spam filtering in place. I’ve never seen spam on wikibooks, for instance.

The latest wave of spam is typical genre porn. Affiliate links are hidden deep in the pages. The latest links have been on .cn pages. Few wikis would have any interest in .cn links, so the whole TLD might be worth adding to the blacklist.

Most of today’s spam comes from this IP: 203.116.63.123. It’s from Starhubinternet in Singapore. One of the domains is registered through Estdomains:

N/A
Henry Verinton (support@gay-pornclub.com)
Manfred Av. 34
Huntsville
Alabama,35801
US
Tel. +001.8003867409

Another (Chinese) domain has this info:

Registrant name: OpobaUjojo
E-mail: o_ujojo@yahoo.com

Update: The barrage of wiki spam became too much work. I’ve set the wiki to only accept edits from logged-in users. Second update: Only to discover that wasn’t enough. The MediaWiki setting I used only hides the edit tab for unregistered users, unless you go to, for instance, diff pages (the edit tab is visible there), and it probably doesn’t stop unregistered users from “guessing” the edit URL.