Archive for the 'Wiki spam' Category

Twiki userpages spammed

Sunday, August 6th, 2006

Twiki is wiki software. And in the past it wasn’t much plagued with spam, according to the Chongqed writeup.

That has recently changed. I don’t know who figured it out, but I noticed that Eugene Blagodarny started posting his MarkusMerk users on July 7, 2006. The spam started July 13, 2006. I’ve also seen other user accounts lately that look like spammer probing. There are several spammers using holes in twiki to spam, so it’s hard to figure out exactly who did what.

The spam works as follows:

The spammer registers as a user, with a spammy name, such as Viagra. He then populates the user page with his e-mail address and name, and then adds a comment of this form:

[image: twikiuserspam]

Example: twiki.gridprovenance.org/bin/view/Main/GrowthHormone

The end result is a redirecting page on a wiki. And yes, it is indexed by search engines. The twiki developers need to close that hole! One way of making twiki less interesting would be to make sure any user page is off limits to search engine spiders. But the redirect holes will also need to be plugged.
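To find a page like the GrowthHormone one before a search engine does, a wiki owner can scan the rendered HTML of every user page for the two usual redirect mechanisms, a meta refresh and a JavaScript location change, and flag those that send visitors off-site. The Python below is an added example, not code from this post or from the Twiki project; the sample page and the hostnames in it are constructed, and twiki.example.org is a placeholder for the wiki’s own hostname.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a spammed user page, modelled on the redirect trick
# described in the post; hostnames are invented, not from any affected site.
SAMPLE_USER_PAGE = """
<html><head>
<meta http-equiv="refresh" content="0; url=http://pills.example/landing.html">
<title>GrowthHormone</title></head>
<body>Name: Growth Hormone<br>Email: someone@example.invalid
<script type="text/javascript">
window.location.href = "http://pills.example/landing.html";
</script>
</body></html>
"""

# "0; url=http://..." inside a meta refresh
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
# location = "...", location.href = "...", location.replace("...")
JS_REDIRECTS = [
    re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    re.compile(r"location\.replace\s*\(\s*['\"]([^'\"]+)['\"]", re.I),
]


class RedirectFinder(HTMLParser):
    """Collects (kind, url) pairs for every redirect mechanism in a page."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script:
            for pat in JS_REDIRECTS:
                for m in pat.finditer(data):
                    self.targets.append(("javascript", m.group(1)))


def find_redirects(html, own_host):
    """Return the off-site redirects in a page; same-host targets are ignored."""
    p = RedirectFinder()
    p.feed(html)
    p.close()
    hits = []
    for kind, url in p.targets:
        host = urlparse(url).hostname or own_host   # relative URL = same host
        if host.lower() != own_host.lower():
            hits.append({"kind": kind, "url": url, "host": host})
    return hits


def audit_user_pages(pages, own_host):
    """pages maps user name -> rendered HTML; returns only the redirecting ones."""
    flagged = {}
    for name, html in pages.items():
        hits = find_redirects(html, own_host)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    sample = {"GrowthHormone": SAMPLE_USER_PAGE, "JohnDoe": "<p>Hello.</p>"}
    for user, hits in audit_user_pages(sample, "twiki.example.org").items():
        for h in hits:
            print(f"{user}: {h['kind']} -> {h['host']} ({h['url']})")
```

Relative targets count as same-host and are ignored, so a legitimately moved page stays quiet; after a burst of registrations, feed every page in the user web through audit_user_pages and look at what comes back before the spiders do.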

Here’s an example of a spammed wiki:
uai.cs.ubc.ca/cgi-bin/twiki/changes/Main

The spammy users were registered July 13. 29 users, if my count is correct.

I’ve also seen regular comment spam techniques used for adding spam to user pages this way. Here’s one example:
gnuenterprise.org/cgi-bin/twiki/view/Main/AustraliaRealEstate

Update: The twiki guys have identified yet another spam technique, and offered solutions: HTML Attachment Spam

Every special page wiki spammer

Tuesday, July 18th, 2006

I had a visit from a spammer that spams every special page that I’ve never heard of on MediaWiki. Pages with weird names. Pages that didn’t exist, because most of them were talk pages for possibly existing pages. I have no idea how many pages he spammed. More than 30 would be my guess. He also tagged some talk pages for existing users. And he completely filled them with porn links.

So, here’s a short rundown. I’ve got more, but will try to condense it some.

IP addresses used to spam from. Interesting, because the first five I checked were all Asian:

58.79.206.53
58.226.83.170
58.230.250.23
59.19.214.176
59.21.210.203
59.150.200.40
61.33.174.189
61.35.176.77
61.248.35.110
67.15.42.29
124.49.135.22
124.61.111.177
163.180.200.211
165.229.48.30
194.117.134.196
202.54.61.99
203.81.136.101
203.236.103.196
210.91.187.248
210.92.103.94
210.92.158.98
211.38.113.101
211.38.191.144
211.50.92.91
211.104.149.173
211.113.213.132
211.178.129.104
211.195.40.226
211.217.137.77
211.219.6.246
211.221.210.158
211.213.131.228
218.25.163.18
218.52.58.26
218.108.24.117
218.145.101.210
218.152.81.57
218.209.42.100
218.209.208.189
219.238.187.3
219.248.66.109
220.3.92.45
220.72.163.175
220.87.148.37
220.124.118.210
220.124.234.54
220.231.30.34
221.149.59.96
221.153.11.138
221.165.123.131
221.165.193.67
222.108.150.107
222.118.179.165
222.111.167.19

The spamvertized domains were:

1domiks.org
1ebalo.org
1foleks.org
1golod.org
1hrens.org
1ibanusiks.org
1jolla.org

IP addresses of webhosts:

74.52.17.161
74.52.17.162
74.52.17.163

The pages all had iframes that showed an affiliate page at 100% of the width and 5000 pixels height.

Affiliate: yourfreevids.com id=751

These e-mail addresses were used:

krun@mail333.com
letuns@mail333.com
stoker@mail333.com

Whois info is most likely fake, but here it is, in case someone’s searching for exactly that data:

Registrant Name:Bilanov
Registrant Organization:1dil
Registrant Street1:Vore 67543
Registrant City:Blin
Registrant State/Province:0
Registrant Postal Code:15478
Registrant Country:MX
Registrant Phone:+746.786546786

Registrant Name:Kakauya raznica
Registrant Organization:1hren
Registrant Street1:ddd 15
Registrant City:Fedor city
Registrant State/Province:0
Registrant Postal Code:76454
Registrant Country:BR
Registrant Phone:+764.768456456

Registrant Name:Pizdec komuto
Registrant Organization:Pizdec
Registrant Street1:debilov 98746354
Registrant City:blya
Registrant State/Province:0
Registrant Postal Code:47852
Registrant Country:AR
Registrant Phone:+452.48678654467

---

I checked Google for the e-mail addresses, and hit paydirt. One of the e-mail addresses had been used to spamvertize a subdomain on dia-host.com in January 2005.

The website is no longer active, but the whois is:

DiabloCompany
Diablo (admin@new-incest.com)
Garvard 2-10
Oklahoma
null,655158
ES
Tel. +91.2228797504

I found that exact whois info on coolsearcher.net, which has been found to contain malicious downloads (see the Description pane here). I also found references to new-incest.com at sites warning about CoolWebSearch hijackers.

Random numbers edits on wikis

Saturday, June 24th, 2006

On my other wiki, I’ve had a rash of edits where the editor left random numbers and nothing else. Added on to blank pages, and at the bottom of populated pages. The numbers are always different. Here are some examples:

336234641135702647895605 - 200.176.229.236 cm-virtua-poa-C8B0E5EC.dynamic.brdterra.com.br
777322549507730590193372 - 200.179.207.13 20713.rjo.virtua.com.br
462763863953269399265857 - 65.98.32.16 FortressITX
14755179620817222574718 - 66.114.171.47 bizsig.webex.com
432350101939458677857224 - 218.119.214.71 softbank218119214071.bbtec.net
278494673457118851373917 - 130.227.200.43 Tele2 in Denmark
57490997966354632647955 - 64.12.187.244 egweb-m01.groups.aol.com

They had two different user agents:

"-"
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
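Whatever these edits are for, they are easy to pick out mechanically: the whole contribution is one long run of digits and nothing else, and the requests come from many different addresses with an empty or bare user agent. The Python below is an added example, not something from the post; it takes edit records as a list of dicts (that shape is my assumption, a MediaWiki install would need a small adapter from its own recent-changes data), with constructed documentation-range IPs and user agents, and groups the number-only edits by source.

```python
import re
from collections import defaultdict

# Constructed edit records: documentation-range IPs and made-up user agents.
# The digit strings are the kind of thing the post shows, not real revisions.
SAMPLE_EDITS = [
    {"ip": "203.0.113.10", "ua": "-", "added": "336234641135702647895605"},
    {"ip": "198.51.100.7",
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
     "added": "\n\n777322549507730590193372\n"},
    {"ip": "192.0.2.44", "ua": "Mozilla/5.0 (X11; Linux i686)",
     "added": "Fixed a typo in the second paragraph."},
    {"ip": "203.0.113.10", "ua": "-", "added": "14755179620817222574718"},
    {"ip": "198.51.100.200", "ua": "Mozilla/5.0",
     "added": "Call 555-0100 for details."},
]

# A contribution that is nothing but one run of 16+ digits and whitespace.
NUMBER_ONLY = re.compile(r"^\s*\d{16,}\s*$")
EMPTY_UA = ("", "-")


def is_probe_edit(edit):
    """True when the edit added a bare number and nothing else."""
    return NUMBER_ONLY.match(edit["added"]) is not None


def summarise_probes(edits):
    """Group the number-only edits by source IP and by user agent.

    The summary makes the pattern from the post visible at a glance: many
    distinct IPs, a different number every time, and a user agent that is
    either absent or a bare MSIE string.
    """
    per_ip = defaultdict(list)
    user_agents = defaultdict(int)
    for e in edits:
        if is_probe_edit(e):
            per_ip[e["ip"]].append(e["added"].strip())
            user_agents["(none)" if e["ua"] in EMPTY_UA else e["ua"]] += 1
    return {
        "count": sum(len(v) for v in per_ip.values()),
        "per_ip": dict(per_ip),
        "user_agents": dict(user_agents),
        "distinct_numbers": len({n for v in per_ip.values() for n in v}),
    }


if __name__ == "__main__":
    report = summarise_probes(SAMPLE_EDITS)
    print(f"{report['count']} probe edits from {len(report['per_ip'])} addresses, "
          f"{report['distinct_numbers']} distinct numbers")
    for ip, numbers in report["per_ip"].items():
        print(f"  {ip}: {', '.join(numbers)}")
```

The 16-digit floor keeps ordinary edits that happen to add a phone number or a year out of the report; the numbers in the post are all 23 or 24 digits, so there is plenty of room to raise it.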

One of the IP addresses also tried to validate an account on my forum on that site - and the same code was entered from several IP addresses, some trying several times:

222.105.77.236
59.7.18.115
80.58.205.35
130.227.200.43
219.144.196.226

User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

The username was: splitcam2008

And it’s been used on other forums, with spammed profiles spamvertizing this domain:

splitcamera.com

Registered at joker, with this whois:

Removed whois, because of this discussion about the splitcamera spamming.

Remember, one misused IP address could be used by several spammers, so one may not necessarily be connected to the other.

Speculation?

Update:

Will at Nanonengineer has collected more speculation

The ethical spammer has something to tell me

Thursday, February 9th, 2006

I got this cute little message from a spammer today on my wiki:

I really think you should get a life . I bet you’re single and frustrated and decided to upset other people with your small insignificant existence . Just a thought from a spammer . Happy Valentine’s !

I love it when I get these little love notes. It shows me what I’m doing has some effect. The more personal the potshots, the more I think I’m on to something.

The IP number (195.175.37.55) was from Turkey, and a proxy. So I checked my logs. The joker didn’t try too hard to hide himself. The real IP address was easy enough to find:

86.120.197.66

That’s from Bucharest, Romania. And it’s been used to spam extensively in the past.

It’s known primarily from November last year, when he earned a lot of bans from wiki admins. He was into “invisible” wiki spam, and also left this cute message:

We leave content intact . We allow you to easily remove the additions
We respect your pages and appologize for the spam .
We are the Ethical Spammers group .
(this is an oximoron - two terms that are put together but are opposed meaning) .

Which means he’s the spammer known as

Ethical wiki spammers.

He seemed to disappear shortly after November, so I tried to find more info.

Most of his spam back then was subdomains on rx-seote.com. That site throws up 403s for me at the moment.

But a subdomain on buy-quality-meds.info (also his, but made to look like throwaway domains) had a redirect to findrxdrugs.com that might look like an affiliate link to the uninitiated. findrxdrugs.com has this whois info:

Andrei, Calugaru design@websign.ro
Str. Cicero Nr 111
Bloc S11 Sc1 Ap 6
Drobeta Turnu Severin, 220022
Romania
+40744366836 Fax —

The e-mail address in the whois info used to be a webdesign business. Now it’s blank, but there are invisible links to drug related pages that redirect to findrxdrugs.com. There’s also webspam with that domain from January 2006.

So chances are that really is his contact info.

So, did he stop spamming? Noooo

Lately he’s been spamming a lot of forums, especially yybbs.cgi. Looks like that’s a type of forum or guestbook that’s primarily in use in Japan. And they’re usually spammed to death. I also see some amount of referrer spam.

And I found a log full of spammer entries, where he’s tried to spam:

86.120.197.66 - - [03/Feb/2006:10:24:56 +0900] "POST /cgi-bin/bbs4/yybbs.cgi HTTP/1.1" 403 311 "-" "Mozilla/5.0"

So, he’s still using his own IP address.

He’s also using a technique where he appends a bookmark with the name of his target keywords. The anchor probably doesn’t exist on the site, since the goal is the redirect from the throwaway site.
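The log line above is Apache’s combined format, so a few lines of Python can pull every POST to a guestbook script out of a log and show, per source address, how many attempts the server refused and how many got through. This is an added example, not the author’s own tooling: the sample log reuses the quoted line and adds constructed lines with documentation-range IPs, the guestbook script names beyond yybbs.cgi are my assumption, and keyword_fragment covers the bookmark trick described in the previous paragraph.

```python
import re
from collections import Counter

# Apache combined log format. The first line is the one quoted in the post;
# the rest are constructed (documentation-range IPs) to give the parser a mix.
SAMPLE_LOG = """\
86.120.197.66 - - [03/Feb/2006:10:24:56 +0900] "POST /cgi-bin/bbs4/yybbs.cgi HTTP/1.1" 403 311 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Feb/2006:10:25:01 +0900] "GET /cgi-bin/bbs4/yybbs.cgi HTTP/1.1" 200 8452 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
86.120.197.66 - - [03/Feb/2006:10:25:03 +0900] "POST /cgi-bin/bbs4/yybbs.cgi HTTP/1.1" 403 311 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Feb/2006:10:26:10 +0900] "POST /cgi-bin/guestbook.cgi?page=2 HTTP/1.0" 200 512 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
this line is not in combined format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Scripts that accept visitor posts; yybbs.cgi is the one named in the post,
# guestbook.cgi is an assumed second example.
GUESTBOOK_SCRIPTS = frozenset({"yybbs.cgi", "guestbook.cgi"})


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def script_name(path):
    """'/cgi-bin/guestbook.cgi?page=2' -> 'guestbook.cgi'"""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def post_attempts(text, scripts=GUESTBOOK_SCRIPTS):
    """Per source IP, count POSTs to guestbook scripts by outcome."""
    stats = {}
    for r in parse_log(text):
        if r["method"] != "POST" or script_name(r["path"]) not in scripts:
            continue
        outcome = ("blocked" if r["status"] == "403"
                   else "accepted" if r["status"].startswith("2") else "other")
        stats.setdefault(r["ip"], Counter())[outcome] += 1
    return {ip: dict(c) for ip, c in stats.items()}


def keyword_fragment(url):
    """The '#...' bookmark appended to a spam URL, as plain keywords, or None.

    The anchor need not exist on the target site; it rides along on the link
    and is dropped by the browser before the redirecting page is fetched.
    """
    frag = url.partition("#")[2]
    return frag.replace("-", " ").replace("_", " ").strip() or None


if __name__ == "__main__":
    for ip, outcomes in post_attempts(SAMPLE_LOG).items():
        print(ip, outcomes)
    print(keyword_fragment("http://throwaway.example/#cheap-online-meds"))
```

An address with a high blocked count and no normal GET traffic is a posting script, not a reader; the 403 only says the script was refused this time, so the count is worth keeping even when nothing got through.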

Webhost IP numbers I’ve found that may be associated with this spammer:

209.59.132.158
70.85.249.130
70.86.183.34
70.84.123.66

Mediawiki indexing problems

Friday, January 13th, 2006

I’m using MediaWiki on my site. I like it a lot, and I was resting easy, assured that all outgoing links had nofollow on them.

So I’ve been wondering for some time about spammers, and why they bother with spamming it.

I think I may have found out why.

RSS feeds.

Both the atom and RSS feeds of RecentChanges are being indexed by Google. Not good. Although the links don’t actually work on those feeds, I can still find the spammy buzzwords by doing a search for them via Google with site:spamhuntress.com

Some spammers are smart, but many are just using tools, spraying and praying, and don’t have a clue about nofollow or other sticky points. So figuring out exactly what the Mediawiki spammers are THINKING, is probably futile.

But the MediaWiki developers need to fix this. They need to put a nofollow on those links, and some others that Joe found. Joe, can we get a comment with your findings?
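The quickest way to check the assumption that every outgoing link carries nofollow is to audit the rendered HTML, and then run the same audit over the HTML that a RecentChanges feed embeds in its item descriptions, which is where the indexed copy lives. The Python below is an added example, not MediaWiki code: the page and feed samples are constructed with invented hostnames, and wiki.example.org stands in for your own wiki.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: a rendered wiki page, and an RSS feed whose item
# descriptions carry escaped HTML. All hostnames are invented.
SAMPLE_PAGE = """
<p><a href="/wiki/Help">Help</a>
<a rel="nofollow" href="http://other.example/">fine</a>
<a href="http://pills.example/buy">not fine</a>
<a href="http://wiki.example.org/Main_Page">self link</a></p>
"""

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Recent changes</title>
<item><title>Main Page</title>
<link>http://wiki.example.org/index.php?title=Main_Page</link>
<description>&lt;a href="http://pills.example/"&gt;cheap&lt;/a&gt;
&lt;a rel="nofollow" href="http://other.example/"&gt;ok&lt;/a&gt;</description></item>
<item><title>Help</title><link>http://wiki.example.org/Help</link>
<description>Plain text, no links.</description></item>
</channel></rss>
"""


class LinkCollector(HTMLParser):
    """Records every <a href> together with whether rel contains nofollow."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            self.links.append((a["href"], "nofollow" in rel))


def followed_external_links(markup, own_host):
    """External hrefs without rel=nofollow, i.e. the links a spammer profits from."""
    c = LinkCollector()
    c.feed(markup)
    c.close()
    bad = []
    for href, nofollow in c.links:
        host = urlparse(href).hostname          # None for relative links
        if host and host.lower() != own_host.lower() and not nofollow:
            bad.append(href)
    return bad


def audit_feed(xml_text, own_host):
    """Run the same check over the HTML inside each RSS item's description."""
    root = ET.fromstring(xml_text)
    report = {}
    for item in root.iter("item"):
        title = item.findtext("title") or "?"
        # ElementTree already decodes the XML escaping; html.unescape
        # handles a second, HTML-level layer if the feed double-escapes.
        desc = html.unescape(item.findtext("description") or "")
        bad = followed_external_links(desc, own_host)
        if bad:
            report[title] = bad
    return report


if __name__ == "__main__":
    print("page:", followed_external_links(SAMPLE_PAGE, "wiki.example.org"))
    print("feed:", audit_feed(SAMPLE_FEED, "wiki.example.org"))
```

Point followed_external_links at the output of your own wiki and audit_feed at its RecentChanges RSS; an empty result from both is what "all outgoing links have nofollow" actually looks like.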

Mediawiki anti-spam suggestion

Tuesday, December 27th, 2005

I’ve found that most wiki spammers go for the pages that all MediaWiki installations have by default. Some of those are reached by the menu on the left.

To cut down on the spam left on those pages, protect them while logged in as sysop. That way they can only be edited by someone with rank. But that should be a small price to pay for less wiki spam in general, right?

Here’s an overview of the pages I found necessary to protect on my own wiki.

If you have a different type of wiki, check if you can protect pages, just for your own peace of mind. And please still moderate heavily. I have spammers who go for other pages as well.

Block iframes

Tuesday, December 27th, 2005

Update: Proof of concept

Since discovering the iframe on Yahoo Groups, I’ve been thinking about the possible ill uses of that technique.

Basically, those that have interactive services: You need to disable iframes from working.

Iframes can be used to drop parasites, as well as ads, into services that never intended to become a vehicle for such.

So Yahoo Groups, now’s the time to act!

And any software - forums, guestbooks, wikis, classified - anything out there that allows contributions by people whose character you don’t know, make sure iframes can’t be used!
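Here is both the check and the mitigation, for the iframes measured in the "Every special page wiki spammer" post above (100% wide, 5000 pixels tall, pointing at an affiliate page) and for the advice in this one. It is an added example in Python, not code from the post or from any of the services named; the contributed-page sample and its hostnames are constructed, the affiliate id is a placeholder, and the 1000-pixel threshold is my choice.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: a contributed page carrying the kind of iframe the post
# describes, plus a zero-size one. Hostnames and the aff= value are invented.
SAMPLE_CONTRIBUTION = """
<p>Talk page text</p>
<iframe src="http://affiliate.example/?aff=12345" width="100%" height="5000"
        frameborder="0" scrolling="no"></iframe>
<IFRAME SRC="http://other.example/x" WIDTH=0 HEIGHT=0></IFRAME>
"""


class IframeCollector(HTMLParser):
    """Keeps the attribute dict of every iframe start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":          # HTMLParser lowercases tag and attribute names
            self.frames.append({k: (v or "") for k, v in attrs})


def _px(value):
    """'5000' or '5000px' -> 5000; anything else (e.g. '100%') -> None."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def describe_iframes(markup, tall_px=1000):
    """One record per iframe, with a verdict a moderator can act on."""
    c = IframeCollector()
    c.feed(markup)
    c.close()
    out = []
    for f in c.frames:
        w, h = f.get("width", ""), f.get("height", "")
        hpx = _px(h)
        if w.strip() == "100%" or (hpx is not None and hpx >= tall_px):
            verdict = "oversized"    # takes over the page or pushes real content out
        elif _px(w) == 0 or hpx == 0:
            verdict = "invisible"    # loads content the reader never sees
        else:
            verdict = "small"
        out.append({"src_host": urlparse(f.get("src", "")).hostname,
                    "width": w, "height": h, "verdict": verdict})
    return out


IFRAME_RE = re.compile(r"<iframe\b.*?(?:</iframe\s*>|/>)", re.I | re.S)


def strip_iframes(markup):
    """Mitigation for contributed content: drop iframes outright instead of rating them."""
    return IFRAME_RE.sub("", markup)


if __name__ == "__main__":
    for rec in describe_iframes(SAMPLE_CONTRIBUTION):
        print(rec)
    print(strip_iframes(SAMPLE_CONTRIBUTION))
```

describe_iframes is for triage of what is already on the site; strip_iframes is what belongs in the save path of a forum, guestbook or wiki, where there is no legitimate reason for a visitor to embed another site at all.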

Ethical wiki spammers

Saturday, November 26th, 2005

I found a post through Joe’s blog, about an ethical wiki spammer group.

What they mean by that, is that they don’t delete wiki content, but add their own.

More spammer ethics…

The blogger also noted how he’d had to look out for hidden spam. Note to wiki owners: Look at the diffs. That’s the only way to consistently remove invisible spam. I get almost nothing but invisible spam these days.

Linkspammer migration

Sunday, October 16th, 2005

I’ve got a regular wikispammer, who likes spamming his own profile page.

I traced his latest spam URL to
69.50.188.132

Just check the history tab for the constant ballet of spammer edits and spamhunter reverts.

It’s part of the Intercage IP block. I also found nameservers belonging to ESThost in that range:
69.50.188.130
69.50.188.131

I don’t know? Maybe there’s a migration happening? I haven’t seen dyndns spam domains in that range in the past. I’ve copied both Intercage and ESThost on the abuse mail. Update: The user account seems to have been suspended.

And about the IP address he was spamming from. It was on a socks proxy list a while ago, as having a proxy port of 8790. It’s a small list, and most of the machines on it have high number proxy ports. And many of them do not appear to be webservers. So I’m wondering if maybe they are compromised in some way? I also found that particular IP address on a spam list that appears to be tallying spam mail received (the site is in German, and I didn’t read the whole thing).

BTW, I guess you guys are tired of my sudden obsession with mail spam, eh?

Invisible wiki spammer hits again

Sunday, October 9th, 2005

My “other” wiki got a visit from our invisible wiki spammer. He uses tags that make his spam invisible on Mediawiki. And then he adds one or more edits afterwards, often just adding a few blank lines. Sometimes he removes the content of the pages.

I don’t know if the page he spammed is someone else’s page (i.e. he’s still experimenting), or if this is an actual spam. The spammed pages are identical in syntax to the Disney spam before, and go to the coolhost.biz domain. It’s on a zedo domain parking system.

Mediawiki owners, add that domain to your blacklist, or you may have to clean up after this spammer.
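The advice to read the diff rather than the rendered page (the same point as in the "Ethical wiki spammers" post above) can be automated: compare the two revisions, look only at the added lines for hiding styles and blacklisted hosts, and separately flag the cover edits that add nothing but blank lines and the edits that wipe a page. The Python below is an added example, not code from the post: the revisions are constructed, coolhost.biz is the domain named in the post, and the hidden-style patterns are my list of the common cases.

```python
import difflib
import re

# Domain named in the post; extend with your own blacklist.
BLACKLIST = {"coolhost.biz"}

# Inline styles that render content invisible or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.)|"
    r'position\s*:\s*absolute[^"\']*(?:left|top)\s*:\s*-\d{3,}', re.I)
LINK_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Constructed revisions of one page (not the real page from the post).
OLD = "== Parks ==\nSome text about theme parks.\nMore text.\n"
HIDDEN = OLD + '<div style="display:none"><a href="http://coolhost.biz/x">cheap</a></div>\n'
COVER = HIDDEN + "\n\n"      # the follow-up edit that only adds blank lines
BLANKED = "\n"               # the edit that removes the page content
HONEST = OLD + "A sentence a real editor added.\n"


def diff_lines(old, new):
    """Lines added and removed between two revisions, via difflib.ndiff markers."""
    added, removed = [], []
    for line in difflib.ndiff(old.splitlines(), new.splitlines()):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return added, removed


def classify_edit(old, new, blacklist=BLACKLIST):
    """Judge an edit by its diff, which is where invisible spam shows up."""
    added, removed = diff_lines(old, new)
    content_added = [l for l in added if l.strip()]
    if len(removed) >= 2 and len(removed) > len(content_added):
        return {"verdict": "content-removal",
                "reasons": [f"{len(removed)} lines removed"]}
    if added and not content_added:
        return {"verdict": "blank-only", "reasons": ["adds only blank lines"]}
    reasons = []
    for l in content_added:
        if HIDDEN_STYLE.search(l):
            reasons.append("hidden style: " + l.strip()[:70])
        for host in LINK_HOST.findall(l):
            if host.lower() in blacklist:
                reasons.append("blacklisted domain: " + host)
    if any(r.startswith("hidden") for r in reasons):
        verdict = "hidden-spam"
    elif reasons:
        verdict = "spam-link"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for label, (a, b) in {"spam": (OLD, HIDDEN), "cover": (HIDDEN, COVER),
                          "wipe": (OLD, BLANKED), "honest": (OLD, HONEST)}.items():
        print(label, classify_edit(a, b))
```

The content-removal rule is a coarse heuristic (a large honest rewrite trips it too), so treat it as a prompt to look at the diff rather than an automatic revert; the hidden-style and blacklist hits, by contrast, have no innocent reading on a public wiki.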

These IP addresses were involved:

24.148.43.54
64.168.100.7
66.61.58.31
66.188.130.109
67.80.191.127
67.160.229.235
67.170.199.253
68.5.163.13
68.23.184.40
68.23.189.107
68.75.169.94
68.198.157.71
68.205.11.49
68.221.109.36
69.112.249.223
69.146.19.127
69.211.99.233
69.253.243.193
70.250.194.196
71.130.59.182
71.192.177.5
72.224.16.4
83.17.52.210
83.83.122.12
216.165.247.195

These IP numbers appear to be regular home computers? They might be part of a botnet.

I found another user of these numbers:
66.188.130.109
67.80.191.127
216.165.247.195

He uses a subdomain on lamer.la (it’s been nulled), and one on ehttp.cc. Those COULD be two different spammers. Doing guestbook spam.

I checked my logs, and noticed that the referrers were faked. Most were from my own site, but I caught a few others. One looked like this:
"developers.feedster.com"

User agent was a pretty standard:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)