[Systems] New Wiki spam

Frederick Grose fgrose at sugarlabs.org
Fri Jul 17 10:15:05 EDT 2009


On Fri, Jul 17, 2009 at 10:10 AM, Frederick Grose <fgrose at sugarlabs.org>wrote:

>
>
> On Wed, Jul 15, 2009 at 10:32 PM, Chris Leonard <cjlhomeaddress at gmail.com>wrote:
>
>> On Wed, Jul 15, 2009 at 10:50 AM, Frederick Grose <fgrose at gmail.com>wrote:
>>
>>> Please see the user creation log and many spam pages added on 15 July
>>> 2009, http://wiki.sugarlabs.org/go/Special:RecentChanges.
>>>
>>> We have this problem on wiki.laptop.org as well, see
>>> http://wiki.laptop.org/go/OLPC_talk:Vandalism#Article_updated_via_HTTP_request
>>> .
>>>
>>> Chris suggested that we may need a page creation restriction, such as
>>> http://www.mediawiki.org/wiki/Manual:Preventing_access#Restrict_page_creation
>>> .
>>>
>>> Suggestions...
>>>
>>>          --Fred
>>>
>>>
>>
>> Just to clarify, there are two dominant styles of wiki vandalism these
>> days on w.l.o (and apparently now on w.sl.o).
>>
>> Style 1 (mostly on w.l.o)
>>
>> Repetitive creation of a number of specific pages in Main space containing
>> only a link.  These pages are created by a rotating series of anon IP
>> addresses.
>>
>> It is this type that I think could be addressed by a page creation
>> blocking tool. The same pages created are generated by some HTTP request
>> that appears to be immune to normal IP blocking, very odd.  The same pages
>> are created over and over again.    Given how fast they are created, I'm
>> reasonably confident that this is being done by a bot that looks to see if
>> these pages have been deleted and recreates them (with a different spammy
>> URL) probably as some form of SEO link indexing spam motive.
>>
>> I've blocked a lot of anon IPs, but they just change uo, only sometimes do
>> the IP addresses repeat.  I've deleted the same 20-odd pages many times.
>>
>>
>> Style 2 (on w.l.o and now most recently on w.sl.o)
>>
>> Creation of a new user with the naming pattern of
>>
>> (nnn) buy (some drug name)
>> where nnn is some three digit number and the drug names vary.
>>
>> and the population of that user's page in User space with a series of
>> spammy text and links.
>>
>> I have handed out a lot of infinite blocks (as these are unacceptable user
>> names) and deleted a lot of pages (because the user pages are spammy), but
>> this pattern represents a very large possible namespace and there are a very
>> large number of possible combinations of this naming pattern.
>>
>> For this type of attack I am guessing that an improved CAPTCHA on user
>> creation is needed.
>>
>> I would encourage systems and wiki-gang to collaborate on automated or
>> systemic solutions to these attack types.  I'd love to have a
>> countervandalism bot installed (there are wikipedia examples that merit
>> investigation).  I've been stomp on these attacks, but it is getting sort of
>> old.  Any help would be appreciated.  As I am soon ot be unemployed (in
>> about two weeks) and fully engaged in the job hunt, it will cut into my time
>> available to vandal-stomp, resulting in the build-up of the attacks I have
>> been manually countering.
>>
>
> A variation of 2 is occurring on dev.sugarlabs.org as well,
> http://dev.sugarlabs.org/wiki/131_buy_risperdal


Or for a fuller view,
http://dev.sugarlabs.org/search?ticket=on&milestone=on&wiki=on&q=Click&page=2&noquickjump=1

>
>
>       --Fred
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sugarlabs.org/private/systems/attachments/20090717/f20de3bf/attachment.htm 


More information about the Systems mailing list