I am surprised to see that a spammer is spoofing his IP address. I got some spam from 200.90.74.226 - "226" is out of range for IPs and so isn't even a valid IP address. I confirmed that the number is not a wiki username and the apache log shows the same IP. It appears maybe the spammer's script has a bug and is not range-checking the generated numbers, which made it obvious that the IP is spoofed; otherwise I would have never noticed.
I thought IP spoofing was a fairly sophisticated tactic and didn't expect to see a common wiki spammer using it, or am I wrong? I'm also surprised apache even allowed the connection, much less the Amazon AWS firewall. Am I missing something?
Al
On Fri, Oct 24, 2014 at 3:25 PM, Al alj62888@yahoo.com wrote:
"226" is out of range for IPs and so isn't even a valid IP address.
I don't think that's correct. The max is 255, not 225.
DOH! My apologies... dang old brain of mine.
From: Benjamin Lees emufarmers@gmail.com
To: Al alj62888@yahoo.com; MediaWiki announcements and site admin list mediawiki-l@lists.wikimedia.org
Sent: Friday, October 24, 2014 1:54 PM
Subject: Re: [MediaWiki-l] Off topic: Wiki spammer is using spoofed IP addresses???
On Fri, Oct 24, 2014 at 3:25 PM, Al alj62888@yahoo.com wrote:
"226" is out of range for IPs and so isn't even a valid IP address.
I don't think that's correct. The max is 255, not 225.
The IP address belongs to CANTV Servicios, which I have seen a LOT of spam from recently.
Spammers might be using something similar to the IPfuck Firefox/Chrome extension, which fakes an IP address instead of allowing the real IP to be recorded. Not sure how we can defend against that sort of thing at present.
Date: Fri, 24 Oct 2014 16:25:42 -0400
From: phoenixoverride@gmail.com
To: alj62888@yahoo.com; mediawiki-l@lists.wikimedia.org
Subject: Re: [MediaWiki-l] Off topic: Wiki spammer is using spoofed IP addresses???
The IP address belongs to CANTV Servicios which I have seen a LOT of spam from recently
MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
That extension only fools misconfigured webservers. You don't blindly accept X-Forwarded-For, VIA, or Client-IP as the 'real' IP.
On Fri, Oct 24, 2014 at 1:34 PM, Arcane 21 arcane@live.com wrote:
Spammers might be using something similar to the IPfuck Firefox/Chrome extension, which fakes an IP address instead of allowing the real IP to be recorded, not sure how we can defend against that sort of thing at present.
MediaWiki doesn't trust the XFF header unless it's from a trusted proxy, so the user's real IP would be reported.
On Oct 24, 2014 4:34 PM, "Arcane 21" arcane@live.com wrote:
Spammers might be using something similar to the IPfuck Firefox/Chrome extension, which fakes an IP address instead of allowing the real IP to be recorded, not sure how we can defend against that sort of thing at present.
you're doing something wrong if you're vulnerable to this.
http://ipflood.paulds.fr/ says:
when sending a request to a server you will provide several information about your IP address : three of them come from the Application Layer and the last one comes from the Transport Layer. This last one I can't modify : you wouldn't get the answer to your request if that was done. But the three others can be overwritten without any consequence to your browsing...
( https://addons.mozilla.org/en-US/firefox/addon/ipflood/ is the same thing)
See also https://meta.wikimedia.org/wiki/XFF_project
-Jeremy
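The rule stated in the replies above (believe X-Forwarded-For only when the TCP peer is itself a trusted proxy, and ignore it otherwise), as an added Python example; it is not MediaWiki's code and not from any poster in this thread. The proxy range `10.0.0.0/24`, the function names and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed example value: the only network allowed to vouch for a client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr (an ip_address object) lies in a trusted proxy network."""
    return any(addr in net for net in trusted)


def resolve_client_ip(remote_addr, xff=None, trusted=TRUSTED_PROXIES):
    """Return the address to record for a request.

    remote_addr is the TCP peer (transport layer); the client cannot forge
    it and still receive the response. xff is the raw X-Forwarded-For value
    (application layer), which any client can set to anything.
    """
    current = ipaddress.ip_address(remote_addr)
    if not xff:
        return str(current)
    # Walk the header right to left: an entry is believed only if the hop
    # that reported it is itself a trusted proxy.
    for entry in reversed([part.strip() for part in xff.split(",")]):
        if not is_trusted(current, trusted):
            break  # reached a hop we do not trust: everything left of it is a claim
        try:
            current = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry (for example an octet above 255)
    return str(current)


if __name__ == "__main__":
    # Direct connection from an untrusted peer: the forged header is ignored.
    print(resolve_client_ip("203.0.113.7", "198.51.100.9"))
    # Via the trusted proxy: only the entry the proxy appended is believed.
    print(resolve_client_ip("10.0.0.5", "198.51.100.9, 203.0.113.7"))
```

Client-IP and Via are never consulted here, which matches the advice in the thread not to accept those headers as the real address.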