There's been a spambot active for the last few days. It uses a number (2-15) of open proxies simultaneously to edit at a high rate, often on small unattended wikis. It finds pages by spidering. Each anonymous proxy seems to represent an autonomously spidering bot -- the bots often repeat each others' work, adding the offending external link multiple times. Over the last few days it's probably made over 1000 edits. The site in question is a Chinese Internet marketing company called EMMSS.
The open proxy blocking code I've been developing since the discussion on open proxies at wikien-l still has some teething problems. It should help if it's tweaked somewhat for this particular situation (I originally intended it for human vandals). However there's a few other features on my wishlist which I think would help to deal with this sort of problem.
One is a combined recent changes, showing all wikimedia wikis. This would allow people to watch for anomalous activity on usually quiet wikis. I imagine this would share code with the socket-based IRC bot which is in development.
Another much-requested feature is enhancement of the rollback function, especially to allow for page deletion. The bot created many pages, apparently by following red links. In my opinion, the ideal feature would be to allow the user to supply a list of IP addresses and usernames, and then to revert every edit from those users with a single click. People cleaning up after this spambot often had to revert manually because the bot had edited the same page with multiple IP addresses. For completeness it would be nice to include page-move reversion.
For now we've been dealing with this using filters and editor manpower. Filters are bad, they're against the wiki security model. I'd much rather put more power into the hands of users to deal with these situations, than to continue a filter-based arms race.
If anyone wants to help out with features such as these, please speak up.
In case anyone's wondering, the main response to this problem so far has been to contact a developer, who makes then makes any willing editors temporary sysops on the wikis under attack.
-- Tim Starling