[Mediawiki-l] jibberish

[Chuck]

This gibberish spam doesn't make much sense, pardon the pun. The spambot 
isn't inserting any actual links. My wikis are getting spammed with 
short text strings like "copasnotra" and "romonboel". Based on my 
limited understanding of spambots, it seems like the bots are making 
these changes as a prelude to doing something else.

After some further investigation, some interesting clues emerge. This 
"gibberish spambot" is evidently generating fake user accounts. I 
deleted hundreds of fake accounts last night from the four wiki 
databases that we run. The spambot is surprisingly doing something that 
should make it easy to stop them: all of their fake user accounts 
include an email address from the ".ru" domain. The user names are all 
different, but the spambot only uses a limited number of fake email 
addresses from the .ru domain. Would it be possible to reject user 
registrations with code that rejects anything from a certain domain?

Another facet of this problem is that this spambot is using proxy ISPs 
or rotating fake IP addresses. In my experience, this is a common method 
that spambots use to defeat easy anti-spam measures like server level IP 
blocking.

Now that I think about it, I may have thwarted the final stage of this 
bot's activities by implementing that spam hack that stops hidden DIV 
spam. But our wikis are still getting hit hard by the "gibberish spam". 
It's unclear if the hidden DIV spam and the gibberish spam are part of 
the same spambots suite of attacks.

Chuck