[Mediawiki-l] jibberish
Chuck
chuck at mutualaid.org
Tue Oct 16 15:04:36 UTC 2007
This gibberish spam doesn't make much sense, pardon the pun. The spambot
isn't inserting any actual links. My wikis are getting spammed with
short text strings like "copasnotra" and "romonboel". Based on my
limited understanding of spambots, it seems like the bots are making
these changes as a prelude to doing something else.

After some further investigation, some interesting clues emerge. This
"gibberish spambot" is evidently generating fake user accounts. I
deleted hundreds of fake accounts last night from the four wiki
databases that we run. The spambot is surprisingly doing something that
should make it easy to stop them: all of their fake user accounts
include an email address from the ".ru" domain. The user names are all
different, but the spambot only uses a limited number of fake email
addresses from the .ru domain. Would it be possible to reject user
registrations with code that rejects anything from a certain domain?

Another facet of this problem is that this spambot is using proxy ISPs
or rotating fake IP addresses. In my experience, this is a common method
that spambots use to defeat easy anti-spam measures like server level IP
blocking.

Now that I think about it, I may have thwarted the final stage of this
bot's activities by implementing that spam hack that stops hidden DIV
spam. But our wikis are still getting hit hard by the "gibberish spam".
It's unclear if the hidden DIV spam and the gibberish spam are part of
the same spambot's suite of attacks.
Chuck
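
An added example, not part of the original post and not MediaWiki code: a sketch of the two checks the message asks about, rejecting a registration by email domain and finding addresses shared by many usernames. The function names and sample records are assumptions constructed for illustration, and hooking the check into a wiki's registration path is not shown.

```python
from collections import defaultdict

def normalize_email(email):
    """Return (local, domain) lowercased, or None if the address is malformed."""
    email = email.strip()
    local, sep, domain = email.rpartition("@")
    domain = domain.lower().rstrip(".")          # tolerate a trailing root dot
    if not sep or not local or not domain or " " in email:
        return None
    return local.lower(), domain                 # lowercased only for grouping

def domain_blocked(email, blocked_suffixes):
    """True if the address's domain equals or falls under a blocked suffix.

    Matching is on whole DNS labels, so the suffix "ru" blocks
    "mail.example.ru" but not "example.guru". Malformed addresses are
    treated as blocked too.
    """
    parsed = normalize_email(email)
    if parsed is None:
        return True
    labels = parsed[1].split(".")
    for suffix in blocked_suffixes:
        want = suffix.lower().strip(".").split(".")
        if labels[-len(want):] == want:
            return True
    return False

def reused_addresses(accounts, threshold=3):
    """Map each address used by >= threshold distinct usernames to those names."""
    by_email = defaultdict(set)
    for username, email in accounts:
        parsed = normalize_email(email)
        if parsed is not None:
            by_email["@".join(parsed)].add(username)
    return {addr: sorted(names) for addr, names in by_email.items()
            if len(names) >= threshold}

# Constructed sample records (username, email); not data from the post.
SAMPLE_ACCOUNTS = [
    ("Qwertzu1", "box1@mail.example.ru"),
    ("Asdfgh22", "BOX1@mail.example.ru"),
    ("Zxcvbn33", "box1@mail.example.ru."),
    ("Alice", "alice@example.org"),
    ("Bob", "bob@example.guru"),
]

if __name__ == "__main__":
    for name, addr in SAMPLE_ACCOUNTS:
        print(name, addr, "blocked" if domain_blocked(addr, ["ru"]) else "ok")
    print(reused_addresses(SAMPLE_ACCOUNTS))
```

Blocking a whole country-code domain also rejects every legitimate user with an address there, so the reuse report is the narrower of the two checks.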