Wiki Spammers on Public TWiki Sites
See WikiSpam for a general description of the issue.
NOTE: All administrators of public TWiki sites are encouraged to upgrade to the latest BlackListPlugin (version 04 Nov 2005). It prevents known wiki-spam from getting saved in a TWiki topic, makes scripted registrations harder, and protects the site from excessive use by an IP address.
Additional recommendation: Remove the comment box in your TWikiRegistration form; most spammers add spam at the time of registration.
Wikispam Sites
NOTE: This section's table was used to list sites that spammed TWiki.org, with the source IP address and date of each incident. This list is no longer maintained. The TWiki.BlackListPlugin now keeps track of a local wiki-spam list.
Discussions
In WikiSpam, MichaelDaum suggested to collect the spammers.
-- PeterThoeny - 02 Apr 2005
It would be nice to have a date column as in BlackListLog
-- MichaelDaum - 04 Apr 2005
OK, done.
-- PeterThoeny - 04 Apr 2005
It occurs to me that most spams occur during registration in the comment field. I will therefore remove that comment field - I'd prefer people edit their topic properly anyway - in the next couple of days if there are no objections.
- I checked the logs, most spammers did not edit the home page after registrations, e.g. spam was added in comment field. I just HTML-commented-out the comment box on TWiki.org. We need to keep the comment box in the registration page of the TWiki distribution because of the TWikiMission. -- PeterThoeny - 06 Apr 2005
- In what way is the comment box during registration key to TWikiMission? -- MartinCleaver - 07 Apr 2005
- Removing the comment box is a measure to fight spam, which is not an issue behind corporate firewalls. The comment box is useful to send a message to the administrator ("I need access to Newtron.SecretStuff"), or for an admin to inform a user of registration ("The admin team registered you so that folks can find you on the Intranet"). -- PeterThoeny - 08 Apr 2005
-- MartinCleaver - 05 Apr 2005
... and deny registrations with certain patterns. E.g. email address matches @126.com.
- I do not see much value in this since there is no good pattern and too much maintenance overhead. -- PeterThoeny - 07 Apr 2005
-- MichaelDaum - 05 Apr 2005
Actually, there is a PluginHook called back during registration: this has the means to edit/delete the data being input. This opens the possibility for a plugin to check for objectionable content and possibly - I'd need to check - even delete the registration if such an event occurred.
-- MartinCleaver - 05 Apr 2005
Maybe someone could write a BayesianRegistrationFilterPlugin?
-- SamHasler - 06 Apr 2005
A new type of hidden spam happened for the second time, both times added to a TWiki page on TWiki.org:
<div style="overflow:auto; height: 1px;"> (url here) </div>
-- PeterThoeny - 12 Aug 2005
I will be writing a plugin that uses the soon to be shared Anti-WikiSpam regex list in the OnSave (a group of us discussed it at WikiMania2005), unless someone else wants to do it (see http://www.usemod.com/cgi-bin/mb.pl?SharedAntiSpam for details).
-- SvenDowideit - 12 Aug 2005
I just met EugeneKim, he gave me an update on WikiMania2005. Sven, why not extend the BlackListPlugin? This seems to be the most logical place; this Plugin is installed on many public TWikis.
-- PeterThoeny - 30 Aug 2005
It doesn't seem logical to me - that and I prefer to have separate functions in separate modules. BlackListPlugin does IP Blacklisting, AntiSpamPlugin uses the shared AntiSpamlist.
-- SvenDowideit - 31 Aug 2005
I see this as different methods fighting the same problem, hence better to manage the code in one place (also for Plugin performance reasons). Fighting spam is applicable to public TWiki sites, but does not apply to the typical deployment behind firewall.
-- PeterThoeny - 09 Sep 2005
Is there an easy way to update a list with addresses that are collected here?
Or a way to get blacklist 'subscriptions'?
-- ArthurClemens - 06 Oct 2005
That will be discussed at WikiSym in two weeks, see http://www.wikisym.org/ws2005/program.html#WS1
In the meantime you could RSS subscribe just to this topic: https://twiki.org/cgi-bin/view/Codev/WebRss?search=Wiki+Spammers+on+Public+TWiki+Sites
-- PeterThoeny - 06 Oct 2005
Arthur, have a look at my BlackListPlugin_pm.diff from 05 Apr 2005 posted to BlackListPluginDev. This allows to add/remove multiple IPs at once, like copy-paste the banlist from BlackListPlugin into the add-form.
Peter, any chance to merge that in? Any chance to get this important plugin ready for TWiki/Dakar?
-- MichaelDaum - 09 Oct 2005
We just had a new type of WikiSpam attack on TWiki.org. A user registered as MusaDic and saved over 40 topics with links to coolhost.biz enclosed in hidden div (<div id="wikitikitavi" style="overflow:auto; height: 1px; ">). I detected it and removed the account and spam. The user shortly after created another PetaGum account and spammed 25 topics. This guy is using a new twist: Use a new IP address for each save (almost). That is, the current BlackListPlugin cannot protect against this attack. It looks like they are using zombies for these attacks. Spammers are getting more sophisticated. Here are the IP addresses used, with number of occurrences:
egrep '(MusaDic|PetaGum)' log200510.txt | grep save | \
sed 's/.*| \([0-9]\)/\1/; s/ .*//' | sort | uniq -c
We need to make BlackListPlugin aware of website regexes.
-- PeterThoeny - 22 Oct 2005
I've suffered the same type of attack on twiki.softwarelivre.org, from this *Dic/*Gum spam guy in the last couple of days. Here's the list of IP addresses the attack came from:
egrep 'ZuzaKum|ZuzaGum|ZuzaDic' log200510.txt | grep save | cut -d '|' -f 7 | sort | uniq -c
-- AntonioTerceiro - 24 Oct 2005
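An added example (not code from this thread or from BlackListPlugin): the grep/sort/uniq pipelines above count saves per IP address for account names already known to be spam. The sketch below turns that around and flags any account whose saves arrive from many distinct addresses. It assumes the pipe-delimited log layout shown on this page, with the IP address in the seventh field; the function names, thresholds and sample lines are constructed.

```python
from collections import defaultdict

def parse_line(line):
    """Split one pipe-delimited TWiki log line into named fields, or return None."""
    parts = [p.strip() for p in line.strip().split("|")]
    # parts[0] is the empty text before the leading '|'; the IP is field 7 for cut(1)
    if len(parts) < 7 or parts[0] != "":
        return None
    return {"date": parts[1], "user": parts[2], "action": parts[3],
            "topic": parts[4], "extra": parts[5], "ip": parts[6]}

def rotating_ip_accounts(lines, min_saves=5, min_ratio=0.6):
    """Return {user: (saves, distinct_ips)} for accounts that rotate addresses.

    An account is flagged when it has at least min_saves saves and the share of
    distinct source addresses among them is at least min_ratio (assumed values).
    """
    saves = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "save":
            saves[rec["user"]].append(rec["ip"])
    flagged = {}
    for user, ips in saves.items():
        distinct = len(set(ips))
        if len(ips) >= min_saves and distinct / len(ips) >= min_ratio:
            flagged[user] = (len(ips), distinct)
    return flagged

# Constructed sample log (documentation-range addresses, invented account names).
SAMPLE_LOG = """\
| 22 Oct 2005 - 10:01 | Main.ExampleSpamOne | save | Sandbox.TopicA |  | 192.0.2.10 |
| 22 Oct 2005 - 10:01 | Main.ExampleSpamOne | save | Sandbox.TopicB |  | 198.51.100.7 |
| 22 Oct 2005 - 10:02 | Main.ExampleSpamOne | save | Sandbox.TopicC |  | 203.0.113.5 |
| 22 Oct 2005 - 10:02 | Main.ExampleSpamOne | save | Sandbox.TopicD |  | 192.0.2.77 |
| 22 Oct 2005 - 10:03 | Main.ExampleSpamOne | save | Sandbox.TopicE |  | 203.0.113.5 |
| 22 Oct 2005 - 10:03 | Main.ExampleSpamOne | save | Sandbox.TopicF |  | 198.51.100.200 |
| 22 Oct 2005 - 10:04 | Main.ExampleSpamOne | view | Sandbox.TopicF |  | 198.51.100.201 |
| 22 Oct 2005 - 11:00 | Main.RegularEditor | save | Codev.TopicA |  | 192.0.2.1 |
| 22 Oct 2005 - 11:05 | Main.RegularEditor | save | Codev.TopicA |  | 192.0.2.1 |
| 22 Oct 2005 - 11:09 | Main.RegularEditor | save | Codev.TopicB |  | 192.0.2.1 |
| 22 Oct 2005 - 11:30 | Main.RegularEditor | save | Codev.TopicB |  | 192.0.2.1 |
| 22 Oct 2005 - 11:42 | Main.RegularEditor | save | Codev.TopicC |  | 192.0.2.1 |
| 22 Oct 2005 - 12:00 | Main.TravellingEditor | save | Codev.TopicD |  | 192.0.2.50 |
| 22 Oct 2005 - 18:00 | Main.TravellingEditor | save | Codev.TopicD |  | 198.51.100.60 |
""".splitlines()

if __name__ == "__main__":
    for user, (n_saves, n_ips) in rotating_ip_accounts(SAMPLE_LOG).items():
        print(f"{user}: {n_saves} saves from {n_ips} distinct addresses")
```

The check keys on the account rather than the address, so it still works when almost every save comes from a different host.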
Sounds like you should install the AntiWikiSpam plugin I've written for Dakar (see http://develop.twiki.org/~develop/cgi-bin/view/TWiki/AntiWikiSpamPlugin ) - the shared anti-spam list ( http://arch.thinkmo.de/cgi-bin/spam-merge ) contains the offending url, and would thus have prevented the topic from saving. Note that the plugin uses the new RestCgiScript, and is coded for Dakar.
-- SvenDowideit - 25 Oct 2005
Sven, I was not aware of your Plugin, it is not posted in the Plugins web. Consequently, we have been working on the same functionality at the same time. I finished the BlackListPlugin enhancements I was working on, it handles now wiki-spam filtering based on an external and internal wiki-spam regex list.
The Plugin is installed on TWiki.org, it should now be protected against above type of attacks.
-- PeterThoeny - 30 Oct 2005
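An added example (not the code of BlackListPlugin or AntiWikiSpamPlugin): a save-time content check that combines the two ideas discussed in this thread, a regex list of spam sites and the hidden-div trick with `overflow:auto; height: 1px`. The regex entries, the hiding heuristics and the sample topic texts are constructed assumptions; the second check also catches links to sites that are not on any list yet.

```python
import re
from html.parser import HTMLParser

# Inline styles that make an element's content effectively invisible (assumed heuristics).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:height|width|font-size)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
URL = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}

class HiddenLinkFinder(HTMLParser):
    """Collect URLs that appear inside an element styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hides_content) for each open element
        self.hidden_urls = []

    def _in_hidden(self):
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING_STYLE.search(attrs.get("style") or ""))
        if (hidden or self._in_hidden()) and tag == "a" and attrs.get("href"):
            self.hidden_urls.append(attrs["href"])
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close the nearest matching open element; tolerate unbalanced markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self._in_hidden():
            self.hidden_urls.extend(URL.findall(data))

def check_topic(text, spam_regexes):
    """Return the reasons to reject a save; an empty list means accept."""
    reasons = ["spam list match: " + pat
               for pat in spam_regexes if re.search(pat, text, re.I)]
    finder = HiddenLinkFinder()
    finder.feed(text)
    finder.close()
    reasons += ["link in hidden element: " + url for url in finder.hidden_urls]
    return reasons

# Constructed inputs: a one-entry spam regex list and three topic texts.
SPAM_REGEXES = [r"spam\.example"]
LISTED = ('---++ Notes\nSome text.\n<div id="x1" style="overflow:auto; '
          'height: 1px; "> http://spam.example/offer </div>\n')
UNLISTED = ('<span style="display:none"><a href="http://unlisted.example/x">'
            'deal</a></span>')
CLEAN = '<div style="height: 10px; line-height: 1;">See http://twiki.example/docs</div>'

if __name__ == "__main__":
    for name, text in (("listed", LISTED), ("unlisted", UNLISTED), ("clean", CLEAN)):
        print(name, check_topic(text, SPAM_REGEXES))
```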
New BlackListPlugin version 30 Oct 2005 posted, adds DakarRelease compatibility.
-- PeterThoeny - 30 Oct 2005
The new BlackListPlugin proved itself useful. We currently have a WikiSpam attack using different IP addresses. Each registration fails with a descriptive error message. The failed registrations continue, it looks like the attack is automated. Extract from log file:
grep SPAMLIST log200511.txt
| 01 Nov 2005 - 10:20 | Main.PeterThoeny | blacklist | TWiki.BlackListPlugin | SPAMLIST add: lines-and-dots\.org, gregorian-c\.com, by user | 71.141.108.26 |
| 01 Nov 2005 - 10:21 | Main.IsaiahPair | blacklist | Main.WebHome | SPAMLIST add: 220.65.209.106, spam 'lines-and-dots.org' | 220.65.209.106 |
| 01 Nov 2005 - 10:48 | Main.DamionCanney | blacklist | Main.WebHome | SPAMLIST add: 83.146.17.60, spam 'lines-and-dots.org' | 83.146.17.60 |
| 01 Nov 2005 - 10:51 | Main.JordanRochin | blacklist | Main.WebHome | SPAMLIST add: 202.54.51.5, spam 'lines-and-dots.org' | 202.54.51.5 |
| 01 Nov 2005 - 10:51 | Main.TyronePermenter | blacklist | Main.WebHome | SPAMLIST add: 24.166.233.179, spam 'lines-and-dots.org' | 24.166.233.179 |
| 01 Nov 2005 - 10:52 | Main.ChaimPrins | blacklist | Main.WebHome | SPAMLIST add: 202.56.253.183, spam 'lines-and-dots.org' | 202.56.253.183 |
| 01 Nov 2005 - 10:52 | Main.QuintinHilbert | blacklist | Main.WebHome | SPAMLIST add: 203.172.179.61, spam 'lines-and-dots.org' | 203.172.179.61 |
| 01 Nov 2005 - 10:56 | Main.LazaroRonca | blacklist | Main.WebHome | SPAMLIST add: 200.216.61.154, spam 'lines-and-dots.org' | 200.216.61.154 |
| 01 Nov 2005 - 11:02 | Main.GregKirk | blacklist | Main.WebHome | SPAMLIST add: 200.245.65.25, spam 'lines-and-dots.org' | 200.245.65.25 |
| 01 Nov 2005 - 11:10 | Main.TristenChapin | blacklist | Main.WebHome | SPAMLIST add: 193.225.206.221, spam 'lines-and-dots.org' | 193.225.206.221 |
| 01 Nov 2005 - 11:11 | Main.QuincyBushee | blacklist | Main.WebHome | SPAMLIST add: 195.113.86.130, spam 'lines-and-dots.org' | 195.113.86.130 |
| 01 Nov 2005 - 11:13 | Main.DustyChamp | blacklist | Main.WebHome | SPAMLIST add: 211.11.207.66, spam 'lines-and-dots.org' | 211.11.207.66 |
| 01 Nov 2005 - 11:23 | Main.DamienFennel | blacklist | Main.WebHome | SPAMLIST add: 209.91.207.161, spam 'lines-and-dots.org' | 209.91.207.161 |
| 01 Nov 2005 - 11:24 | Main.DylanOxner | blacklist | Main.WebHome | SPAMLIST add: 62.2.219.18, spam 'lines-and-dots.org' | 62.2.219.18 |
| 01 Nov 2005 - 11:25 | Main.CraigDespain | blacklist | Main.WebHome | SPAMLIST add: 195.175.37.38, spam 'lines-and-dots.org' | 195.175.37.38 |
| 01 Nov 2005 - 11:26 | Main.JohnDrost | blacklist | Main.WebHome | SPAMLIST add: 207.19.167.21, spam 'lines-and-dots.org' | 207.19.167.21 |
| 01 Nov 2005 - 11:27 | Main.KristoferHou | blacklist | Main.WebHome | SPAMLIST add: 193.251.169.170, spam 'lines-and-dots.org' | 193.251.169.170 |
| 01 Nov 2005 - 11:28 | Main.GradyShaheen | blacklist | Main.WebHome | SPAMLIST add: 61.233.144.118, spam 'lines-and-dots.org' | 61.233.144.118 |
| 01 Nov 2005 - 11:28 | Main.MatteoFain | blacklist | Main.WebHome | SPAMLIST add: 200.201.178.58, spam 'lines-and-dots.org' | 200.201.178.58 |
lines-and-dots.org looks like a benign website, but it has an invisible link to a benign looking algebra-glossary.org.ru site, which in turn has hidden links to porn sites.
-- PeterThoeny - 01 Nov 2005
Scripted attempts to create user accounts are now blocked with the latest BlackListPlugin. A magic number is passed to the registration form in a hidden form field. Registration fails if the magic number is missing, incorrect or expired. Here is the TWiki.org log of the last two days since the upgrade of the Plugin:
% grep REGEXPIRE log200511.txt
| 05 Nov 2005 - 01:40 | Main.TestTestE | blacklist | Main.TWikiRegistration | REGEXPIRE: Magic 56629 is missing, bad or expired | 71.141.108.26 |
| 05 Nov 2005 - 22:10 | Main.LondonBarden | blacklist | Main.WebHome | REGEXPIRE: Magic is missing, bad or expired | 194.117.134.196 |
| 05 Nov 2005 - 22:14 | Main.KwameSlattery | blacklist | Main.WebHome | REGEXPIRE: Magic is missing, bad or expired | 212.175.113.52 |
| 05 Nov 2005 - 22:17 | Main.JanEvanson | blacklist | Main.WebHome | REGEXPIRE: Magic is missing, bad or expired | 213.46.224.101 |
| 05 Nov 2005 - 22:36 | Main.ErvinBerkowitz | blacklist | Main.WebHome | REGEXPIRE: Magic is missing, bad or expired | 194.117.134.196 |
| 06 Nov 2005 - 10:41 | Main.TWikiGuest | blacklist | Main.TWikiLdapRegistration | REGEXPIRE: Magic is missing, bad or expired | 63.96.179.50 |
| 06 Nov 2005 - 22:10 | Main.SyedFragoso | blacklist | Main.WebHome | REGEXPIRE: Magic is missing, bad or expired | 194.117.134.72 |
| 06 Nov 2005 - 22:15 | Main.CedricWollenberg | blacklist | Main.WebHome | REGEXPIRE: Magic is missing, bad or expired | 203.58.20.180 |
| 06 Nov 2005 - 22:17 | Main.AbdulWalden | blacklist | Main.WebHome | REGEXPIRE: Magic is missing, bad or expired | 218.57.243.36 |
I advise all public sites to upgrade to the latest BlackListPlugin version since there is a lot of spam activity on public TWiki sites lately.
-- PeterThoeny - 07 Nov 2005
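An added example (not BlackListPlugin's implementation, which this page does not describe): one way to build the hidden-field check so that a registration is refused when the magic number is missing, incorrect or expired, and so that a number cannot be replayed. The class name, the lifetime and the single-use rule are assumptions of this sketch.

```python
import secrets
import time

class RegistrationMagic:
    """Issue short-lived, single-use numbers for a hidden registration form field."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.issued = {}            # magic number (str) -> expiry timestamp

    def _purge(self):
        # Drop expired numbers so bots fetching the form cannot grow the table forever.
        now = self.clock()
        self.issued = {m: t for m, t in self.issued.items() if t >= now}

    def issue(self):
        """Create the value to embed in the form when it is rendered."""
        self._purge()
        magic = str(secrets.randbelow(10**12))   # unpredictable, unlike a counter
        self.issued[magic] = self.clock() + self.ttl
        return magic

    def check(self, submitted):
        """Validate the value posted back; returns (accepted, reason)."""
        if not submitted:
            return False, "missing"
        # pop() makes the number single-use: a replayed value is no longer known.
        expiry = self.issued.pop(submitted, None)
        if expiry is None:
            return False, "bad"
        if self.clock() > expiry:
            return False, "expired"
        return True, "ok"

if __name__ == "__main__":
    magic_store = RegistrationMagic(ttl_seconds=600)
    value = magic_store.issue()
    print(magic_store.check(value))      # first submission of a fresh number
    print(magic_store.check(value))      # same number replayed by a script
    print(magic_store.check(None))       # form posted without the hidden field
```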
We are mostly free from WikiSpam on twiki.org thanks to the latest BlackListPlugin feature. The log shows daily attempts to spam twiki.org.
Shockingly there are many twiki sites with spam (see example Google:phen%74ermine+twiki ). Those sites are preferred targets for spammers, so it is key to clean spam on your site as quickly as possible.
-- PeterThoeny - 18 Dec 2005
A small testimonial: Upgrading twiki.softwarelivre.org to DakarRelease frustrated all the (still periodic) robot-driven mass registrations.
-- AntonioTerceiro - 18 Dec 2005
I verify a WikiSpam on twiki.im.ufba.br. Look:
twiki# egrep 'DzyWeb' log200512.txt | grep save | cut -d '|' -f 7 | sort | uniq -c
73 218.80.10.226
I will upgrade for DakarRelease as AntonioTerceiro indicated.
-- AmadeuJunior - 02 Jan 2006
FYI, you do not need to upgrade to Dakar to fight spam, the latest BlackListPlugin works on Cairo codebase and Dakar codebase.
-- PeterThoeny - 02 Jan 2006
Spam update on TWiki.org: Looking at BlackListLog, we did not have one spam since upgrading to the latest BlackListPlugin last November, just two cases of vandalism. In the logs I see daily attempts to spam TWiki.org. For example, there is one bot that is trying to register new users several times a day, always using the same magic number 27830.
-- PeterThoeny - 23 Jan 2006