Codev WebTags:
WikiSpam
 NOTE: | All administrators of public TWiki sites are encouraged to upgrade to the latest BlackListPlugin, version 29 Mar 2007 (r13238). It prevents known wiki-spam from getting saved in TWiki topics and uploaded as HTML attachments, makes scripted registrations harder, and protects the site from excessive use by an IP address. It also protects TWikis from topics text and attachments with evil script eval() and escape(). |
|---|---|
| NOTE: | TWiki administrators are encouraged to subscribe to the TWikiAnnounceMailingList to get alerted of security issues, new TWiki releases and important spam related announcements. |
| NOTE: | A new type of spam has emerged: HTML attachement spam. This spam is nasty because it might identify TWiki sites as spam sites. |
- Rule 1: Enable spam protection
- Rule 2: Remove spam as quickly as possible when it happens. Reason: Spammers identify easy targets by searching sites for known spam keywords. It pays off to spam sites where spam survives long enough for search engines to spider the content.
- Multiple registrations by the same IP address in rapid succession
- Multiple page saves by the same IP address in rapid succession
- Saving text with known wiki-spam (spam list is maintained and shared by TWiki, MoinMoin and Mediawiki sites)
- Attaching files with known wiki-spam
- Attaching files with JavaScript eval statements
- Manually maintained BLACKLIST of malicious IP addresses
- Automatically updated BANLIST of IP addresses with suspicious activities
- Registration form with magic number in hidden form field to make scripted registrations harder
- Add a rel="nofollow" parameter to external URLs to defeat the purpose of spamming TWiki sites
- WikiSpammersOnTWikiSites - TWiki specific wikispam information
- Wikipedia:Link_spam - link spam info on Wikipedia
- Wikipedia:Wikipedia:Spam - guidelines on how to address wiki spam on Wikipedia
- http://chongqed.org/fightback.html - chongqed.org, fighting wiki spam
- MoinMoin:AntiSpamGlobalSolution - anti-spam solutions on MoinMoin
- Wiki:WikiSpam - wiki spam info on Ward's original wiki
- http://www.usemod.com/cgi-bin/mb.pl?WikiSpam - wiki spam info on MeatBall? wiki
- http://www.communitywiki.org/cw?WikiSpam - wiki spam info on CommunityWiki wiki
- http://openwiki.com/ow.asp?WikiSpam - wiki spam info on OpenWiki
- http://wiki.s23.org/wiki.pl?WikiSpam - wiki spam info on s23
- http://arch.thinkmo.de/cgi-bin/spam-merge - the merged spam list
- http://spamhuntress.com/ - blog by Ann Elisabeth covering web spam
Discussions
At TWiki.org we have once in a while an issue with people deleting or altering content by purpose or because they do not understand how Wiki works. This happens mainly in the Main web, and sometimes in the TWiki web. It is a minor annoyance that can be fixed quickly. Yesterday we had the first case of Wiki:WikiSpam where HasitRuparel with IP address 219.65.75.99 was spamming over a dozen user home pages by adding these URLs: (edit page to see the URL) The log suggests that this person edited the pages manually:| 10 Feb 2004 - 03:20 | Main.HasitRuparel | save | Main.HasitRuparel | repRev 1.1 Main.HasitRuparel 2004/02/10 10:52:00 | 219.65.75.99 | | 10 Feb 2004 - 03:27 | Main.HasitRuparel | save | Main.AndreaMarchetti | | 219.65.75.99 | | 10 Feb 2004 - 03:28 | Main.HasitRuparel | save | Main.AndreasKapp | | 219.65.75.99 | | 10 Feb 2004 - 03:30 | Main.HasitRuparel | save | Main.BillLeeney | | 219.65.75.99 | | 10 Feb 2004 - 03:31 | Main.HasitRuparel | save | Main.BillKelly | | 219.65.75.99 | | 10 Feb 2004 - 03:32 | Main.HasitRuparel | save | Main.AldenWilner | | 219.65.75.99 | | 10 Feb 2004 - 03:32 | Main.HasitRuparel | save | Main.BenjaminDrieu | | 219.65.75.99 | | 10 Feb 2004 - 03:33 | Main.HasitRuparel | save | Main.AllenBierbaum | | 219.65.75.99 | | 10 Feb 2004 - 03:33 | Main.HasitRuparel | save | Main.BalthasarSieber | | 219.65.75.99 | | 10 Feb 2004 - 03:34 | Main.HasitRuparel | save | Main.AndreaSterbini | | 219.65.75.99 | | 10 Feb 2004 - 03:58 | Main.HasitRuparel | save | Main.ChristopheVermeulen | | 219.65.75.99 | | 10 Feb 2004 - 03:58 | Main.HasitRuparel | save | Main.BrillPappin | | 219.65.75.99 | | 10 Feb 2004 - 03:59 | Main.HasitRuparel | save | Main.ChristopheVermeulen | repRev 1.4 Main.HasitRuparel 2004/02/10 11:59:00 | 219.65.75.99 | | 10 Feb 2004 - 03:59 | Main.HasitRuparel | save | Main.BjornStadil | | 219.65.75.99 | | 10 Feb 2004 - 03:59 | Main.HasitRuparel | save | Main.BrillPappin | repRev 1.2 Main.HasitRuparel 2004/02/10 11:59:00 | 219.65.75.99 | | 10 Feb 2004 - 04:00 | Main.HasitRuparel | save | Main.ChrisMcLennan | | 219.65.75.99 | | 10 Feb 2004 - 04:05 | Main.HasitRuparel | save | Main.CarrieCoy | | 219.65.75.99 | | 10 Feb 2004 - 04:10 | Main.HasitRuparel | save | Main.DacreWroe | | 219.65.75.99 |Now, a spammer could raise the Google ranking of his web site by spamming Wiki pages in an automated way, which is a scary thing for public Wikis. Here is an interest related post on the WikiForum? by Arno Hollosi:
John Abbe wrote: > Well, the NCDD wiki was found, and spammed by a robot before we evenIs it time to write a WikiSpamPlugin? ? -- PeterThoeny - 12 Feb 2004 Looks like the 'apocalypse' mentioned in SpamProofingOfComments (first comment) has finally arrived
> have gone public. I'm trying to nudge the team off a sudden interest
> in HardSecurity? . At the same time, on Wiki:ReverseLinkDisabled
> there's mention of turning away IPs with a high request rate.
> Can anyone offer good starting settings for such a protection - how
> many requests in how short a time to trigger it?
On Sensei's Library (http://senseis.xmp.net/) which is one of the largest non-Wikipedia wikis I have a 3-step meassure:
- limit requests/minute: anything beyond 30 requests within 60 seconds and the IP address is disabled for 5 minutes. If after that the maximum gets exceeded again within an hour then the IP address is disabled for 24 hours.
- shield resource intensive requests (or edit links etc.) by checking for a HTTP referer header that originates from your site. Effective as well. Some browsers (privacy proxys, ...) supress the referer header. Those people have to set a (preference) cookie in order to access those functions.
In my experience of running this high traffic site, the trap link in combination with the referer header is most effective. The requests/minute is only there so that people don't mirror the wiki with wget or some other tool. See also: http://senseis.xmp.net/?AccessBlocked
- one of the most effective meassures is adding a "trap link". I.e. if the link is followed the IP address is immediatly added to the block list (at Sensei's for 48 hours). Mark this link as "Disallow" in your robots.txt file so compliant robots don't follow the link. At Sensei's look at source and search for "Blockme" to find the trap link - users are not able to active it, as it contains no link-text.
There are two quite different sorts of WikiSpam, I believe:
- SpamProofingOfComments - what just happened at TWiki.org, could be manual or automated. SlashDot style 'you can't edit another page for N minutes' tests could help here, particularly if people are creating unique userids and not using TWikiGuest. IP-based checking is useful for the TWikiGuest account. Another approach would be to use SpamAssassin to check the content of comments/edits to TWiki pages, which is probably the only defence against patient manual or automated comment spam (i.e. the user or robot does 1 comment every 20 minutes, say).
- Excessive page views by robots? (search engines or mirroring) - this is the target of the Sensei's Library feature mentioned above. It is a component in SpamProofingOfComments.