Weird Wiki Spam



  • I just started a site running MediaWiki and quickly added captcha to deal with bots that automatically post links. But I still get some really bizarre spam on random pages:

    I love house music. And you?

    Hi all. Your site www.vbulletinprogramming.com is very suitable. I think I've found my constant comunication place :) Sorry if wrong branch

    A search for either of these reveals a lot of hits on various wikis and forums. Any idea why someone would want to do this?



  • Dunno about the first one.  The second one is presumably an attempt to inflate PageRank.

     



  • No, I forgot to mention that vbulletinprogramming.com is my site. If you search for "constant comunication place" you'll see it substitutes whatever domain it's posting on. There have been plenty of attempts to post links and keywords, and even one anti-war bot, but those sort of make sense at least.



  • So, isn't your solution to scan for short responses, especially ones that contain the name of your site, and ask the poster to answer an extra question? No spam-bot will expect a second question, plus you can make it depend on the contents of the message. So instead of asking for another captcha, you could ask "Please repeat the last two words of your message". Anyone can do that with copypasta, but a spambot will be caught off-guard.



  • @TGV said:

    So, isn't your solution to scan for short responses, especially ones that contain the name of your site, and ask the poster to answer an extra question? No spam-bot will expect a second question, plus you can make it depend on the contents of the message. So instead of asking for another captcha, you could ask "Please repeat the last two words of your message". Anyone can do that with copypasta, but a spambot will be caught off-guard.

    Brillant!

    As mentioned in a thread a month or so ago, a bot coder would have to code specifically for your site.  That's too much work for not much reward (1 site).  If that were implemented in the MediaWiki so everyone had it, though....



  • This is the style of spambot that looks for every submittable form and just types its message into it without regard for what the form is actually for.  I used to get the same thing a lot on my blog.

    In my case, I was able to cut it down to exactly nothing by base64 encoding the comment form and having a short javascript that does the base64 decode.  If you have Javascript enabled, you see the comment form; if not, you see a short message telling you to enable Javascript.  I have had literally zero spam messages posted since then (about a year and a half ago).



  • I found I got a lot of weird posts on my wiki at first, so I subscribed to the RSS feed for recent changes. Now I can easily see if somebody other than me updates it. Of course, this only works well for personal or low-traffic wikis.

    @rox_midge said:

    This is the style of spambot that looks for every submittable form and just types its message into it without regard for what the form is actually for.  I used to get the same thing a lot on my blog.

    In my case, I was able to cut it down to exactly nothing by base64 encoding the comment form and having a short javascript that does the base64 decode.  If you have Javascript enabled, you see the comment form; if not, you see a short message telling you to enable Javascript.  I have had literally zero spam messages posted since then (about a year and a half ago).

    Not to mention pissing off people like me that browse with JS disabled.



  • Hi all. Your site www.vbulletinprogramming.com is very suitable. I think I've found my constant comunication place :) Sorry if wrong branch

    Most likely a generic spam message posted by bots that automatically trawl the web for forms and submit them with spam (as mentioned earlier). The place where the above kind of comment makes the most sense is in blog comments, where the message body is some kind of generic "nice site|blog" message, and the "Website URL" field (typically username as a hyperlink) contains the page that wants its PageRank boosted.

     

    I love house music.
    And you?

    That's probably a test message that the bot posts to see if it's able to succesfully spam stuff (without links in it) via that form.

     

    @rbowes said:

    Now I can easily see if somebody other than me updates it

     Assuming this is mediawiki, you can just disable anon edits and restrict account creation.



  •  Heh, never realized just how big bots were on the internet...



  • @rox_midge said:

    This is the style of spambot that looks for every submittable form and just types its message into it without regard for what the form is actually for.  I used to get the same thing a lot on my blog.

    In my case, I was able to cut it down to exactly nothing by base64 encoding the comment form and having a short javascript that does the base64 decode.  If you have Javascript enabled, you see the comment form; if not, you see a short message telling you to enable Javascript.  I have had literally zero spam messages posted since then (about a year and a half ago).

    I wouldn't bother to enable javascript. Obtrusive methods like that are a red flag in my book.


  • Usually having a trap form object like

    <input type="text" name="email" style="visibility: hidden">
    <!-- or -->
    <input type="text" name="email" class="invisible">
    

    with a

    if (isset($_GET['email'])) {
            die($posted_successfully_message);
    }
    

    Kills the bots' messages just fine.



  • I'm sure there are plenty of things I could do to stop it, but I left it alone for now since it's harmless and I was curious about it.



  • I got similar messages on two Wikis I run. I left the Wiki unattended for 2 weeks with no CAPTCHA (bad idea) and came back to see that bots had destroyed most of it (every page had been overwritten by spam). I implemented ReCAPTCHA (they've got a MediaWiki plugin) which seems to have stopped most of the linkspam, but I still get some weird ones (including the "great site!" messages and random 9-letter words



  • @Daniel15 said:

    I still get some weird ones (including the "great site!" messages and random 9-letter words
    They're giving out free passwords!



  • @Lingerance said:

    @Daniel15 said:
    I still get some weird ones (including the "great site!" messages and random 9-letter words
    They're giving out free passwords!
    Sounds to me like a bot trying to CRACK passwords, but getting the form fields completely wrong.

    I'm slightly worried the trick email field idea might cause problems if people have google or whatever 'autofilling' their forms.If it fills said trick field, then the user gets a bizarre failure that they have no idea how to fix. Otherwise, it seems good.

    But seriously, for MediaWiki (and anything really), unless you actually want it allowed, just disable anonymous editing, and require users to confirm their email (there's an extension for it). If you think your users will be concerned about privacy, make it delete the email address as soon as the user has confirmed.

    A time delay on new accounts being allowed to edit helps thwart spammers too, though may inconvenience legitimate users.



  • @m0ffx said:

    A time delay on new accounts being allowed to edit helps thwart spammers too, though may inconvenience legitimate users.
    From my experience having a public facing phpBB board, which got spammed heavily until I used the aforementioned trick (except with the website field), the bots generally wait a short while before posting. Also only 12 out of the 139 that signed up actually posted, only 30ish were even activated (I required email activation). If you're worried about an auto-filling program then use garbage name fields, of course this ends up disabling their program but better that then a swarm of bots.



  • I ran a site for a while that used phpBB, and I used the following to get around the problem:

    1. Only allow registered users to post (guest accounts read-only)
    2. Require e-mail activation
    3. Change the element IDs on the registration pages - this really only had to be one field, such as user-name - if the bot scripted out the submission form using the standard phpBB fields, that field wouldn't be supplied in the POST and the registration request would therefore fail.


  • Well I figured on of the bots out, at least. This guy:

    Good day! 

    new to the forums. just thought i would introduce myself!

    My name is Leyro

    apparently like to post polls on forums advertising his marijuana selling site, but he uses the wiki syntax so I have no idea why he doesn't mention the site on the wiki. The bots also seem to like [url=http://www.vbulletinprogramming.com/wiki/articles/Talk:vB_Datastore_APC]this page[/url] which is pretty random.



  • @aythun said:

    I wouldn't bother to enable javascript. Obtrusive methods like that are a red flag in my book.

    That's ok.  I'm probably not really interested in what you had to say anyway.  See?  It's the best of both worlds: I block spambots *and* self-important blowhards!



  • @rox_midge said:

    @aythun said:

    I wouldn't bother to enable javascript. Obtrusive methods like that are a red flag in my book.

    That's ok.  I'm probably not really interested in what you had to say anyway.  See?  It's the best of both worlds: I block spambots *and* self-important blowhards!

     

    I nominate this post for winner of the thread. 


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.