
BackToTheFutureII

The 'Back to the Future II' spammer

This is a weird one. Spammers often do weird things that we don't understand, but this one is the top of the weirdo crew.

On March 15, 2005, James Paige was kind enough to inform us about what he has found in his server logs. Since that time the spammer has discovered the chongqed.org wiki and has been hitting it at least once daily, up to 16 times on the first day (April 4). He hit the same page 27 times before we were able to block him. Even blocked, he has spammed that page 9 more times so far.

Here's a summary:

Examples

Recent Keywords

Some chongqed keywords from his attacks on chongqed.org: domain-hosting.kemerovo.ru ravens.vladimir.ru air-purifier.vladimir.su domain-hosting.ivanovo.su domain-hosting.cbg.ru ecommerce.vladimir.ru pennsylvania-lawyer.cbg.ru ravens domain hosting pennsylvania lawyer air purifier ecommerce diabetes supplies domain-registrations.belgorod.ru web-design.kemerovo.ru web-sites.bashkiria.ru web-pages.tula.su domain registrations web pages web design web sites

Discussion

1listing.org wikispammer and Back to the Future II Denial-of-Service?

I have been watching a really peculiar wikispammer attack my site (running MediaWiki software) for nearly two weeks now, and I am curious if anybody else is getting hit by the same spammer.

This spammer deletes the entire content of my wiki's main page, and replaces it with:

 random text containing spam-phrase <a href="http://spam-phrase.uni.cc"
 target=_blank>spam-phrase</a>. http://spam-phrase.uni.cc

or alternatively:

 random text linktrim  <a href="http://linktrim.com/spam-phrase"
 target=_blank>linktrim</a>, random text. http://linktrim.com/spam-phrase

The spam-phrase is always a porn keyword or a drug keyword, for example: "free-sex", or "levaquin-antibiotic", or "buy-clonidine", or any of many many others.

Since the original report the spammer has expanded to other domains and keywords (frequently web hosting related) but the spamming pattern remains the same. – Joe

All the links redirect to 1listing.org/spam-phrase which is one of those spammy fake search engines that shows nothing but pay-for-click links.

I contacted the administrator of the linktrim.com URL redirection service, and he deleted from his server all redirections to 1listing.org, and blacklisted the address from future creation. He also said that all of the registrations came from the IP address 217.170.94.142.

I was unable to contact the admins of uni.cc, which seems to be totally crashed right now.

Now, interestingly enough, none of the attacks have come from that address he mentioned. Each attack has come from a different IP address. Here are some examples:

 217.238.199.89
 195.174.3.180
 195.190.182.94
 69.193.24.120
 66.185.84.68
 24.42.108.124
 209.215.22.180
 24.200.119.102
 217.94.56.44
 82.102.33.172
 200.174.114.86
 65.169.13.202
 68.96.139.33
 69.164.240.190
 217.250.92.139
 68.254.136.158
 65.9.230.250

I am fairly certain that these IP addresses are zombies infected by some sort of virus or trojan proxy or something like that. Reverse lookups suggest that these are all IP addresses of home DSL/Cable/dialup lines.

Looking more closely at my server logs, I could see that these attacks happened very rapidly, suggesting the work of a script… and here is where it gets really strange.

Immediately after defacing the main page of the wiki, the same IP address then immediately makes several hundred wiki search requests in rapid succession, as if attempting a denial-of-service attack (fortunately my wiki is under-used and over-bandwidthed, so this hasn't harmed me). The text which it searches for is a person's name, for example:

Steven Wolff
John Rankin
Jerry Sargent
Stephen Homsy
Tony Piller
Max Kleven
David Robbie
Angela Greenblatt
Ric McElvin
Ed Verreaux
Lisa Freeman
Lee Orlikoff
Susan Rosen
Justin Mosley Spink
Lawrence A. Hubbs
Cara Giallanza
Dorothy Byrne
Martin A. Kline
Nancy Mickelberry
Joseph G. Pacelli
Erin M. Cummins

I puzzled for a while over who these people are, until I had the brainstorm of searching for the names at imdb.com. It turns out that every single one of those people was a cast or crew member in the movie "Back to the Future II".

Très bizarre, no? – James Paige

We started getting reports of spammers (or a spammer) using uni.cc and linktrim.com in the last week or two. We have discussed them some on WikiForum. The details you provided are interesting; if this really was the work of a script, it would be the first we have seen in a long time. Most spammers seem to be spreading their garbage manually. Several of the scripts or bots we have seen are not programmed very well and lead to accidental Denial of Service. The Back to the Future cast and crew just doesn't make sense, I guess he just wanted some random text. Could you tell us your wiki's address so we can study this further? If you don't want to post it here email me at joe@chongqed.org. – Joe - 2005-03-15 19:31 UTC

The wiki is at http://gilgamesh.dnsalias.org:8080/wiki/ohrrpgce/ (I believe I have mailed you about it before, when it first started). I have been blocking this attacker since March 7th, so you won't see any evidence of recent attacks on the "Recent Changes" page, but I am still logging attacks (three last night). I can also mail you my apache/access.log if you are sufficiently curious.

Wow! Thanks for reporting this, James. This is really very, very, very bizarre. I have noticed this kind of spam recently. I found it strange then, but with your description… Here is somebody who has the resources (time) to create a bot, create a listing of people involved in the making of Back to the Future II (which just isn't as good as the first part, btw.), to set up all those redirect sites, to command a small army of zombies, etc. And yet, he doesn't have any idea about wiki formatting rules?

My guess is that those search requests are intended to trigger some bug in some wiki engines. There is a bug (or maybe vulnerability would be the better term here), that will lock Oddmuse and Usemod wikis. I don't know if it can be triggered with search requests, though. But the locking will prevent further edits and therefore any spam cleaning activity, at least by people who don't know about that bug/vuln. It doesn't sound like a good explanation for this, but it's the only thing I can come up with.

What referrers and user agent strings do you see in your logs? – Manni - 2005-03-16 17:49

Is the Back to the Future spammer the same as the one using uni.cc and linktrim.com? I saw a lot of spam from that one, but couldn't find any old revisions that included Back to the Future crew. I tried Googling for similar spam, but it looks like Google hasn't yet indexed any other spam using the same names.

The large number of edits to the same pages definitely look like either a buggy script or, like Manni said, an attempt to break the wiki so the spam can't be reverted. I don't know that Wikimedia is vulnerable to that though. – Joe - 2005-03-17 01:57 UTC

I definitely think that we are talking about the same guy here, yes. Note that he is both making a large number of edits to the same page in tight intervals and he is probably issuing all those BackToTheFutureII search requests. – Manni - 2005-03-17 11:12

Oh, I was confusing the details James gave. I thought the spammer was spamming those names. Just searching for them makes even less sense. I guess that is a good sign he is trying to damage the wiki to prevent cleaning. – Joe - 2005-03-17 18:52 UTC

I don't think the large number of edits are an attempt to break the wiki (I have no clue what the search requests are about). I think he is trying to take advantage of the fact that on UseMod links on historical pages can improve PageRank since UseMod doesn't place a noindex robots meta tag on the old revisions of a page. In addition, since Google often only chooses to index a subset of the pages on a site, by inserting many edits he is increasing the number of Google-visible pages that contain his links and thus increasing the probability that Google will index a page containing his links. – RichardP - 2005-03-17 21:11 UTC

That's some pretty decent reasoning. But if he knows that UseMod doesn't protect kept pages from being indexed and if he knows about Google's indexing strategy, then why oh why isn't he using decent wiki formatting? (Of course the same can be said about my theory of him trying to lock the wiki). I just don't get it! – Manni - 2005-03-17 22:27

That only makes sense to do it to wikis where previous versions are indexed though. WikiMedia doesn't have that problem. And he is spamming redirect URLs, those aren't going to increase his PageRank anyway. It seems to me that this guy is just a total idiot. – Joe - 2005-03-17 21:50 UTC

Total idiots scare the hell out of me. Especially if they have that much power. But I don't see any facts that contradict your conclusion. – Manni - 2005-03-17 23:06

You're right, the lack of correct wiki formatting does suggest that my "UseMod kept pages spammer" theory is probably incorrect - if he knows UseMod well enough to take advantage of that weakness, he presumably would know it well enough to format his edits correctly. Now that I've thought about it a bit more, I think I have a better theory. Maybe this guy is a blog spammer, not a wiki spammer. He has written (or, more likely, somehow obtained) a tool designed for blog spamming. This tool is intended to search for what it thinks are blog articles with "add a comment" forms and then add a bunch of comment spam to the article. In this case presumably the idiotic tool thinks the UseMod edit form is a blog comment form. This would explain both the HTML formatting (most blog software uses HTML formatting, not wiki formatting) and the many edits to the same page (blogs append comments, not replace the content with the edit like a wiki). What do you think? – RichardP - 2005-03-17 23:09 UTC

I thought about this too. But that would mean that his bot is spamming UseMod and Media Wiki wikis accidentally. You wrote a very good bot, Richard. Don't tell me that you really believe that it could be used to post comment spam on blogs without any code changes. Of course, he might have a very good bot on his hands that can spam wikis of any kind, blogs of any kind and whatnot, he just doesn't know how to use it. Which brings us back to Joe's conclusion. – Manni - 2005-03-18 00:30

Maybe he isn't that stupid after all. Just stupid enough not to be able to figure out the wiki formatting. Anyways. I had my bot running on a GhostTown for several hours now when I noticed that he is suddenly using my bot's username: Cleaner. – Manni - 2005-03-18 00:58

Before you posted this last comment Manni, I was going to say that you are certainly correct that my bot couldn't be used to post spam to blogs without changes. However, a really stupid bot could do so. A bot that just looked for forms, filled out all the editable fields with a short HTML snippet, and clicked submit would work for both blogs and wikis and also explain why his wiki "comments" usually include the same style of HTML as the body of his edit. It would also explain why he might appear to be doing searches - since searching is usually implemented as a form, a really stupid spam bot might confuse the search form with a comment/edit form. However, now that you say he is adaptively modifying his spam bot to defeat your Cleaner bot, I am not sure that my "he's a blog spammer" theory holds water. – RichardP - 2005-03-18 00:09 UTC

A really stupid bot? Not a bad idea. I wonder whether his bot is working on the zombies or whether the zombies are just proxying his spam. If they are just proxies, he'd need a lot of bandwidth. But in that case he could be using a stupid bot. Not a Perl or Python script with low-level GET and POST requests, but some absurdity like a VB program that simply uses IE as a 'plugin'. I don't think he could do something like this on a zombie. Somebody would notice pretty soon. The bot would also have to be clever enough to find the edit link. Which would still leave him pretty stupid. To change the user name on a UseMod wiki, you have to get a cookie. This could be done manually, of course. The bot could simply reuse the cookie. So maybe you have a point there and your theory is quite watertight after all. – Manni - 2005-03-18 01:26

Changing his username to Cleaner seems to confirm he knows what a wiki is. And it seems unlikely he is using bots on zombie computers or it would be harder (though not impossible) to respond to your cleaning. Have we had any hits from that wiki's page explaining Cleaner? I wonder if the spammer is reading this stuff about his stupidity? – Joe - 2005-03-18 00:41 UTC

The searching doesn't seem like a bot just hunting for forms, for searching at least on James' wiki he was searching for Back to the Future crew. But his spam doesn't include them. – Joe - 2005-03-18 00:48 UTC

No matter what theory we will finally come up with, that Back to the Future stuff will never make any kind of sense, I'm afraid. I had a look at the logs. Nothing unusual, I guess. Somebody had a look at AntiSpamBot and had it translated to German. But that was more than 7 hours ago. – Manni - 2005-03-18 01:56

Mystery solved!

If I only had a brain! I would have done different Google searches much earlier. I was searching for instances of his spam on other wikis, when I should have been a little more open-minded. Our friend is a guestbook spammer! It's as simple as that. Here is an example snippet:

 Name      Bob Widin                Friday, March 18, 2005
 E-mail    bob@hotmail.com
 Location  Whichita
 Comment   The credit report find credit report! http:// credit-report.msk.ru/

Now we know what he is doing with those Back-to-the-Future-II names. And his formatting works just fine on most guestbooks, I guess.

Manni - 2005-03-18 16:09

Now that he is hitting the chongqed wiki it seems he has found a use for the Back to the Future names on wikis too. He logs in as one of the names. I guess they are a good source of real looking American names. He must be thinking that people might not look carefully at an edit by a real person rather than just an IP or pseudonym. – Joe - 2005-04-08 06:24 UTC

Parallels

What other spammer do we know about that has been known to run broken bots against wikis? Exactly. The Russian online-cigarette spammer who is also into cruises, pills of all kinds and flowers. When I noticed the Back to the Future spammer use the username 'Cleaner' on a wiki that I had my bot clean, I also noticed the cigarette spammer on that wiki and he, too, changed his username to 'Cleaner'.

Just now I noticed that both spammers were operating from the same host. So it's really just one spammer. Even better: AntiSpamDan has just caught spam from the cigarette spammer so I finally had the opportunity to see him on the logs.

Let's start with the basic facts. The UA string sent was "Mozilla/4.0 (compatible; MSIE 6.01; Widows NT)". We know that this is easily faked, though. Interestingly, he also sent a referrer: updated.com: search for carnivalcruise. Now, either updated.com is a very good or a very bad search engine; in any case, it is returning exactly one result for this search and that is the chongqed.org blacklist. 17 minutes after the hit on the blacklist, the bot comes back, immediately requesting to edit the SpamReport page. The bot did not request the wiki stylesheet.

So what kind of bot is this?

Manni - 2005-03-19 13:04
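Two observations in this thread are usable as detections on a wiki's access log: James' description of a single IP saving an edit and then firing several hundred search requests within minutes, and Manni's note above that the bot fetched wiki pages without ever requesting the stylesheet, which a real browser would do. The script below is an added example written for this page, not code from chongqed.org, James' wiki or any of the bots discussed; the Apache combined-log regex, the MediaWiki-style URL shapes (`action=submit`, `search=`), the thresholds, the 192.0.2.x / 198.51.100.x addresses and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log layout (assumed; not taken from any log quoted on the page).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_edit_submit(rec):
    # MediaWiki-style save of an edit form (assumed URL shape).
    return rec["method"] == "POST" and "action=submit" in rec["path"]


def is_search(rec):
    return rec["method"] == "GET" and "search=" in rec["path"]


def find_edit_search_bursts(records, min_searches=20, window=timedelta(minutes=5)):
    """Per IP: an edit save followed by >= min_searches search GETs inside `window`.
    Returns a list of (ip, time of the edit, number of searches that followed)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if not is_edit_submit(r):
                continue
            deadline = r["ts"] + window
            n = sum(1 for later in recs[i + 1:] if later["ts"] <= deadline and is_search(later))
            if n >= min_searches:
                hits.append((ip, r["ts"], n))
                break  # one alert per IP is enough
    return hits


def find_no_stylesheet_clients(records, min_page_views=3):
    """IPs that view several wiki pages but never fetch a .css file.
    A browser pulls the stylesheet; a script issuing bare GET/POST usually does not."""
    page_views = defaultdict(int)
    fetched_css = set()
    for r in records:
        if r["path"].endswith(".css"):
            fetched_css.add(r["ip"])
        elif r["method"] == "GET" and "/index.php" in r["path"]:
            page_views[r["ip"]] += 1
    return sorted(ip for ip, n in page_views.items() if n >= min_page_views and ip not in fetched_css)


# ---- constructed sample log: one bot-like client and one browser-like client ----
BASE = datetime(2005, 3, 7, 2, 14, 0, tzinfo=timezone.utc)
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.01; Widows NT)"   # UA string quoted on the page
HUMAN_UA = "Mozilla/5.0 (X11; Linux) Firefox/1.0"            # constructed
NAMES = ["Steven+Wolff", "John+Rankin", "Jerry+Sargent", "Tony+Piller", "Max+Kleven"]


def _line(ip, offset_s, method, path, ua, referer="-"):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "{referer}" "{ua}"'


SAMPLE_LOG = [
    _line("192.0.2.10", 0, "GET", "/wiki/index.php?title=Main_Page", BOT_UA),
    _line("192.0.2.10", 2, "GET", "/wiki/index.php?title=Main_Page&action=edit", BOT_UA),
    _line("192.0.2.10", 5, "POST", "/wiki/index.php?title=Main_Page&action=submit", BOT_UA),
] + [
    _line("192.0.2.10", 7 + i, "GET", f"/wiki/index.php?search={NAMES[i % len(NAMES)]}&go=Go", BOT_UA)
    for i in range(25)
] + [
    _line("198.51.100.7", 100, "GET", "/wiki/index.php?title=Main_Page", HUMAN_UA),
    _line("198.51.100.7", 101, "GET", "/wiki/skins/monobook/main.css", HUMAN_UA),
    _line("198.51.100.7", 130, "GET", "/wiki/index.php?search=levaquin&go=Go", HUMAN_UA),
    _line("198.51.100.7", 200, "GET", "/wiki/index.php?title=Main_Page", HUMAN_UA),
]

RECORDS = [r for r in map(parse_line, SAMPLE_LOG) if r is not None]

if __name__ == "__main__":
    for ip, when, n in find_edit_search_bursts(RECORDS):
        print(f"edit-then-search burst: {ip} saved an edit at {when:%H:%M:%S}, then {n} searches")
    print("page viewers that never fetched the stylesheet:", find_no_stylesheet_clients(RECORDS))
```

The stylesheet heuristic is deliberately weak on its own (caching proxies and text browsers also skip CSS), which is why it is paired with the edit-then-search rule; on a real log both would feed a review queue rather than an automatic block.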

Here is a PrivateRemarkAboutTheBackToTheFutureIISpammer. – Manni - 2005-04-04 18:56