SpamPage

Spammers beware!

All spam found on the chongqed.org wiki will end up on this page. All URLs and keywords will be redirected to a page on http://spammers.chongqed.org. This is basicly a list of really dumb spammers. If you're going to spam a wiki, why spam a wiki who's sole purpose is to fight spammers?

So far, these are the spammers that were this dumb that weren't blocked automatically:

51.net

2004-12-18
spammed: renzhengwang, SpamPage, RecentChanges
method: manual
IP: 210.82.105.10
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322)
referrer: Google - wiki chunmeng and Google - nuoya-hd

8cx.net

2004-12-01, 2004-12-08, 2004-12-11
spammed: WikiHome
method: manual
IP: 60.55.56.92, 60.55.60.151
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE?2; SV1)
referrer: Google - wiki Edit text of this page

atrivo.com

almost daily since 2005-04-09
spammed: WikiHome
method:
IP: 69.50.191.196, 69.50.184.215, 69.50.191.198, 69.50.191.197, 69.50.184.212, 69.50.187.88
UA:
referrer:

BackToTheFutureII

daily 2005-04-04 to 2005-04-13
spammed: Wakka
method: automated zombies
IP: many
UA: Mozilla/4.0 (compatible; MSIE 6.01; Windows NT)
referrer: none??? - did BackToTheFutureII spammer ever have a referrer?
note: one of the weirdest spammers we have seen.

chunmeng.com

2004-11-19
spammed: RecentChanges
method: manual
IP: 61.232.113.113
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; Alexa Toolbar)
referrer: Google - www.sexeach.com/

coco

2005-03-20, 2005-03-23, 2005-03-24, 2005-03-28
spammed: JoesTempSpamHolder2, JoesTempSpamHolder
method: manual
IP: 221.219.58.52, 61.48.88.159, 221.217.48.121, 221.216.30.69
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Alexa Toolbar)
referrer: Google - www.ynsw.com -site:www.ynsw.com, Google - www.hangchen.com -site: www.hangchen.com, Google - www.sinohome.net.cn -site: www.sinohome.net.cn

dsfsfd

2004-09-24
spammed: SpamReport
method: manual
IP: 211.147.229.121
UA: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Alexa Toolbar)
referrer: Google - www.emmss.com

fudan university

2005-01-17
spammed: wiremesh
method: manual
IP: 218.80.208.18
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
referrer: Google - wiki edit emba sinoart

gghggh

2004-12-04, 2004-12-06, 2004-12-07, 2004-12-07, 2004-12-08
spammed: kejiaoyuan, JoesTempSpamHolder2, Joe, PageRank
method: most likely manual
IP: 61.55.129.189, 221.192.169.90, 61.55.127.32, 221.194.183.209
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon),
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE?2),
referrer: hidden (2004-12-04) and
yisou(yahoo China?): Edit text of this page | View other revisions (2004-12-06)

googlebaidu

2004-10-10
spammed: SpamReport
method: manual
IP: 61.232.113.56
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Maxthon; Alexa Toolbar)
referrer: Google - liuhecai888.agreatserver.com

here.com.cn

2005-05-21
spammed: SpamReport, JoesTempSpamHolder
method: manual
IP: 61.173.105.161
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
referrer: Google - "www.bjerwai.com/modules/peixun"

hotchina.org

2004-12-14
spammed: hotchina.org, pack001.com, renzhengwang
method: manual
IP: 211.158.38.9
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)
referrer: Know-how wiki.

jd9.net (free22.net)

2005-03-23, 2005-03-25
spammed: SpamPage, WikiSpam
method: manual
IP: 82.77.137.102
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
referrer: Google - /wiki/ interracial sex
note: this is the same spammer as keydo.net

John

2005-04-09
spammed: WikiForum
method: manual
IP: 134.75.217.55
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
referrer: none

junkhospital

2004-12-08
spammed: JoesTempSpamHolder
method: manual
IP: 211.147.232.123 and 211.147.232.111
UA: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; FunWebProducts?)
referrer: hidden

kejiaoyuan

2004-11-08
spammed: JoesTempSpamHolder
method: manual
IP: 61.49.188.151
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Poco 0.31)
referrer: Google - www.dongdao.net
note: After spamming the page for the first time, he looked at the page history, then edited the old clean revision, kept editing old revisions, finally gave up or was satisfied.

keydo.net

2005-03-10
spammed: TolerateOrFightSpammers
method: manual
IP: 82.77.137.102
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
referrer: - Google: edit wiki free hardcore
note: this IP address has visited us several times, always coming from Google, but using different searches: "buy wiki edit", "wiki edit online cigarettes", "hydrocodone wiki". He has returned to spam 2 more domains that were originally identified as a seperate spammer, jd9.net.

lortabspammer

2005-04-09
spammed: WikiHome
method: bot
IP: 69.50.191.196
UA: curl/7.12.1 (i386-portbld-freebsd4.10) libcurl/7.12.1 OpenSSL?/0.9.7d zlib/1.1.4
referrer: none

oa8000.com

2004-10-27
spammed: JoesTempSpamHolder
method: manual
IP: 218.61.23.78
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
referrer: Google - www.sinoart.com.cn/oa.htm

pack001.com

2004-11-13
spammed: emailed flowerwish dot com, RecentChanges, Honeypot, WikiRSS, SandBox, WikiBlackList, DB Improvements, renzhengwang
method: manual
IP: 221.15.142.249
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Alexa Toolbar)
referrer: Google - www.peak-e.com

photomovies

2005-03-15
spammed: RecentChanges
method: manual
IP: ppp2-162.b-online.forthnet.gr
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
referrer: Google - "keydo.net/"

property2u.com

2005-04-08
spammed: WikiMinion
method: manual
IP: 218.19.101.185
UA: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Alexa Toolbar)
referrer: Google - wikiminion

rapespammer

2005-03-28
spammed: Manni
method: manual
IP: 202.83.175.98 (ntc.net.pk)
UA: Mozilla/6.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
referrer: none
note: I emailed the abuse address at his free web host and his account was blocked.

renzhengwang (nuoya-hd)

2004-11-09
spammed: SpamReport
method: manual
IP: 202.108.59.100
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
referrer: Google - www.88881888.com
note: Returned twice on the 12th and once on the 15th, each time spamming only a few URLs for nuoya-hd.com. On the 22nd he spammed our spam submisson form with his renzhengwang links. Each time his IP address has remained the same.

shoesebuy.com

2005-03-15
spammed: RecentChanges, WikiNode, WikiHome, Chinese shoe spammer
method: manual
IP: 220.161.155.226
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
referrer: Google - shoesorder

SneakyBastard

2005-04-15
spammed: WikiHome, TolerateOrFightSpammers
method: manual
IP: 220.160.145.32
UA:
referrer:

texas-holdem

2004-11-29, 2004-12-13
spammed: SeraphimProudleduck, texas-holdem
method: manual
IP: 213.91.217.118
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0),
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
referrer: Google - wiki fateback.com,
Yahoo! - wiki 6x.to,
Altavista - wiki fateback.com

uusky

2004-11-08, 2004-12-19
spammed: RecentChanges, SpammerTricks, WikiHome, uusky
method: manual
IP: 218.74.23.215, 220.191.47.220
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE?2),
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
referrer: Google - Edit text of this page,
Google - inurl:uusky

wiremesh

2004-10-19
spammed: JoesTempSpamHolder, RecentChanges
method: manual
IP: 210.82.105.10
UAs: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE?2; Maxthon)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; TencentTraveler? )
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322)
referrers: Google - swellong.freewebpage.org, "www.16198.com", "myoa.freewebpage.org", "voip1voip.freewebpage.org", "myvoip.freewebpage.org", "voip1voip.freewebpage.org", "voip99", "vpn.freewebpage.org", "swellong.freewebpage.org"
note: Returned just two days after he was removed from BannedHosts.

zdaqq

2004-12-17
spammed SpamPage
IP: 220.170.245.238
method: manual
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
referrer: Google - site;vpn.freewebpage.org

zj.com

2005-02-15
spammed: zdaqq
IP: 220.170.245.243 (Chinanet)
method: manual
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
referrer: Google - zdaqq

zzzzzz

2005-03-27
spammed: WikiForumArchive March2005
IP: 219.133.244.243
method: manual
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
referrer: Google - link:+www.piclab.com
note: This seems to be a very ineffective way to find spammable wikis. Strange.

Note: Method is the likely way the spammer attacked the wiki, it is always hard to tell a bot from a human, but by looking at the damage, attack speed, spammer stupidity, referrer, and user agent we can make an educated guess.

Anybody know those UA strings?

I'd be interested to know what exactly 'Maxthon', 'TencentTraveler?', and '.NET CLR' are. Anybody know this? And why the Alexa Toolbar when you do your searching with Google? – Manni - 2004-11-19 18:35

Maxthon is an Internet Explorer addon that gives IE many of the benifits of using Opera or Mozilla. Tabbed browsing, mouse gestures, skinning, plugins, privacy protection, and supposedly it uses less resources than normal IE. It used to be called MyIE2.

Alexa Toolbar is similar to the Google or Yahoo toolbars which I assume you have also not seen since you stay away from IE. There are clone Firefox extentions that give most of the features. They just give you quick access to whatever the service provides, other than their searches they have stuff like Yahoo's email, Google's PageRank, Alexa's site popularity, and most useful popup blocking. There is also a Netscape toolbar for IE I think.

I had never heard of TencentTraveler? until these referrers. I have no idea what it is, but you can download it from here apparently but I am not going to try it. It looks like its only available in Chinese. From bablefish it appears to be pretty similar to the other toolbars.

.NET CLR was also new to me, but a quick Google found me a bit of useful info. It is .NET's Common Language Runtime. Apparently it allows support for third party and legacy programming languages in .NET if you have a CLR complaint compiler for the other langage.

– Joe - 2004-11-19 18:14 UTC

I just realized using IE now with VisualStudio.Net installed I get a similar browser string.

  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

– Joe - 2005-03-13 23:15 UTC

Someone (adsl-149-251-217.msy.bellsouth.net) changed my text above about TencentTraveler? to this:

TenCentTraveler? is Mozilla Firefox in Chinese. It is a popular browser in China and can be found here: here bablefish

I don't think that is true, I can find nothing connecting it to Mozilla and the browser string it appears in is clearly IE. See Mozilla China.

Spammer Relations

I knew I had seen a spammer from the CHINA RAILWAY TELECOMMUNICATIONS CENTER before when the chunmeng.com spammer arrived. I just realized it was Spammer #2, googlebaidu. Their IPs are so close I wonder if they know each other or are somehow related. Their UAs, styles, and URL spammed for make it seem they are not the same spammer. Is the Railway just a good place for spammer to spam from? --Joe - 2004-11-24 16:38 UTC

At least the Chinese Railways have quite a big address space: 61.232.0.0 - 61.237.255.255. So they probably also have a huge number of open proxies (although Chinese spammers don't seem to need open proxies). Another possibility, of course, is that the railway folks also act as an ISP and have leased some numbers to spammers. – Manni - 2004-11-25 12:04

---

Does anyone else notice anything wrong with this UA:

  Mozilla/6.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

IE 6 normally identifies itself as Mozilla/4.0 (compatible; …). After a bit or research I still can't figure out if its fake or just really rare from a beta or something.

This is interesting: http://www.projecthoneypot.org/harvester_useragents.php