Talk:Spam blacklist/Archives/2005-05
Proposed additions
Done
boenicke-keramik.de
- www.boenicke-keramik.de - A small pottery puts its URL in a lot of articles, using dial-up and proxy IPs.
- http://de.wikipedia.org/w/index.php?title=Winterfeld&diff=prev&oldid=4717430
- http://de.wikipedia.org/w/index.php?title=Kuhfelde&diff=prev&oldid=4717649
- http://de.wikipedia.org/w/index.php?title=Spezial:Contributions&target=141.76.1.121
- http://de.wikipedia.org/w/index.php?title=Spezial:Contributions&target=217.184.1.1
Pjacobi 15:42, 2005 Mar 3 (UTC)/de:User:Pjacobi/de:User:Pjacobi
diecarolinger.de, khg-edith-stein.de
- diecarolinger.de and khg-edith-stein.de. added on request of german wikipedians via IRC. --Elian 00:36, 26 Mar 2005 (UTC)
translation spam
I cannot check for multiple-project-spam (option seems to be deactivated?), but I guess this one spreaded more than huwiki: see this diff. url's listed there. --grin 18:02, 1 Jan 2005 (UTC)
amelatine.com, francebrazil.com
Hi there, I would like to see www.amelatine.com and www.francebrazil.com (the last one is less critical) added to the blacklist please. It appears to have been mass inserted in Frech-speaking wikipedia articles about South America a couple of times (or more) by various IPs (an example can be found here). Thanks in advance, best regards,
-- AlNo 10:07, Mar 16, 2005 (UTC)
- I listed the former because it seems to come from range and spammed to several articles. The latter seems to be posted only from one IP to only one article. Would you like to block this IP first by fr.admins? --Aphaia | WQ2翻訳中 | talk 10:54, 16 Mar 2005 (UTC)
- Thanks for your help. I posted a message to the talk page of 2 IPs from which the most spam originated. I hope that will be enough to stop them, they have not yet been listed on the vandal list page on fr: but I can do that too.
- -- AlNo 13:29, Mar 16, 2005 (UTC)
- Archived. silsor 14:10, May 17, 2005 (UTC)
hoelle-saale.de
should be added. It was written in the article many times by an alternating IP and removed by different people. Some of the affected edits: [1] [2] [3] [4] [5]
Thank you for adding this - i wrote a statement to the discussion of the article. --Ncnever 12:59, 6 May 2005 (UTC)
- Yes, it's really a problem... The IP kept us up working for many weeks; the latest versions of the Artikel about [de.wikipedia.org/wiki/Halle_(Saale) Halle] are just reverts (Danke Ncnever!). --Rdb/de:Benutzer:Rdb 13:41, 12 May 2005 (UTC)
- Archived. silsor 14:10, May 17, 2005 (UTC)
25340.rapidforum.com
Spam link to an internet forum which has been added (and reverted) many times by various IPs to several articles about roulette in the german WP (see for exammple [6]). --Rdb/de:Benutzer:Rdb 22:40, 12 May 2005 (UTC)
- No examples at that URL. silsor 16:35, May 15, 2005 (UTC)
- The article had a typo in the lemma and was displaced. Here [7] you can find the history. The link is added since a few months, here are all the links i found: [8], [9], [10], [11], [12], [13], [14], [15]. de:Benutzer:BLueFiSH.as / 84.59.58.134 23:09, 15 May 2005 (UTC)
- Archived. silsor 14:10, May 17, 2005 (UTC)
- The article had a typo in the lemma and was displaced. Here [7] you can find the history. The link is added since a few months, here are all the links i found: [8], [9], [10], [11], [12], [13], [14], [15]. de:Benutzer:BLueFiSH.as / 84.59.58.134 23:09, 15 May 2005 (UTC)
handycool.de
Link is added permanently in article de:Mobiltelefon: [16], [17], [18], [19], [20], [21], [22], [23], [24] and many many more. I think this should be enough examples. If there are any questions, i will answer them. Thanks! de:Benutzer:BLueFiSH.as/62.225.79.103 13:02, 15 May 2005 (UTC)
- Since it's only one article, has protection been used? silsor 16:35, May 15, 2005 (UTC)
- I changed the request to match the whole domain and I took a deeper look in the history of the article. The link was inserted for the first time on march 18th, 2004. It pointed directly to the domain with no special sub-page. In june 2004 ([25]) the link pointed directly to a faq about cellular phones. At this time there were only 4 weblinks and the faq had/has a certain value.
- On march 19th, 2005, the link and many others were removed because the section of weblinks was a omnium-gatherum of weblinks of all kinds. In DE:WP we have the rule, that the weblink should enhance the arcticle, but many of the links were only ad and/or to improve the google page rank. So the links were cleaned out to the standard of 5 links. (Now there only 3 links in the article.)
- Only 4 days later the link was added again: [26], but now directly to the domain, not to the faq. I counted that the link was added 20 times after the removal in march. This makes a every-third-day-average.
- The article was never protected and a protection makes imho no sense because there is no edit-war. The ip adds the weblink, we remove it, and a few days later the weblink is added again. It is annoying to constantly remove this link. An attempt to make a communication with the ip was (as far as i know) not made. I presume that this would be ignored. The ip is a dynamic ip from the Deutsche Telekom AG and thereby you cannot talk to or ban a specific ip.
- I hope you can understand what i tried to write. I rarely write so much text in english and in an other window i have a dictionary to look up some words. Thanks again! de:Benutzer:BLueFiSH.as / 84.59.58.134 22:48, 15 May 2005 (UTC)
13288888888.com
Repeated vandalism, most of the time targeting BerlinOS, but also sometimes on the english WP (and probably other Wikimedia sites). See e.g. [27], [28], [29]. Ahoerstemeier 08:48, 17 May 2005 (UTC)
- Should also include 1177888888.com (see e.g. Ahoerstemeier 09:03, 17 May 2005 (UTC)
- We used to have a filter that blocked URLs with 5 or more numbers in them, but it caused problems. I've reactivated it and set the threshold and 6 or more numbers. silsor 13:56, May 17, 2005 (UTC)
- Archived. silsor 14:11, May 17, 2005 (UTC)
- Apparently still not working - see [31] Ahoerstemeier 08:19, 23 May 2005 (UTC)
- I removed that one because I was getting email from other people with numeric domains. I've blocked that one spam domain specifically instead now. silsor 16:12, May 23, 2005 (UTC)
- Apparently still not working - see [31] Ahoerstemeier 08:19, 23 May 2005 (UTC)
- Archived. silsor 14:11, May 17, 2005 (UTC)
- We used to have a filter that blocked URLs with 5 or more numbers in them, but it caused problems. I've reactivated it and set the threshold and 6 or more numbers. silsor 13:56, May 17, 2005 (UTC)
zymq.com
http:// www.zymq.com/: a commercial site selling Chinese Cultural artifacts. Keeps spamming (from multiple IPs) pages like en:Culture, with plausible-looking link descriptions. I've been keeping an eye out for it, but I'm about to take a 3-week semi-break from Wikipedia (reachable, but pretty inactive), and so I'm asking for a more lasting solution. -- Jmabel
- Added this site as well as taichifollowme.com, which was spammed by the same IP and is registered by the same person. silsor 14:31, May 20, 2005 (UTC)
massive Linkspamming in german WP
At least following entries were created by a link spammer:
- http://de.wikipedia.org/wiki/Diskussion:Tadalafil
- http://de.wikipedia.org/wiki/Diskussion:Cialis_februar
It contained following domains:
- www.ebusiness-cards.org
- www.globalflights.org
- www.voip-guide.org voip
- www.secure-network.info
- www.globalflights.org
- www.ecar-rentals.com
- www.ebackground-checks.com
- www.secure-network.info
- www.cruise-guide.org
- www.wedding-knot.com
- www.predictive-dialers.org
--Gunter.krebs 12:53, 30 May 2005 (UTC)
- Thank you, added. silsor 14:35, May 30, 2005 (UTC)
spkpfh.de
Spams repeatedly, dozens of times and for months now on my talk page, under various IPs (example: http://de.wikipedia.org/w/index.php?title=Benutzer_Diskussion:AndreasPraefcke&diff=5906358&oldid=5905217, history: http://de.wikipedia.org/w/index.php?title=Benutzer_Diskussion:AndreasPraefcke&action=history - look for "some comments"), also on my talk pages on en: (http://en.wikipedia.org/w/index.php?title=User_talk:AndreasPraefcke&action=history) and commons: (http://commons.wikimedia.org/w/index.php?title=User_talk:AndreasPraefcke&action=history), blocked in the meantime because of the spkpfh spams, the commons talk page showing no signs of it by now since the history has been cleared of the spammed versions. In the meantime they have also found my User talk:AndreasPraefcke on meta... I would like to have at least one working talk page without these abusive rants appearing daily (and often even a couple of times a day). --AndreasPraefcke 14:22, 19 May 2005 (UTC)
- Reviewed and blocked, despite the political connotations. Be aware that this may not stop the spam. silsor 15:06, May 19, 2005 (UTC)
- As I suspected our spammer has just changed the format of the links, so I'll take the domain off the blacklist. This behaviour is still inexcusable but you'll have to go elsewhere to take care of it, I'm afraid. silsor 18:24, May 21, 2005 (UTC)
- Thanks. I wasn't sure how the block list works (I couldn't find any explanation), so I thought it might help. Alas, it was worth a try. By the way, could you block my user page and talk page on meta? It's really enough for me to have to take care of my German one (all other projects are blocked). The links to the de.-pages are already there. Thanks in advance. I tried to ask any meta.-sysop yesterday in the wikipedia chat, but no one answered my query there. --AndreasPraefcke 21:20, 21 May 2005 (UTC)
p2l.info
There seems to be a spam bot attacking www.the-gdf.org - We are a wiki that contains the current specifications of the Gnutella Protocol. We've been attacked several times with spam that points to p2l.info Here are several diffs
http://www.the-gdf.org/wiki/index.php?title=Current_events&curid=1011&diff=0&oldid=514 http://www.the-gdf.org/wiki/index.php?title=Help:Contents&curid=1013&diff=503&oldid=502 http://www.the-gdf.org/wiki/index.php?title=Gnutella_Developers:Community_Portal&curid=982&diff=0&oldid=491 http://www.the-gdf.org/wiki/index.php?title=Gnutella_Developers:About&curid=1007&diff=485&oldid=479
This has been going on since about two weeks now, all these diffs are only from today. We found this Spam Blacklist extension, and we wanted to contribute by requesting p2l.info to be added to the BlackList.
The GDF 12:11, May 23 2005 (UTC) http://www.the-gdf.org/wiki/index.php?title=Current_events&curid=1011&diff=0&oldid=514
- Thank you, added. silsor 16:29, May 23, 2005 (UTC)
- I fixed it, changed pl2 to p2l -- Tim Starling 05:36, 24 May 2005 (UTC)
- Woop. silsor 15:57, May 24, 2005 (UTC)
p2l.info
This spam bot is currently attacking www.signpuddle.net - a wiki for written sign langauge. It only creates new pages, attack several times an hour, and uses many different IPs. I installed the SpamBlacklist, but it was still attacking. I added a personal list and that seems to have stopped it. This seriously needs to be added to the blacklist.
- Sorry, there was a typo in the original addition. This should be blocked here now. silsor 15:42, May 26, 2005 (UTC)
azzacash.com
This spam bot is just like the p2l.info one - posts intensly from a wide variety of IP addresses advertizing prescription drug sites like buy-fioricet.1.azzacash.com.
http://www.uuism.net/uuwiki/index.php?title=UUWiki:Community_Portal&curid=738&diff=2979&oldid=2972 http://www.uuism.net/uuwiki/index.php?title=UUWiki:About&curid=728&diff=2980&oldid=2974 http://www.uuism.net/uuwiki/index.php?title=Current_events&curid=739&diff=2978&oldid=2973
Seconded - I'm pretty sure it IS the p2l people; that was the only one I'd ever been spammed by and as soon as I started blocking them I got the azzacash garbage instead.
http://www.freebsdwiki.net/index.php?title=Help:Contents&curid=882&diff=2795&oldid=2794&rcid=1353 http://www.freebsdwiki.net/index.php?title=Current_events&curid=1402&diff=2798&oldid=2793&rcid=1352
- "azzacash" added to the blacklist. Thank you for the report. silsor 15:43, May 26, 2005 (UTC)
Almost certainly the p2l people. Besides the similar MO, some of the IP addresses were identical or in the same netblock. Besides blacklisting azzacash, I banned /16 blocks for those addresses with an expiry of 40000 hours. Sucks for any legitimate users on those blocks, but this is ridiculous. :-(
round-robin domain spamming
Within 6 hours of blacklisting azzacash, I had attacks from a bot blasting out repeated edits to "Current Events" for subdomains at all of the following:
badazz\.org d\.la silk\.com prout\.be bluelinecomputers\.be blueline\.be kyuran\.be nux\.at have-more-fun\.net compblue\.com phre\.net is13\.de thamaster\.de ic5mp\.net user-mode-linux\.net debianbase\.de onlinepeople\.net opank\.com ezua\.com ns1\.name plorp\.com ygto\.com aus\.cc nazari\.org bounceme\.net bestdeals\.at ns01\.us z0rz\.com egi\.biz myserver\.org blrf\.net dnyp\.com trickip\.net soliday\.org byinter\.net a\.la zapto\.org findhere\.org servequake\.com fw\.nu rutan\.org ugly\.as dynu\.com informs\.com b33r\.net ddns\.ms epac\.to 3-a\.net trickip\.org ruwe\.net 2mydns\.com 2myip\.com x24hr\.com pcanywhere\.net 2mydns\.net portx\.net dcclan\.co\.uk pacehillel\.org rawcomm\.net softguy\.com al0ne\.info waw\.pl
This is a very active spambot. Examples:
http://www.freebsdwiki.net/index.php?title=Help:Contents&oldid=2806 http://www.freebsdwiki.net/index.php?title=Help:Contents&oldid=2802 http://www.freebsdwiki.net/index.php?title=Help:Contents&oldid=2800
Sigh. I blacklisted all of the above domains on my own local copy; but this is getting really and truly ridiculous. I fear somebody may have to come up with a better anti-spammer AI for the wikis if this keeps up.
- Awesome. Unfortunately many of those domains are top-level hosts that host many sites, including some legitimate ones. These appear to be small sites that open a frame to a search in UmaxSearch.com, who would seem to be the basic perpetrators of this spam. This is where this blacklist currently breaks down, so there's not a lot we can do about it. silsor 22:25, May 26, 2005 (UTC)
- That is correct; a lot of them are - sorta like no-ip.com, which you guys are already blacklisting (and I approve of). I personally chose to blacklist the "lots of tiny little sites nobody bothers to get a real domain name for" subdomain type hosts that the Russian mafia types I seem to be having trouble with are using anyway, but I can understand not everybody would. Maybe sometime next month I'll get a chance to hack whitelisting into the php module so it's easier for other wiki admins to blacklist the hosts and still allow specific links. (Maybe alligators will fly, too, but who knows? =) --Freebsdwikinet 04:42, 27 May 2005 (UTC)
Not done
hpv[0-9]*.com.cn, hpv[0-9]*.cn
Random wikipedia spam from china, see [32]
- http://www.hpv''[0-9]*''.com.cn (hpv80, hpv120 etc)
- http://www.hpv''[0-9]*''.cn
- and others.
Okay, see [33] for searching, probably some fscking chinese viagra clone, let them die all. --grin 10:49, 9 Dec 2004 (UTC)
- Are there any recent examples of this spam? silsor 21:33, Mar 3, 2005 (UTC)
- Archived. silsor 14:10, May 17, 2005 (UTC)
rap.de
More than 20 edits by an IP with [34] in deWP. ST ○しろまる 13:13, 14 Mar 2005 (UTC)
- The spam blacklist is for cases when blocking doesn't work. What happened after this IP was blocked by the de: admins? silsor 17:57, Mar 14, 2005 (UTC)
- rap.de is probably the largest German hip-hop web magazine. mass-insertion of links from any site is to be frowned upon, but it would be nonsense to blacklist this site, as it has a lot of valuable content (interviews, etc.) regards, Hoch auf einem Baum 23:28, 14 Mar 2005 (UTC)
- Archived. silsor 14:10, May 17, 2005 (UTC)
gardening.msk.su, .*-.*.spb.ru
These should be added to the "Russian spam section" (spambot):
As before, these can't be blocked at all using IP blocks; each series of spam edits lasts only a minute or two and uses a fresh IP.
-- Curps 22:51, 22 Mar 2005 (UTC)
- I don't think adding gardening.msk.su would help, since they usually register new domains for every round of attacks. Added *-*.msk.su though. silsor 15:42, Mar 23, 2005 (UTC)
- OK, PHP was unprotected again on en and was hit within a couple hours. Taking a more hardline stance against these spam domains. I went into the other wikis that use these as well and unlinked them. silsor 20:19, Mar 27, 2005 (UTC)
- Use of the filter .*-.*\.spb\.ru is incorrect - this filter rule is too broad. See upper #Requests for removal --Kaganer 18:38, 11 Apr 2005 (UTC)
- The only alternative to this filtering is permanently protecting important articles like en:PHP, otherwise they get hit with dozens of vandal spambot edits a day (just today the filter on spb.su was temporarily (?) removed, look what happened a couple of hours later: [47]). I know what spb.ru stands for, but if they host vandal spambot operators then they are a rogue domain, no matter how big or small they are. This problem has lasted for months, these spambots have hit other wikis and blogs, and clearly these Russian domains have no interest in doing anything about it. I hope we can implement whitelisting soon, but in the meantime these domains should definitely remain filtered. -- Curps 23:44, 13 Apr 2005 (UTC)
- Archived. silsor 14:10, May 17, 2005 (UTC)
no url supplied
Please add the following: [48], it was posted on the Icelandic Wikipedia. —Ævar Arnfjörð Bjarmason 20:29, 27 Apr 2005 (UTC)
- Any more examples? Did it happen on more than one page? More than one IP? silsor 14:15, May 17, 2005 (UTC)
Other discussions
Multi-wiki collaborative blacklist
There's a very good multi-wiki collaborative blacklist at http://www.emacswiki.org/cw/BannedContent . It's automagically collated from a number of different sources. Some sort of cooperation would probably be helpful for Wikimedia and other wikis. --Evan 22:48, 18 Mar 2005 (UTC)
- Chongqed.org also has a blacklist. In this case it is built up largely from their spam submission system. http://blacklist.chongqed.org/
- Submissions are checked, so it should be reliable list of regular expressions for spam all over wikidom. By submitting details of a spammer here, you also add the spammer to their database, which means you can 'chongq' them (steal search engine rankings from them by linking to the database) -- Halz - 25th Apr 2005
Can article titles be blocked by Regexp?
In german Wikipedia a troll tries to recreate a deleted article and uses Unicode tricks (substituting cyrillic letters of same appearance, special dots or even the simple large I vs small el trick) to create it under a large number of different names. The original name was de:K.D.St.V. Carolus Magnus, a recent attempt was de:K.D.Ѕt.V. CarоIuѕ Μaɡnuѕ, more attempts usually visible at the delete log [49].
As there are some latin letters which cannot be faked, I think it would be possible to find a regexp for blocking, if there is a software feature to block article titles by regexp.
Pjacobi 21:00, 2005 Mar 27 (UTC)
- The spam blacklist deals only with external links. silsor 21:18, Mar 27, 2005 (UTC)
Unable to revert vandalism
Hi, not sure if this is the rigth place, but:
en:Ambigram has been vandalised by replasing all links with nonsense, and trying to revert it sends me to the spam protection filter because one of the links is a numbers only link ( 01101001.com ). The page is a relevant link for the article. en:User:Demo 07:30, 19 May 2005 (UTC)
Edits delayed in ?action=raw
So, I'm using the load_lists script in SpamBlacklist, and it appears that the URL it fetches --- http://meta.wikimedia.org/wiki/Spam_blacklist?action=raw --- does not track the actual contents of the page. For example, azzacash was added yesterday, and is clearly visible on the Spam blacklist page, but the ?action=raw URL doesn't pick it up. I'm not sure where to report this --- it looks like a MediaWiki bug to me. -K
- It was only added 4 hours ago, but this still shouldn't happen. You can file a bug at http://bugzilla.wikimedia.org/. silsor 18:49, May 26, 2005 (UTC)
- I get a "Forbidden - Raw pages must be accessed through the primary script entry point." error when loading that URL, but this URL seems to work instead http://meta.wikimedia.org/w/index.php?title=Spam_blacklist&action=raw --Travisd666 16:28, 13 July 2005 (UTC)
Does anyone know why stanleyunwin.com is being blocked? It used to be in the Stanley Unwin article but is being filtered despite not appearing in this list and not looking like a spam link. Angela 00:03, 29 Apr 2005 (UTC)
- It was added recently by Yann, in what may have been an overzealous filtering. The domain "win.com" was filtering "stanleyunwin.com". Removed. silsor 03:50, Apr 29, 2005 (UTC)
- Is it supposed to work like this? fiji.com in the blacklist is also blocking alliancefiji.com. Angela 13:30, 1 May 2005 (UTC)
- Unfortunately yes. This can occasionally be prevented, though, by using filters like \.fiji\.com. silsor 16:34, May 1, 2005 (UTC)
- Since these are regex fragments, could we not use something like
(^|\.)fiji\.com
, or\bfiji\.com
to avoid them matching in the middle of words in this way? - IMSoP 12:31, 17 August 2005 (UTC)
- Since these are regex fragments, could we not use something like
- Unfortunately yes. This can occasionally be prevented, though, by using filters like \.fiji\.com. silsor 16:34, May 1, 2005 (UTC)
- Is it supposed to work like this? fiji.com in the blacklist is also blocking alliancefiji.com. Angela 13:30, 1 May 2005 (UTC)
IP list from Anarchopedia
95% of this IPs spammed Anarchopedia today. If you need more details, tell me what do I need to ask MySQL for deleted pages? --Millosh 19:28, 26 May 2005 (UTC)
24.239.248.21 61.185.19.77 61.205.205.42 62.90.251.129 62.139.105.29 63.145.115.131 66.47.217.98 66.160.69.101 66.178.21.203 69.50.184.211 69.50.187.93 81.115.31.217 81.144.146.194 82.129.167.165 82.129.167.171 82.194.62.22 148.235.92.153 148.244.150.57 161.200.255.161 193.188.105.22 195.175.37.71 200.162.244.20 200.164.88.146 200.165.76.250 200.247.92.130 201.9.127.141 202.47.247.130 202.154.157.205 203.64.76.228 203.144.143.2 203.177.60.237 210.68.141.70 212.92.8.103 213.175.169.2 217.29.240.36 217.196.166.105 219.240.37.28
- This spam blacklist blocks sites from being added by any user, not specific IPs from editing articles. silsor 19:52, May 26, 2005 (UTC)
- Email blacklists block sending email by any user. User who thinks that (s)he is not a (wiki) spammer should send an email. Note that this list is generated today (an the list still grows)! I'll try to make statistics about operating systems of that IPs tomorrow, but I think that we would get high percentage of Unix-like OSs. (The only other possibility is that IPs belong to infected Windows machines, but I don't think so...) --Millosh 20:21, 26 May 2005 (UTC)
- This spam blacklist blocks sites from being added by any user, not specific IPs from editing articles. silsor 19:52, May 26, 2005 (UTC)
blacklisted spam can be posted from DIV tags
Sadly, the drug spammers have found a loophole. See below:
I'll spare you the bajillion actual entries in the spam - they're all the ones I listed above in the comment titled "round-robin domain spamming." They're ALL blacklisted, but unfortunately they can be posted successfully when wrapped in a DIV tag as shown above. --Freebsdwikinet 03:15, 19 Jun 2005 (UTC)
- I tested this on enwiki using the exact HTML fragment above with a domain from our blacklist, but it was successfully blocked by the spam filter. Can you demonstrate with, say, predictive-dialers.org on en:User:Silsor/sandbox? silsor 06:29, Jun 19, 2005 (UTC)
If you are having problems with the spam list and aren't a spammer please include a link to the article you are having trouble saving and say which URL (without the leading http part) you are told is blocked. Any meta administrator can edit the spam blacklist.
For removals because they conflict with a known significant spammer, please include them in the whitelisting desired section so they can be specifically whitelisted later, while still keeping the generic block in place.