Change Log

... being a description of goings-on on Kaminski Wiki. Like Recent Changes, but narrated. :-)

2006-08-08
It was so cute! 196.202.33.242 replaced the home page with " HaCkEd by D3nGeR ". It certainly takes formidable skillz to 'hack' a publicly editable wiki! :-)

2006-07-07
A couple of odd posts to Kaminski Wiki and Saladin Crusaders Bin Laden: (20060704114436 81.25.36.82 port-82-adslby-pool36.infonet.by) (20060704115116 81.25.36.82 port-82-adslby-pool36.infonet.by) (20060707134345 81.25.33.124 port-124-adslby-pool33.infonet.by).

The first two were insertions of the editing link to that page, the second was to url.com. I've reverted them all out.

Eaton, by the way, is working like a champ, although it's blocking mostly spam to mt-comments and mt-tb, which attracts many more spam robots. It turns out that the IP blackhole created over time helps cover the wiki, too, though.

2005-11-11
Installed Eaton (internal version #3) around Kaminski Wiki. The same script, which has a regexp content filter and an IP address filter, is also wrapping mt-comments and mt-tb.

2005-11-10
A set of odd posts to Wiki Spam and Wiki Black List of the form:

Summary: dfekuggxhn Text: nrgcctc.oapldqa.com

Summary: vtgisxvzjd Text: agmuvau.inivonv.com

Summary: amiziihyay Text: umwtoyd.rqsrkpi.com

(there were more, but the logs were truncated due to a full disk quota)

The posts came through an open proxy at 207.63.100.162 (city-of-chicago-filter2.illinois.net).

2005-08-08
Yay! Wujin Lin from http://www.oilpainting.ws sent me a nice email apologizing for using Kaminski Wiki for SEO, saying he stupidly listened to free advice about SEO, and promised never to do it again. He asked to be removed from Wiki Black List, and I've done so. -- Pete

2005-07-08
59.57.138.134 removed oilpainting.ws from Wiki Black List. I reverted it. -- Pete

2005-06-29
83-65-7-162.sh-wien.inode.at added a link to "ritalin.batcave.net" to *76* pages. Somebody was busy! batcave.net is a free web hosting service, and I sent them an abuse report because they ask earnestly for reports on their main website.

The page that loads from ritalin.batcave.net redirects to "www.topsearch10.com/search.php?aid=36476&q=ritalin". I'm still undecided about sending abuse reports to inode.at, or to topsearch10 about their affiliate #36476 -- I wonder if it would do any good.

2005-05-09
There was a junk edit to the Kaminski Wiki page from 82.211.136.2 (nss6-gw2.planetsky.com), which may be an open proxy. Change reverted. -- Pete

2005-02-10
68.37.145.5 (bgp476904bgs.summit01.nj.comcast.net) removed babyoliverboutique\.com tuttibella\.com ccc-cn\.org hostmerit\.com lj8\.net from Wiki Spam. Absent further discussion or explanation, I restored them. -- Pete

2005-02-09
The PHP page sees lots of action. It's sometimes hit from various IP addresses by something that doesn't really change anything, but which still generates a changed line in the page. Then on 2005-02-07 and today, a bot hit it around 50 times. On the 7th, it was "gambling.adygeya.ru. : 85.96.49.192 (dsl85-96-12736.ttnet.net.tr)". Today it was "hobby.armenia.su. : 83.27.245.141 (bdd141.neoplus.adsl.tpnet.pl)". Hmm. Anyway, it's too bad for them it's so easy for me to delete this junk.

2005-01-21
The 202 domains in my Wiki Black List starting with "acne1care4skin.chat.ru" and ending with "wmutualmortgage.chat.ru" (and some related page-zeroing) are kind of interesting. They were posted from proxies or zombies:


 * 63.245.23.249
 * 64.43.1.59	smtp.meridianrail.com
 * 64.164.190.2	adsl-64-164-190-2.sgvarc.org
 * 68.48.242.62	pcp736510pcs.reston01.va.comcast.net
 * 80.248.1.3
 * 200.68.70.105	dns1.daweb.com.ar

Because the spammers are hosting the spamvertised domains on free hosting services that might host legitimate sites, too, I set my initial internal blacklist to just the subdomains. That worked for a day, until they started using other subdomains, so now I've switched to the root domains of the free hosting services, thereby squelching some potentially real links. Oh, well....

The couple of spamvertised domains I've visited redirect to searches to searchmeup.com. For instance, "wmutualmortgage.chat.ru" redirects to "www.searchmeup.com/search.php?aid=30820&q=washington+mutual+mortgage&said=mortgage".

It looks like somebody (affiliate #30820 in this case) is scamming the searchmeup affiliate program, umaxlogin.com. From the umaxlogin FAQ:


 * What is Umax Search?: "Umax Search is a Pay Per Click search engine where every search result carries a bid value. Results are sorted descending by bid values that are set by advertisers."

 * How does Umax Search affiliate program work?: "Traffic partners (webmasters) can send adult or non-adult traffic to Umax Search search engine and get 70% of the clicks that referred surfers initiate. Umax Search has a webmaster referral program which is recurring 5% of what referred webmasters make."

2005-01-20
I received an email from Paul Ecroyd purportedly of infoweb.co.nz saying someone he knows had spammed wikis with his domain name in an attempt to annoy him personally, and asking to be removed from Wiki Spam. Since it didn't happen on Kaminski Wiki, I can't adjudicate otherwise, so I've removed infoweb from that page.

2005-01-19
I want [rel="spammer", not rel="nofollow"].

2004-11-15
For a while now I've been using a new spam-cleaning technique, which is to snapshot the wiki database at known good points, then just restore from that backup when I need to clean out spam. It works well, and I'm pretty happy with it.

I've done another small thing which makes my workflow easier: a simple log file I can check over the web that captures the IP address and FQDN (if any) of anybody who does an edit. That way I can use that log file instead of having to download Apache logs and grep through them.

But I'm logging today because I posted a wiki spam abuse letter to Wiki Spam Report20041115. I've sent a few reports like this, when circumstances are such that it appears the report might actually get read and acted on. In this case, the spam was Chinese but came through a web proxy running at an elementary school in Korea (or so says the netblock), so I'm guessing there's some small chance someone there might read English and be motivated to close the proxy.

2004-09-11
Kind of interesting, a spammer (222.65.0.205, chinanet-sh, CHINANET shanghai province) using revision poisoning: alternately placing and removing their payload domain into a page to fill up a bunch of links via the page history. Luckily my blacklist script reaches back into history and munges links there, too, so it's no big deal, but it might be trickier for other folks.

Here's a snapshot of the fun (you can see in my blacklist process I reverted the affected page, Kaminski Wiki, before I got the blacklist/IP banning enabled):

Revision 121: View Diff. . September 12, 2004 1:36 am by Peter Kaminski
Revision 120: View Diff. . September 12, 2004 1:26 am by 222.65.0.xxx
Revision 119: View Diff. . September 12, 2004 1:26 am by 222.65.0.xxx
Revision 118: View Diff. . September 12, 2004 1:23 am by 222.65.0.xxx
Revision 117: View Diff. . September 12, 2004 1:23 am by 222.65.0.xxx
Revision 116: View Diff. . September 12, 2004 1:23 am by Peter Kaminski
Revision 115: View Diff. . September 12, 2004 1:21 am by 222.65.0.xxx
Revision 114: View Diff. . September 12, 2004 1:21 am by 222.65.0.xxx
Revision 113: View Diff. . September 12, 2004 1:18 am by 222.65.0.xxx
Revision 112: View Diff. . September 12, 2004 1:18 am by 222.65.0.xxx
Revision 111: View Diff. . September 12, 2004 1:18 am by 222.65.0.xxx
Revision 110: View Diff. . September 12, 2004 1:18 am by 222.65.0.xxx
Revision 109: View Diff. . September 12, 2004 1:15 am by 222.65.0.xxx
Revision 108: View Diff. . September 12, 2004 1:13 am by 222.65.0.xxx
Revision 107: View Diff. . September 12, 2004 1:13 am by 222.65.0.xxx
Revision 106: View Diff. . September 12, 2004 1:13 am by 222.65.0.xxx
Revision 105: View Diff. . September 12, 2004 1:13 am by 222.65.0.xxx
Revision 104: View Diff. . September 12, 2004 1:10 am by 222.65.0.xxx
Revision 103: View Diff. . September 12, 2004 1:10 am by 222.65.0.xxx
Revision 102: View Diff. . September 12, 2004 1:08 am by 222.65.0.xxx
Revision 101: View Diff. . September 12, 2004 1:08 am by 222.65.0.xxx
Revision 100: View Diff. . September 12, 2004 1:08 am by 222.65.0.xxx
Revision 99: View Diff. . September 12, 2004 1:08 am by 222.65.0.xxx
Revision 98: View Diff. . August 17, 2004 10:27 am by Peter Kaminski
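An added example (not the blacklist script this log refers to) of the two checks that matter against revision poisoning: flagging a host that keeps appearing and disappearing across consecutive revisions, and munging blacklisted links in every stored revision rather than only the current one. The history rows, host names, function names and the `min_flips` threshold are assumptions made for illustration.

```python
import re

# Constructed page history modelled on the snapshot above: (revision, editor, text).
# Host names and page text are made up for illustration.
HISTORY = [
    (98, "Peter Kaminski", "Welcome to the wiki."),
    (99, "222.65.0.xxx", "Welcome to the wiki. http://payload.example.com/"),
    (100, "222.65.0.xxx", "Welcome to the wiki."),
    (101, "222.65.0.xxx", "Welcome to the wiki. http://payload.example.com/"),
    (102, "222.65.0.xxx", "Welcome to the wiki."),
    (103, "Peter Kaminski", "Welcome to the wiki. See http://wiki.example.org/"),
]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"<>]*")

def hosts(text):
    """Set of normalised host names linked from one revision."""
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(text)}

def is_blacklisted(host, blacklist):
    """A blacklisted root domain also covers all of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in blacklist)

def find_poisoning(history, min_flips=3):
    """Hosts added or removed at least min_flips times between consecutive revisions."""
    flips, prev = {}, None
    for _rev, _editor, text in history:
        cur = hosts(text)
        if prev is not None:
            for h in prev ^ cur:          # present in exactly one of the two revisions
                flips[h] = flips.get(h, 0) + 1
        prev = cur
    return {h: n for h, n in flips.items() if n >= min_flips}

def scrub_history(history, blacklist):
    """Munge blacklisted links in every revision so old versions carry no live link."""
    def munge(m):
        host = m.group(1).lower().rstrip(".")
        return "[blacklisted link removed]" if is_blacklisted(host, blacklist) else m.group(0)
    return [(rev, ed, URL_RE.sub(munge, text)) for rev, ed, text in history]

if __name__ == "__main__":
    print(find_poisoning(HISTORY))
    for row in scrub_history(HISTORY, {"example.com"}):
        print(row)
```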

2004-09-04
Yikes! 205 domains from 60.25.119.199 (cncgroup-tj, CNCGROUP Tianjin province), and that's *after* coalescing the subdomains. -- Pete

2004-08-18
222.248.21.195 (topway, Shen Zhen Topway Cable Net) replaced the content of a number of pages with advertising links: Acme Novelty Library Book Shelf Change Log Charlie Wilson Kaminski Wiki/Discussion Quotations Sand Box Web Usability Wiki Black List Words-L.

Most of the edits had been flagged as minor edits, so they didn't show up in Recent Changes -- I had to grep the page database to find them. I removed the checkbox for minor edits from the edit screen, as I don't really use it anyway. -- Pete

2004-08-17
222.95.24.239 (chinanet-js, China Net Jiangsu Province) thought they could carefully hide their link in an existing link on the home page to avoid Recent Changes and diffs. They were wrong. -- Pete

2004-08-16
The nice person from netvision visited again, this time from cbl217-132-240-191.bb.netvision.net.il, zeroing pages and leaving the payload domain in the Summary, where it wasn't live. Same UA, libwww-perl/5.65. Pages hit: Wiki Black List, Words-L, Sand Box, Acme Novelty Library. -- Pete

2004-07-31
Linkspam from 211.161.2.177 (gwbn-bj-balizhuangdongli, Beijing Baliz Huang Dong Li Residential Community Broadband) on Wiki Black List. Google search string was <"gszc.freewebpage.org.">. -- Pete

2004-07-20
Removed 14 linkspam domains from Wiki Black List and Sand Box which had been added by 210.82.106.156 (huijingge-corp), Beijing. Google search strings were and <"bearings.freewebpage.org.spammer">. Considering finding someone to translate my edit disclaimer, "Please do not post advertising links or other link spam -- they will just be removed and your domain will be permanently added to a publicly posted blacklist," to zh-CN. -- Pete

2004-07-19
Restored Wiki Black List after 220.113.171.183 (gwbn-changsha-net3, Great Wall Broadband Network Service) replaced it with advertising. They had come to the page after a Google search on. -- Pete

2004-07-18
Restored Wiki Black List after 222.132.35.166 (cncgroup-sd, CNCGROUP Shandong province) had deleted all of it. Perhaps the same person as yesterday. They're persistent, if a little clueless about how easy it is to un-deface a wiki. They had linked in through http://wiki.apache.org/geronimo/WikiBlackList --Pete

2004-07-16
Restored Wiki Black List after 61.149.113.11 (cncgroup-bj, CNCGROUP Beijing province) had deleted much of it in revision 52, presumably trying to remove the 61.149.114.93 domains. Interestingly, they'd reached the page after a Google search on "allinurl: 2881.com", which misspelled with the space like that returns pages that include the term "2881.com". -- Pete

2004-07-15
Restored "sonnerie-fun.com" to Wiki Black List, which had been removed by "lalande-2-82-67-12-31.fbx.proxad.net". -- Pete

2004-07-14
The pattern " ilovehgp\.com" was removed from Wiki Spam by "roswebproxy2.core.hp.com". The change was reverted. Sorry, if you want something removed from spam lists, you have to email me with a good reason. -- Pete

2004-07-12
cbl217-132-115-90.bb.netvision.net.il is being a persistent little spammer, breaking down and adding a spam URL to Words-L without the "http://". The link wasn't live, and therefore, not subject to the Wiki Black List. Since I thought I'd entered them in editbanned, I looked at the Use Mod banning code, and on a quick review it looks like Use Mod prevents a banned user from asking to edit a page, but not from actually saving a page. Our netvision spammer's UA is libwww-perl/5.65 and is therefore presumably using a spamming kit that can POST without asking to edit, so, a little more code in the Wiki Black List... -- Pete
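An added example (not Use Mod's code, and not the code added to the blacklist script) of the gap described in this entry: a ban checked only when the edit form is requested does nothing against a client that sends the save request directly, so the check has to run on the save path as well. The handler, action names and banned range are hypothetical; the range is a documentation netblock.

```python
import ipaddress

# Constructed ban list; 203.0.113.0/24 is a documentation range, not a real offender.
BANNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def is_banned(ip):
    """True if the client address falls inside any banned network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BANNED_NETS)

def make_wiki(check_ban_on_save):
    """Build a toy wiki handler.

    check_ban_on_save=False models the behaviour described in the entry:
    the ban is enforced on the edit form only. True enforces it on save too.
    """
    pages = {"Words-L": "original text"}

    def handle(ip, action, page, text=None):
        banned = is_banned(ip)
        if action == "edit":                      # request for the edit form
            if banned:
                return 403, "editing not allowed"
            return 200, pages.get(page, "")
        if action == "save":                      # the state-changing request
            if check_ban_on_save and banned:
                return 403, "editing not allowed"
            pages[page] = text
            return 200, "saved"
        return 400, "unknown action"

    return handle, pages

def save_from_banned_client(check_ban_on_save):
    """Send a save without first asking for the edit form; return (status, page text)."""
    handle, pages = make_wiki(check_ban_on_save)
    status, _ = handle("203.0.113.90", "save", "Words-L", "junk")
    return status, pages["Words-L"]

if __name__ == "__main__":
    print("form-only check:", save_from_banned_client(False))
    print("check on save:  ", save_from_banned_client(True))
```

Kept as a regression test, the second call guards against the check being dropped from the save path later.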

2004-07-08
Whee! 61.149.114.93 added 122 linkspam domains to Category Books. I duly added them to the 69 that already existed on Wiki Black List. The Google search string they used to find wiki pages was "Editing revision 5 of". -- Pete

2004-07-07
A nice person from 233-cust-102.venturenet.net added a whole bunch of wiki spam information to Wiki Black List. Since that page is set up to contain just the Kaminski Wiki blacklist, I moved the wiki spam information to a new page, Wiki Spam. -- Pete

2004-07-04
tp-s2-c108-3.router.hinet.net (211.72.108.3?) had posted a description of an English Literature class (no links, though) over Online Translation. I reverted the page to the previous version. -- Pete