Justin Forder wrote:
There are ~1821 pages on the Wiki, and ~1171 have been updated in
January. An Anonymous Coward with IP address 87.248.161.196 changed at
least 783 pages (I and others have probably corrected some of his/her
work) between 14:18 and 16:21 on 13th January. That's more
than one page every 10 seconds, on average. It's not feasible for normal
Wiki users to detect and correct this volume of change by hand.
On the 14th someone posing as the Instiki Importer, but with IP address
82.131.14.155, made a smaller number of changes. I have reversed those
(actually now I see I missed one on the 14th, and that there were a
couple of changes from that address on the 12th).
There are now 744 spammed pages out of 1835. The oldest is 10th January
(it's possible that there was spam before that which has now been
removed). The spam is still coming, but slowly now.
The spammer at IP address 82.131.14.155 has just changed from posing as
Instiki Importer to posing as *me*! (This is the guy whose changes I
reversed at the weekend.)
For the record, any changes I make are from 217.169.11.194.
The spam I have seen is very uniform in its nature. Scanning for its
signature and automatically rolling back the changes would be easy on
the server side - it's much slower and more laborious from the client. I
have been tending to edit rather than roll back, as earlier versions
turned out to contain spam in a large number of cases. Editing requires
a little care - the div containing the spam links is usually right at
the end of the useful content, but sometimes it isn't, and sometimes
it's truncated. Some have !OK! in front of the div, and some don't.
Spam signatures:
1) <div id="wiki1883" style="overflow:auto; height: 1px; ">
This has all its URLs in the pp.ru domain, expressed like this:
![ innocent nude | http://innocent-nude.corp-option.pp.ru ]
2) !OK!<div style="overflow:auto; height: 1px; ">
This has URLs in many different domains, expressed like this:
<a href="http://www.u-blog.net/xzfat/";>fat hairy ladies </a>
Both share the style="overflow:auto; height: 1px; ", which is what I
used to arrive at the figure of 744 spammed pages given above.
There are 27 instances of <div id="wiki1883" - these have been coming
back in the last couple of days after I removed nearly all of them at
the weekend. The person placing these works slowly - a page a minute or
slower.
There are 728 instances of !OK! - some of these have already had the
associated div removed. Some pages have both styles of spam.
The !OK! guy works fast but hasn't been active since the 13th. January.
the LighttpdConfig page was causing a Rails Application Error until I
rearranged the <pre> and <code> tags to nest properly - and to get to an
Edit page required manually typing in the URL to create a new version.
The RailsAcademy, and the Tutorial pages are in a similar state.
Both the RailsAcademy and Tutorial pages came back to life after I took
the spam out. I don't think there are any broken pages left... but it
would be good to get rid of pages with titles like:
on%0D%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0D%0AMIME-Version%3A+1.0%0D%0AContent-Transfer-Encoding%3A+7bit%0D%0ASubject%3A+forenoon%2C+from+the+early+morning%2C+the+square%0D%0Abcc%3A+charleslegbe%40aol.com%0D%0A%0D%0Aa6499b8075b6f8f4da1e7ae3545f7f51%0D%0A.
regards
Justin
_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
