
Spambot nailed September 6, 2005

Posted by Andy Roberts in: Wiki

Spambots are evil nasty things at the best of times, but the one which kept attacking my ukcider wiki was particularly vexing. Not only did it edit a range of useful pages and replace them with a long list of links to all the usual gambling, pron and medicines pay-per-click sites but it also started creating new pages and editing them as well.
It took me 20 minutes or more to revert everything after such an attack, which began happening twice per day, especially when I was away on holiday. Banning the IP address would work if I happened to catch it in the act, but the bot was running from a DHCP server client which meant the address kept changing. This was a serious situation which threatened the viability of the wiki. Many people helped out by reverting pages and deleting the spam but there’s only so much time and patience which can be devoted to such a pastime. Meanwhile the MySQL database was expanding at a ridiculous rate, taking me way beyond the quota I can afford to pay for.

So my first priority was to find a way of shrinking the database back down after cleaning up a spam attack.

DELETE FROM `old` WHERE `old_user_text` REGEXP '^69\\.50\\.'

followed by a COMMIT and OPTIMIZE TABLE `old` wipes out 90% of the excess and a few more queries take care of the rest.
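The address-range selection behind the clean-up query above, as an added example (not code from the original post): it builds an anchored pattern for a block such as 69.50.0.0/16 and compares it with a loose, unanchored `69.50*` on constructed `old_user_text` values. The function names and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

# The loose form: unanchored, '.' is any character, '0*' is zero or more zeros.
LOOSE = r"69.50*"

def cidr_to_regexp(cidr):
    """Anchored pattern for an IPv4 block on an octet boundary (/8, /16, /24)."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 /8, /16 and /24 blocks reduce to a prefix")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    free = ["[0-9]+"] * (4 - len(fixed))   # remaining octets, not range-checked
    return "^" + r"\.".join(fixed + free) + "$"

def in_block(user_text, cidr):
    """Ground truth: True only for an IPv4 address inside cidr."""
    try:
        return ipaddress.ip_address(user_text) in ipaddress.ip_network(cidr)
    except ValueError:          # registered user names are not addresses
        return False

def select_rows(user_texts, pattern):
    """Mimic WHERE old_user_text REGEXP pattern (a search, not a full match)."""
    return [u for u in user_texts if re.search(pattern, u)]

# Constructed old_user_text values; only the first two are in 69.50.0.0/16.
SAMPLE = ["69.50.12.7", "69.50.255.254", "169.5.20.1", "10.69.5.3",
          "69.5.1.1", "Apple69x5", "Eve"]

def report(cidr="69.50.0.0/16"):
    """Compare what each pattern would select against true block membership."""
    wanted = [u for u in SAMPLE if in_block(u, cidr)]
    loose = select_rows(SAMPLE, LOOSE)
    anchored = select_rows(SAMPLE, cidr_to_regexp(cidr))
    return {
        "wanted": wanted,
        "loose_extra": [u for u in loose if u not in wanted],
        "anchored": anchored,
    }

if __name__ == "__main__":
    for key, rows in report().items():
        print(key, rows)
```

When the generated pattern is pasted into a MySQL string literal, each backslash has to be doubled. Running the same WHERE clause as a SELECT COUNT(*) first shows how many rows the DELETE would remove.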

The biggest breakthrough was achieved by finding a Community Of Practice for MediaWiki developers and implementers. After lurking for a few days and checking all through the FAQs I explained my problem, quoting version details, and asked how to block a range of IP addresses, since I had a feeling this ought to be possible but when I tried I hadn’t been allowed to.

The answer I received left a few things for me to find out for myself, but one evening I was particularly satisfied to have cracked it.

On 9/2/05, Andy Roberts wrote:
> Thanks for the prompt reply, Mike.
>
> With your information I googled for “defaultsettings.php” and found
> it in the ‘includes’ directory. I then copied the line
>
> $wgSysopRangeBans = false; # Allow sysops to ban IP ranges
>
> to my localsettings.php file and changed false to true.
>
> This then enabled me to block 69.50.0.0/16 which I hope will get me
> over one longstanding and persistent problem.
>
> I shall remain subscribed to this helpful mailing list in order to
> keep up with developments in the forthcoming struggles against
> spambots, particularly if some kind of shared blacklist or bot
> detection strategy evolves.

The solution I found has killed one spambot stone dead and given the ukcider wiki a much needed reprieve, but other bots will doubtless come along and some might even be able to evade IP range blocking. The longer term solution is probably going to involve rapid edit throttling and URL detection against blacklists. MediaWiki plugins are being developed in this direction but I will need to learn more about remote backups of the database since I’ll need to upgrade the MediaWiki software already in order to take advantage of the newer stuff.


5 Comments »

Comment by Eve
2005-09-06 23:01:58

It’s got something against your UVwiki page as well - I deleted two or three lots of spam on there too over the holidays.

 
Comment by Andy
2005-09-07 09:34:25

Thanks, I’ve reverted that page several times as well. I’d happily abandon the page but have no admin access to do so on that one. Maybe mister “I continue to develop the hotseat” will do something.

 
Comment by Frankie Roberto
2005-09-07 16:13:08

Well done for defeating the bot. Can you share the link to the community of practice site?

It’d be good to hear your experiences of learning how to upgrade mediawiki too. I’m using two different versions, and the newer one has quite a lot of good new features which make editing the template a lot simpler.

Frankie

 
Comment by Andy
2005-09-07 22:35:43

I’m hoping to get away without having to bother with the upgrade until Xmas or later.

Here’s the mailman list:

http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

 
Comment by J Merritt
2005-12-13 05:03:45

Why can’t they use the same kind of spam protection that these comments do? Create a graphic that is only human-readable, containing some scrambled text, and require the text to be entered. Surely that’s not easy for spambots to crack?

 