Wiki Spam Report

J

Jim Weirich

Wiki Spam Report
----------------

I thought I would take some time and report on the wiki spam situation
on RubyGarden. As I hope you have noticed, the wiki has been
remarkably spam free. This email will tell you what measures we have
taken to get to this point.

But first ...

Some Numbers
------------

Over the past 10 days, we have had:

93 updates to the wiki page, all (AFAICT) spam free.
(although I might have missed spotting some).

46 updates to the wiki tarpit. Of those, we had ...
3 innocent updates
2 questionable updates
1 update by me
40 spams

The Mechanism
-------------

Spammers are automatically routed to a wiki tarpit. The tarpit is an
(almost) exact copy of the real RubyGarden wiki. Making changes to
the tarpit looks as if you are making changes to the real wiki. And
since spammers get their pages from the wiki, it looks like (to them)
that they have successfully spammed our site.

However, everyone else never gets to see the spam.

By tricking the spammers into thinking they are successful, they don't
put any additional effort into bypassing our spam detection criteria.
This is important! When we explicitly denied them access to the wiki,
then went to great lengths to figure out how to get around the
restrictions. I haven't seen any of that kind of probing with the
tarpit.

Detecting Spammers
------------------

The current spammer detection logic is based on two observations:

(1) Spammers almost never use an IP address that has reverse lookup
enabled. This effectively means that it appears (to the wiki
software) that your host name looks like a numeric IP address.

(2) Spammers almost never set user preferences on the wiki.

So if both of these conditions are true, we treat the access as a spammer
and send it to the tarpit.

Now this isn't perfect, but that's OK. We also have a explicit ban
list for spammers who pass one of (1) or (2) above. And we have an
explicit allow list that overrides the automatic spammer detection.

Innocent Users
--------------

Can innocent users get trapped by the Tapit? The short answer is yes.
However, we are monitoring the tarpit and will attempt to rescue such
users.

In the past 10 days, there were at least 3 page updates that were from
innocent users. One guy (bless his heart) even removed some spam from
the tarpit for us.

When I see innocents trapped in the tarpit, I add their IP address to
the allow list and manually update the wiki with their changes (if
they are significant).

Detecting the Tarpit?
---------------------

The tarpit is deliberately designed to look like the original wiki, so
it is sometimes difficult to tell when you are trapped. Here's some
suggestions.

You are probably in the Tarpit when:

* there are a lot of recent updates made with numeric IP addresses
rather than host names.

* a lot of the pages have spam.

Although neither of these suggestions are foolproof. I refresh the tarpit
from the real wiki occasionally (to keep it looking realistic).
Immediately after a refresh it is /very/ difficult to tell the difference.

If you think you are trapped by the tarpit, send me
([email protected]) an email with your IP address and I will check
the logs. If you are trapped, we can add your IP address to the allow
list.

If you are worried about getting caught in the tarpit, just make sure you
have your user preferences set when accessing the tarpit (click on the
preferences link from any wiki page).

Summary
-------

I am pretty happy with the current wiki situation. In fact, the
tarpit has been so successful, that I am considering lifting the ban
on lower case http. The ban currently isn't buying us any benefits
and is rather annoying (I'll make it so both upper and lower case
work).

Thanks for your time.
 
D

David G. Andersen

That is a very cool idea! But I am afraid this posting is the reason
why http://www.rubygarden.org/ruby currently is under attack from a lot
of spammers.

Are you sure you didn't slip into the tarpit? :) It looks fine
from here.

-Dave wonders if it might not be nice to have multiple
spammer / legitimate user detection heuristics, though.
 
E

Edgardo Hames

Wiki Spam Report
----------------

I thought I would take some time and report on the wiki spam situation
on RubyGarden. As I hope you have noticed, the wiki has been
remarkably spam free. This email will tell you what measures we have
taken to get to this point.

What does spam look like on a wiki site?

Thanks,
Ed
 
J

James Britt

Edgardo said:
What does spam look like on a wiki site?


The junk I'm accustomed to seeing are pages devoid of any Ruby content,
but filled with links to sites apparently hawking Natural Nigerian Rolex
Enhancements.

James
 
C

Curt Sampson


It looks like the sandbox is not working for 221.197.18.150. If you look
at RecentChanges, he's changed a lot of pages to add what seems to be
mostly Chinese links to chinese websites. I've set preferences, and I'm
still seeing it.

cjs
 
J

Jim Weirich

It looks like the sandbox is not working for 221.197.18.150. If you look
at RecentChanges, he's changed a lot of pages to add what seems to be
mostly Chinese links to chinese websites. I've set preferences, and I'm
still seeing it.

Curt is looking at the RubyGems wiki hosted by RubyForge (which has little to
no spam protection ... hopefully that will change in the near future).

The tarpit is for the RubyGarden wiki.
 
M

martinus

It was fine again after about 5 minutes, it sees that the system really
works
And no, i didn't slip into the tarpit :)

martinus
 
M

Martin DeMello

Jim Weirich said:
46 updates to the wiki tarpit. Of those, we had ...
3 innocent updates
2 questionable updates
1 update by me
40 spams

Very gratifying :)

martin
 
S

slonik AZ

Each act of applying a change to a Wiki can be seen as a "message".
One can use email spam filter (with some modifications, of course) as
a first line of defense. If a proposed wiki change looks as spam to
"modified email spam filter" a user is confronted with a set of
challenges such as read letters from a distorted bitmap, answer silly
questions like Who invented Ruby?... etc.
Alternatively, spam filter decides to silently forward the change to
the Tarpit and also notify Wiki admin of the change if the probability
of this message to be a legitimate one is higher that certain
threshold.

--Leo--
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,965
Messages
2,570,148
Members
46,710
Latest member
FredricRen

Latest Threads

Top