deal with link spammers

(You probably already knew this but ...)

Trac should already have support for this (using CAPTCHA) - see the 'spam-filter' section of the TracIni docs :

http://trac-hacks.org/wiki/TracIni

got hit again.. both TracWiki and WikiStart this time. And this time the account wasn't self-deleted yet.

mikel: thanks, I'll check that out.

I like this approach: http://www.exaile.org/trac/wiki/HackingTracAccountManager

I'm experimenting with it now, and if it works on another trac instance I use, I'll apply it here.

I've implemented that hack, now there is a 2+2=? question on the create-new-account page. Somebody let me know if it causes problems.

Now we just wait and see if the new bar is high enough to cut down on the noise..

Nope, not high enough. A creep using the username 'baker' created an account at 1:56 this morning and proceeded to add pill adds to every wiki page they could find. I think this is an actual human, given that they weren't modifying more than a handful of pages per minute (I'd expect a bot to run faster).

I'll change the challenge question to something else and see how long it takes for them to come back.

for reference, it took me 15 minutes to revert all the spammer's changes. It'd be awfully nice if Trac offered a "revert all change made by user X" button.

we were hit again, 8/18 by user 'sems'.

and again 8/20, just the WikiStart page, by 'robiknode'. I'm looking for an SQL command that will delete all wiki entries made by a given user.

and again, by 'myaso'. I'd cleaned all the previous pages except for SandBox, and I was amused to see that the spammer replaced all the previous spam links with new ones (rather than just appending their links to the existing page). All of the links appear to go through compromised university accounts.

awesome, 'DELETE FROM wiki WHERE author = "myaso";' gets rid of all of those pages with a single command.

copy of the SandBox page with spam links inside

hit again today, 12:04pm, by 'bsyao'. All cleaned up.

and again yesterday, 00:52 to 00:57, by 'becool'. All cleaned.

and again yesterday, 23:06, user 'finecool'.

again today, 11:56, user 'finemsn'

again yesterday, 9/21, 9:24, user 'listall'

again today, 'robiknode', 9/22/07 13:42

again today, 10/01/07 21:21, user bbtwoone about 8 seconds per page, 10 minutes total

again today, 10/10/07 11:48, username 'taker'

again 10/16 23:56 and a second bunch 10/18 16:00, by 'bbtwo2'.

again 10/22 14:19 user 'nicer'

again 10/30 1:06 user 'ttbakertt'

again 11/01 11:10-11:36 user 'bbbaker'

again 11/03 11:50 user 'bbbaker' (they re-used the same username as last time)

also, they deleted their own account at some point after they finished spamming. whoever you are: please stop doing this!

again, 11/05 15:24 user 'chiper', they came back 11/06 14:15

another batch: tikitaki 11/14 16:21, tiktaktoe 11/13 13:18, tuper 11/12 12:38, toper 11/09 19:49

again, 11/19/07 11:09 tiptoptop

again 11/29 19:26 and 11/30 16:09, user tipitapi

again 12/03 00:31 ythg2434

again 12/07 07:02 'qq', only three pages this time, must be a different script

again 12/09 04:02 user 'sssss', only four pages

again 12/10/07 22:05:26 user 'qw', only the WikiStart page, probably a human instead of a script

again 12/14/07 10:09 user 'tyjsmd83', lots of pages, certainly a script

again 12/17/07 07:48 user 'qq', only three pages

again 12/18/07 1:14/1:56 user 'qq' again, four pages

Incidentally, we started getting some link spam on the Tahoe trac instance, and the 'sssss' spam (on 2007-12-16 06:27:19) came from IP address 89.218.124.244, which turns out to come from Kazakhstan. The 'qq' spam (on 2007-12-10 01:27:13) came from 91.90.22.82, which comes from the Ukraine.

Note to self: fix or work around the reverse-proxy limitations that currently prevent buildbot trac from logging the IP address of the clients who change wiki pages. The fact that these spammers seem to be coming from such out-of-the-way machines (and not from US zombies) suggests that it might be possible to do some IP address filtering to fix this problem.

again 12/21/07 03:19, user 'ssssss', only three pages. This occurred within 60 seconds of the same username spamming the tahoe page, so I think somebody has a script that hits multiple tracs at once.

again 12/24/07 22:51 asdklkjh88, all pages

again 12/11/08 12:59 user 'sdf44'. The rate seems to be slowing, if that's any comfort..

oops, I meant 1/11/08 12:59, not 12/11/08.

and again, 1/17/08 20:41 user 'sdf44'

double dose: 1/24 04:22 user '34ythgnb', and again 1/28 11:35 user 'helper'

the sneaky jerk, they did it again 10 minutes after I cleaned up the last batch. 1/28/08 11:55, user 'helper'

2/1/08 4:49 and 2/2/08 8:18, one page each time, user 'dif'

02/02/08 22:34:06 user 'dif', just one page

02/09/08 06:14 user 'sdfsdfsf', all pages

02/16/08 11:23 user 'sf223213', all pages

2/25/08 11:53 user ttrmon, all pages

2/28/08 04:11 user 'fdikqw', all pages

3/4/08 02:09 user 'gloooom', all pages

we went a whole month without wiki spam.. I think that person finally gave up. However we just started getting a new kind: ticket comment spam. The same person hit the Tahoe trac too (allmydata.org). They're advertising a bunch of chinese hotels.

04/07/09 06:43 user 'sell', about 5 tickets.

The SQL expressions to search and destroy are:

SELECT * FROM ticket_change WHERE author == "sell";
DELETE FROM ticket_change WHERE author == "sell";

user TPEslave -- only changed #270.

sigh, they're back, user 'hloper', adding comment spam to all wiki pages, about 6/11/08

ticket comment spam, user 'add', on ticket #77, 6/30/08 06:45

ticket comment spam, user 'sell', on ticket #130, 5/4, 5/9, 7/3

and, if not exactly spam, some bizarre bot-like comments on #270 by user 'TPEslave', 5/11 and 5/23

ticket comment spam, more iron stuff, user 'add', ticket #77, 7/19/08 06:05

wiki spam, just one page, 7/30/08, user 'meduza'

New spam: on page TracGuide by meduza: line 30 added: buy movies

plus ticket 130 last comment by user "add" 2008-08-03

removed a couple more, users 'meduza', 'china', 'add'.

bbl: thanks for the weeding! I'd like to avoid having these cretins' links still around, so if you wouldn't mind, don't include a copy of the full URL in the description that you post here.

Every once in a while I go through the sqlite DB and delete the rows from the 'ticket_changes' and 'wiki' tables, so don't be surprised if the spam that you undid appears to vanish completely later on :).

thanks,

-Brian

Removed more ticket spam from user 'add', for some reason they're fond of #77 and #130. They've started copying text from other projects' bugs into their additions, to make them harder to spot. Sigh.

A new wiki spammer, username 'marcello44', one page, 9/18/08 07:09

Maybe http://trac-hacks.org/wiki/RecaptchaRegisterPlugin might work a bit better?

Another one: rrtoper on 11/05/08 (You might also want to remove the reversal by cyberj the following day)

got the rrtoper ones, thanks!

I'm not sure if recaptcha would help much.. I'm assuming that there's a human who creates an account, then they give the username/password to their bot. So a one-captcha-per-registration barrier might not slow them down very much. I'm willing to give it a try, though.

More rrtoper I'm afraid (on Nov 24)