UESPWiki:Administrator Noticeboard/Vandalism/Archive 1

UESPWiki – Your source for The Elder Scrolls since 1995
This is an archive of past UESPWiki:Administrator Noticeboard discussions. Do not edit the contents of this page, except for maintenance such as updating links.

Repeat vandal - multiple IPs

Just had a repeat vandalism incident to Oblivion:Weapons. First User:84.71.27.192 came on and made a bunch of offensive edits, I warned and reverted. Then User:84.66.192.58 came on and made the same edits. Both IPs are located in the same area (London, UK), so it's pretty obvious they're the same person. I'm recommending at least a temporary block on them both, and possible further investigation. (If this person has access to 2 IPs, they may have access to more, and will probably just come back again if these 2 are blocked.) There seems to be an argument with somebody on www.deviantart.com that is related to this, I didn't want to get too far into it, but it might be worth contacting their administrators as well. --TheRealLurlock Talk 16:16, 16 February 2007 (EST)

Welp, you're familiar with UESPWiki:Blocking_Policy, which generally requires a warning first. However, mitigating factors are that they vandalized the same page repeatedly and then repeated vandalism after you undid it. Personally, I would not object to a temporary block. --Wrye 16:36, 16 February 2007 (EST)
I did warn first. The fact that they used a different IP to repeat the vandalism after the warning doesn't change anything. There should be almost no doubt that they are the same person, (both in London, both made practically identical edits to the same page), thus usually blocking policy would still apply, I'd think. --TheRealLurlock Talk 17:07, 16 February 2007 (EST)
Yep, I agree that based on Lurlock's evidence it is safe to assume that the same person made the two sets of edits, and therefore treat the two IP addresses as a single user. And the edits are unquestionably vandalism. And the timing makes it look very likely that the user received the first warning, then chose to get a new IP address to circumvent the warning. So repeated vandalism after a warning = block. But Daveh beat me to the punch on enacting the blocks :( --Nephele 17:18, 16 February 2007 (EST)

Okay, who pissed off Turkey?

Not sure why, but we've just had the second attack from a "hackers" group in Turkey. (See Special:Contributions/85.99.81.84 and Special:Contributions/81.213.238.147) Both IPs were traced to locations in Turkey, and both used the same basic M.O. on the same page. I blocked them both - didn't see much need for a warning when they even refer to themselves as "hackers". How they consider editing a talk page on an open wiki to be "hacking" is beyond me, but what I wonder is where these people came from? (I haven't checked, but I don't think we have any legit editors from Turkey - don't even think there's a Turkish-language version of this game out there.) Just wondering why they decided to target our site, and whether they've been just doing this to lots of people, or what. Don't want to start an international incident here, just thought it was awfully strange... --TheRealLurlock Talk 10:22, 8 March 2007 (EST)

A quick Google search for one of the IPs also turned up a similar edit on www.unmaintained-free-software.org, another wiki. I'll bet these guys are really proud of themselves for this, though I can't imagine why... --TheRealLurlock Talk 10:29, 8 March 2007 (EST)
Maybe there was a program about Wikipedia on Turkish TV and now every 12-year-old trying to feel like a "gangsta" is out looking for wikis to "hack" (snicker). -- JustTheBast 10:39, 8 March 2007 (EST)
Lurlock, you missed Special:Contributions/85.98.46.184. Anyways, I've been looking into the whole thing, and according to [1], we can report the abuse to abuse@ttnet.net.tr if we want to. Personally, I think the best course of action is to ask Daveh to report the offending IPs, if they vandalize anything else. If vandalism continues afterwards, I'd recommend just blocking the ISP's entire spectrum. --Ratwar 10:55, 8 March 2007 (EST)
Okay, add Special:Contributions/81.213.197.200 to the list. Four times to one page, all from Turkey, same basic MO. If it wasn't a talk-page, I'd consider semi-protecting it. Incidentally, found another wiki they've "hacked": This site apparently hasn't noticed it yet, and this page was previously "hacked" (actually created) by yet another IP: 81.215.185.202. (This one hasn't touched our site yet, but it's the same "oncuTurk" team that hit us on other IPs.) I think what we're looking at here is two or more rival groups of vandals, otherwise why would they be "hacking" pages created by other "hackers"? I'm going to report this to DaveH and see if he feels like doing something about it. --TheRealLurlock Talk 09:51, 15 March 2007 (EDT)

They often commit these crimes although if you ask me, this one is pretty funny. Claiming to "hack" a wiki page is rather hilarious, I'll make sure to share this story with some friends. At first I was feeling guilty thinking I ignited this because of my user page and something I added to Narina Carvain's page. I didn't add anything offensive except mentioning "Armenia" twice yesterday. Turkish hackers usually hack pages about the Armenian genocide and pages mentioning their lack of human rights but there's none of that here so I guess it's 12-year-olds that finally heard about the concept of Wikipedia. Vartan 09:50, 16 March 2007 (EDT)

Since the first of these "hacks" happened 11 days ago, I think it's safe to say your edits had nothing to do with it. --TheRealLurlock Talk 10:22, 16 March 2007 (EDT)

Wow, these guys have been busy. Just did a Google search for "oncuTurk": Over 5000 hits, all just other wikis they've "hacked". Most of them aren't nearly as diligent as we are about dealing with vandalism. I definitely think a complaint to their ISP is in order, though I'm not sure how much good it would do. I wonder if there's any place you can go to report things like this to the wiki-community in general. Some sort of cross-wiki vigilantes who might go around to hundreds of wikis and revert vandalisms like this. Certainly, I've never seen a single group responsible for this much damage over such a large number of sites. I wonder if the Turkish government or police would be interested in doing something about this, as it's clearly a very wide-spread attack. Unfortunately, I have no idea how to go about starting an investigation like this... --TheRealLurlock Talk 10:10, 20 March 2007 (EDT)

This team has also done their share of damage, over 2000 hits. Same story. The others (Omer and Uzman) were harder to look up, as they are apparently common names in Turkish. --TheRealLurlock Talk 10:22, 20 March 2007 (EDT)

If there's only been the few edits I'm happy to leave them be with their delusions of 'hacking'. If they start doing more vandalism I have no problems in approaching their ISP about it. It would probably be best if I was the one notifying the ISP for this and any other similar things. Thanks for tracking the source of this down... -- Daveh 12:16, 20 March 2007 (EDT)
Damn these people and no, reporting that kind of behavior to their ISP or any Turkish agency won't do any good, as you all probably know, Turks are very proud people and no matter what: they are always right. I don't know if you've heard about it but they blocked access to Youtube because there were some materials on there they didn't like (Cyprus, Armenian genocide, etc etc...). Isn't there a way to automatically revert all pages changed from Turkish IPs? --Vartan 15:40, 21 March 2007 (EDT)

UZMan is back, just reverted and blocked 88.254.52.54. Quickly reverted by an anonymous benefactor, but just posting here to let people know that they're not done annoying us yet... --TheRealLurlock Talk 14:26, 22 April 2007 (EDT)

Yes I know this thread is ancient just wanted to point out something I noticed. Lurlock posted saying they didn't think there was a Turkish Language version of Oblivion. Turkey while having its own language has a large population of Arabic and Greek speaking citizens. Most likely the "hackers" mentioned in here were familiar with one of those versions. Lord Eydvar 05:11, 28 February 2012 (UTC)

New spam-bot?

I think we may be dealing with a new spam-bot. Take a look at the conversation on User talk:1173725057. It seems to specifically look for red-links, and create pages to fill them, unlike the previous ones which create pages in places nobody cares about. I've blocked the user and added the sites it used to the Spam Blacklist, but that may not hold it for long. Do we have a plan to deal with this sort of thing? First of all, I thought new accounts couldn't create pages except in Talk namespaces. Four of those pages it created were in non-Talk namespaces. (The other 4 were not, but whatever.) The weird thing is, I can't figure out what these bots are hoping to accomplish by putting a bunch of non-displaying links onto a page like that. Are the search-engine web-crawlers really dumb enough to fall for that? Because it's not like they're expecting our visitors to click those links if they go to such lengths to hide them. Is there a way we can block the display="none" tag? (I mean, there's already wiki-markup tools to do that, so there's no reason to use it.) Just throwing out suggestions. --TheRealLurlock Talk 16:23, 12 March 2007 (EDT)

I'm guessing that the account was created more than three days ago, which is why it was able to create new pages. You could experiment with adding style=display:none in some form to the Spam Blacklist page, but it might be really difficult to get all the possible permutations to be recognized (style="display:none", style='display:none', style='align:left;display:none', etc.). Even at Daveh's level I'm not sure there's much more that's available: specific html tags, i.e. <div>, can be blocked but I'm pretty sure that parameters such as style can't by default be blocked, and especially not specific arguments (i.e. display:none) for those parameters. My guess is that now that editors know to look out for this, we just treat it like any spam: any editor who finds it blanks the page (for real), and when an admin is available, it gets deleted. --Nephele 00:33, 13 March 2007 (EDT)
Interesting...while there is no built-in support for validating specific attribute values, it shouldn't be too hard to add it if needed. I'd likely just add some special handling to check for display:none in the validateTagAttributes() function in Sanitizer.php. I won't do anything just yet but if this begins to become more frequent or cause a problem just let me know. -- Daveh 12:26, 20 March 2007 (EDT)
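The check discussed above, sketched as an added example (not part of the original discussion and not MediaWiki's Sanitizer.php code): instead of blacklisting every spelling of the attribute, parse each `style` value into declarations and test the normalized `display` property. The function names and the sample markup are constructed for illustration.

```python
import html
import re

# style="...", style='...' or an unquoted style=value
_STYLE_ATTR = re.compile(
    r"""\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_IMPORTANT = re.compile(r"!\s*important", re.IGNORECASE)


def parse_declarations(style_value):
    """Return {property: value} for one style attribute, normalized.

    Character references are decoded, CSS comments removed, names and
    values lower-cased and whitespace collapsed, so that the different
    spellings of one declaration compare equal.
    """
    value = _CSS_COMMENT.sub("", html.unescape(style_value))
    declarations = {}
    for part in value.split(";"):
        prop, sep, val = part.partition(":")
        if not sep:
            continue  # not a "property: value" pair
        val = _IMPORTANT.sub("", val)
        # A later declaration of the same property wins, as in CSS.
        declarations[prop.strip().lower()] = " ".join(val.lower().split())
    return declarations


def hides_content(style_value):
    """True if the style attribute sets display to none."""
    return parse_declarations(style_value).get("display") == "none"


def find_hidden_styles(wikitext):
    """Return every style attribute value in the text that hides content."""
    hits = []
    for match in _STYLE_ATTR.finditer(wikitext):
        value = next(g for g in match.groups() if g is not None)
        if hides_content(value):
            hits.append(value)
    return hits


# Constructed sample: the permutations named in the discussion plus a few
# spelling variants, and one harmless style that must not be flagged.
SAMPLE = """
<div style="display:none">[http://spam.example/ a]</div>
<div style='display:none'>[http://spam.example/ b]</div>
<div style='align:left;display:none'>[http://spam.example/ c]</div>
<span style="DISPLAY : None !important">[http://spam.example/ d]</span>
<div style=display:none>[http://spam.example/ e]</div>
<div style="display:inline; color:red">visible text</div>
"""

if __name__ == "__main__":
    for value in find_hidden_styles(SAMPLE):
        print("hidden block:", value)
```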

Proxy Vandalism

Alright, I'd just like all the administrators to be aware that we have a vandal using what appears to be multiple proxies to vandalize the wiki. The addresses have been moving, and coming from several different countries (Brazil, Korea, Japan, Taiwan). The vandalism is characterized by removing plus signs, mostly on Oblivion NPC pages, see 1, 2, 3, 4, 5, 6, 7, and 8. The vandal has also engaged in partially deleting pages after a '&' is used, see 1, 2, and 3. The other strange behavior he has engaged in is reposting information from the ShakenMike incident, see here. Known IPs connected to this user include 200.238.102.162, 211.189.26.81, 221.117.91.186, 200.238.102.170, and 163.18.31.224. Does anyone have any idea how to deal with this guy? -Ratwar 18:00, 11 April 2007 (EDT)

First, I'd say that the user now qualifies for a permanent block. He/she has continued to vandalize the site even after the initial one-week block. So I think that any other IP addresses that are used for vandalism matching this pattern (in particular the + signs on NPC pages, which is a pretty distinctive pattern) should be immediately and permanently blocked. I'll go through the existing blocks on the earlier IP addresses and change them at some point before they expire.
But I'm not too sure what to do about the potential for this user to keep finding new IP addresses. I think all we can do is continue to fix any problems that appear until he/she gets bored. Post the basic "blocked" message on the user talk pages but otherwise don't interact with this person in any way (i.e., complaining on one of their talk pages is likely to just entertain the person and encourage more vandalism). This is supported by the fact that activity seemed to escalate after my initial caution messages. We have numbers, time, and motivation on our side. Eventually even the most determined vandal will get bored if nothing comes of the vandalism. --NepheleTalk 18:38, 11 April 2007 (EDT)
Add two more IPs to the list, both deleted plus signs on Oblivion NPC pages:
--NepheleTalk 21:50, 11 April 2007 (EDT)

Caught another one. Full list so far. Bold indicates IPs already identified by Wikipedia as open proxies. Add to this as more appear:


TheRealLurlock Talk 23:14, 11 April 2007 (EDT)

New issue. An edit similar to these was just done by a non-IP address: YzuVqh. I reverted and blocked it, but it seems the bot may be evolving. Can somebody run a Checkip on that account and see if it matches one of the previous ones? --TheRealLurlock Talk 15:03, 17 April 2007 (EDT)

Yep, your hunch was dead on. The account was using 61.144.122.45, and while running Checkuser I noticed that DzdKxq had also just connected using that same IP address. I'm going to check the settings on that IP's block and ensure that it doesn't allow account creation or non-anonymous logins. --NepheleTalk 17:46, 17 April 2007 (EDT)

Two more. This time, one of them went after a %. So that's now three symbols these things go after. This is truly bizarre. Anyhow, reverted, blocked, added to the list. We might consider breaking this whole discussion off onto its own page if it gets much longer... --TheRealLurlock Talk 09:21, 18 April 2007 (EDT)

Ugh, even more of them. This is getting ridiculous, can't we do something about this? --TheRealLurlock Talk 09:28, 18 April 2007 (EDT)

Starting a list of dummy accounts as well as IPs... --TheRealLurlock Talk 09:49, 18 April 2007 (EDT)
I just scanned through Wikipedia's page on open proxies. Unfortunately, their long list of open proxies is not in numerical order, so it's not too easy to compare our list to theirs. But in a quick scan I was able to find two of our IP addresses on their list. And another open proxy was used by the anti-admin vandal a couple nights ago. I think proactively blocking all of those IPs (including new account creation and non-anonymous users) might be in order. If there's some agreement that this should be done, I can probably work out a way to go through that whole list semi-automatically and block them all without it taking hours of our time. Actually, as a first step, I'll create a sorted list of wikipedia's IP addresses and post it for easier comparison with our list. --NepheleTalk 10:08, 18 April 2007 (EDT)
Sounds like a good idea - if even Wikipedia won't let them post (and they're usually more lenient than we are), I'd say it makes sense to block them proactively. Incidentally, did you checkip on that last one: Fh1Y5s? If it's one of our previously known ones, we should probably go back and make sure that all of those addresses are fully blocked from non-anonymous and creating accounts. I'm not sure if this is connected to the anti-admin vandal or not - the other edits have all been very random and pointless, and that one definitely seemed personal, though I personally don't believe that Aristeo was actually responsible for that. (Though possibly somebody was trying to make it look like him, for reasons passing understanding. But there is a reason that one went after you, Wrye, and Ratwar, and not me or the other people with Admin access. I'd be very curious to know what actually caused that, but that's a different subject.) --TheRealLurlock Talk 10:24, 18 April 2007 (EDT)
Yep, I did a Checkuser and blocked the IP, too, already (traced to somewhere in Korea); I just added it to our IP list as well. So the 397 IPs listed by Wikipedia are now all listed at User:Nephele/Sandbox/7. I don't think the plus sign vandal is related to the anti-admin vandal. What I was trying to imply is that if two different vandals have both recently chosen to use those open proxies, then they do seem to be an increasing problem. --NepheleTalk 10:35, 18 April 2007 (EDT)
The last one was IP 203.145.131.158 again. --NepheleTalk 10:41, 18 April 2007 (EDT)
I highlighted the ones on that list that matched IPs on our list - 10 matches. We have a couple they missed as well. Might be worth reporting to someone at WP in the interests of community service. --TheRealLurlock Talk 10:45, 18 April 2007 (EDT)
I just posted the 7 IPs on our list that Wikipedia doesn't have over on meta.wikimedia.org, which is apparently a cross-wiki project devoted specifically to cataloging open proxies. You might want to check out their list as well, and see how it stacks up against Wikipedia's. --TheRealLurlock Talk 10:58, 18 April 2007 (EDT)
I think two of the extras in our list are probably not open proxies (200.238.102.162, 200.238.102.170) but are likely to be this vandal's home IP addresses, based on where the original attacks started coming from. But probably the few remaining misses are open proxies that wikipedia hasn't caught yet, especially since wikipedia generally seemed to have other IPs from the same domain already listed. --NepheleTalk 11:05, 18 April 2007 (EDT)
Well, I'm ready to go ahead and block all of those IPs. I know I haven't given people much time to respond to the idea, but I mentioned it before and didn't get any objections. And I'd prefer to just get this done and hopefully decrease the amount of work and effort that we all need to put into dealing with this. So, warning: the recent changes log is about to get swamped with block requests :) --NepheleTalk 11:12, 18 April 2007 (EDT)
Blocking done. At some point I should probably add a notice to the talk page of each of these accounts to make it clear that they were blocked because they are open proxies, but I'll wait until later to do that overload. So normal UESP editing can resume ;) --NepheleTalk 11:44, 18 April 2007 (EDT)

Sadly, it appears that our beloved plus sign vandal has returned after a brief vacation. I've found two new anon edits that fit his description: 199.164.125.138 and 83.11.33.11. I think we may need to update our open proxy block. --Ratwar 17:57, 12 June 2007 (EDT)

Yep, he's been active for the last week or so now. If someone can find a list of proxies that he appears to be working from this time around, I could do another en masse proxy block. But none of the recent IPs are ones listed at Wikipedia or its metaproject. Otherwise we're stuck with good old revert-and-block. --NepheleTalk 17:31, 14 June 2007 (EDT)
Another one from 216.110.12.175. You have to wonder why he's doing this in particular... --Rpeh 02:18, 17 June 2007 (EDT)
And another. This time from 203.113.15.234 --RpehTalk 08:35, 22 June 2007 (EDT)

The contributions of 203.113.15.234 are actually very interesting. There are a couple examples of classic plus-sign vandalism [2] [3]. There are also a couple examples of the latest spambot [4] [5]. Finally, there's one example of a new type of edit being made by this bot [6].

From these edits I think it's safe to conclude that the plus sign vandal is really just a different incarnation of one of our regular spambots. The edits being made by the plus sign vandal are all changes that would be made if a wiki page was put through a URL filter or decoder:

  • + signs are used in URLs instead of spaces, so + signs get translated into spaces
  • & signs are used to separate URL arguments, so an & sign is assumed to mark the beginning of the next argument, and everything from that point is discarded
  • Codes like %27 and %2C are used to encode various types of punctuation, so those codes get replaced by the corresponding punctuation

I'd speculate that the bot behind this is just constantly scanning wiki pages (opening them in edit mode then hitting submit). Sometimes, for whatever reason, it decides to replace the scanned page with spam. Many times it decides to not do anything to the page, and therefore just sends back the decoded version of the page. 90% of the time, the page is completely unaltered and so the wiki software just ignores it as a null-edit. But if the page does contain any type of URL coding, the result is plus-sign vandalism.

The insights don't necessarily help too much with figuring out what to do about the bot, though. It confirms that we should continue to permanently block any anonymous IP that makes edits matching these patterns, since the IP address is being used by a spambot. I'm also thinking of starting to block IPs that make edits like [7]. The edit doesn't need to be reverted, because it doesn't actually damage the page, but it's clearly another part of this bot's MO; I think if we can block open-proxy/zombie/malicious IPs earlier rather than later we're likely to prevent the IP from later being used for something that really does qualify as vandalism.

Also, blacklisting the spam websites seems to be the most effective way to end a specific round of spamming. Until the website is blocked, the bot seems to just keep going through its never-ending list of IP addresses and trying to post the spam over and over again. We've only let the bot get away with a handful of spam posts before blacklisting, but the major hit to CSWiki a couple weeks ago clearly shows that the bot will make hundreds of edits (using different user names, and presumably also different IPs, nearly every time) if given the chance. Within a couple days the spammer comes up with some new websites to advertise, but at least it temporarily halts the onslaught. FYI, my attempts to tweak the Spam Blacklist coding to target the link label (#Weird spammer targets...) have failed: the code relies upon built-in wiki functions that produce a list of the URLs only. To alter the link labels would require either completely rewriting the Spam Blacklist code, basically starting from scratch, or else making major modifications to core wiki functions.

If anyone wants to research what other wikis like Wikipedia are doing to halt this bot, it would be great to find out whether there are new tools out there that could help. And I'm open for discussing other ideas people may have... although I'm admittedly somewhat cautious about ideas that have a negative impact on legitimate wiki editors, but are likely to have a minimal effect on the spambots.

From what I've read in PC Magazine and elsewhere, this is just part of a much larger problem in the last year affecting the entire internet, with botnets infecting home computers and using them to generate spam of all varieties. It's a problem at a very large scale, and unfortunately there may not be much in the way of easy solutions :( --NepheleTalk 14:41, 22 June 2007 (EDT)
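The three edit signatures listed in the comment above can be checked mechanically. The following is an added example, not part of the original discussion and not a tool UESP ran: it models the hypothesis that the bot's submission is read as URL-encoded form data, and reports which artefacts explain a given revision pair. The function names and the sample wikitext are constructed.

```python
import re
from urllib.parse import unquote_plus

_PERCENT_CODE = re.compile(r"%[0-9A-Fa-f]{2}")


def decoded_form(text):
    """Page text after a pass through a URL/form decoder.

    Everything from the first '&' on is dropped (it looks like the next
    argument), then '+' becomes a space and %XX codes become characters.
    """
    first_field = text.split("&", 1)[0]
    return unquote_plus(first_field)


def classify_edit(old, new):
    """Return the decoder artefacts that fully explain the edit old -> new.

    An empty list means the edit is not a pure decoder artefact (or the
    page did not change). Trailing whitespace is ignored in the comparison
    because a truncated page often ends in a stray space.
    """
    if old == new:
        return []
    if new.rstrip() != decoded_form(old).rstrip():
        return []
    first_field = old.split("&", 1)[0]
    reasons = []
    if "&" in old:
        reasons.append("ampersand-truncation")
    if _PERCENT_CODE.search(first_field):
        reasons.append("percent-decoded")
    if "+" in first_field:
        reasons.append("plus-to-space")
    return reasons


# Constructed revisions resembling the edits described in the thread.
OLD_NPC = "'''Enchantment:''' Fortify Strength +5\nSee [[Oblivion:Sword & Shield]]\n"
BOT_NPC = "'''Enchantment:''' Fortify Strength  5\nSee [[Oblivion:Sword"
OLD_LINK = "Source: http://example.org/Dragon%27s_Tongue%2C_notes\n"
BOT_LINK = "Source: http://example.org/Dragon's_Tongue,_notes\n"
HUMAN_EDIT = "'''Enchantment:''' Fortify Strength +6\nSee [[Oblivion:Sword & Shield]]\n"

if __name__ == "__main__":
    print(classify_edit(OLD_NPC, BOT_NPC))
    print(classify_edit(OLD_LINK, BOT_LINK))
    print(classify_edit(OLD_NPC, HUMAN_EDIT))
```

A page with no `+`, `&` or `%XX` sequences decodes to itself, which is the null-edit case described above.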

Still More: Recent incarnations of this bot that I've noticed include 203.162.27.90, 203.162.27.92, 203.162.27.94, and 203.162.27.95; I haven't done a full scan of the subnet (it'd be nice if the Contributions page accepted wildcards), but it looks as if the entire 203.162.27.X subnet, if not all of 203.162.X.X, ought to be blocked. (Actually, APNIC says that the IP range 203.162.16.0 - 203.162.31.255 is registered to an internet company based in Viet Nam; I'd suggest looking over that entire IP range.) DisplacedAvenger 15:09, 9 July 2007 (EDT)
Until I read your message, I'd completely forgotten that at some point in the distant past I'd seen some mumbo-jumbo about how to block ranges of IPs. So I looked it up on Wikipedia's admin guide, and sure enough, blocking ranges is a wiki feature. The only question is whether or not Daveh has enabled it on UESP.
To test it out, I've just tried adding a block to all of 203.162.27.X. Since I don't know whether it will work, I'd rather stick to just that one subnet for now, and see whether or not it appears to have been effective. And if any other admins notice this message, it would be helpful if, for now at least, none of the individual addresses in that subnet get blocked. If this range block has worked, then it won't be necessary; if the range block has not worked, the only way to find that out is if one of the IPs makes another edit. (Note, though, that .90, .92, and .93 have already been blocked)
Then the next question is, if this worked, should we block the rest of this IP range? If I've done my math properly, doing a block on 203.162.16.0/20 should correspond to that exact IP range (for info on how the notation works, see Range blocks). However, looking through the block logs, there haven't been any hits from that net outside of the 203.16.27.X subnet. On the other hand, I doubt we have too many editors in Vietnam. Also, if this works, it's something to keep in mind in future: if anyone notices a pattern with multiple hits coming from one subnet, we should be able to just block the whole subnet. --NepheleTalk 21:47, 9 July 2007 (EDT)
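The range arithmetic in the comment above, plus the "multiple hits from one subnet" rule of thumb, as an added example (not part of the original discussion): it converts a registry range to CIDR notation and groups reported addresses by /24 to see where a range block would replace individual blocks. The threshold of three hits and the function names are assumptions; the addresses are ones quoted in this thread.

```python
import ipaddress
from collections import defaultdict


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(net) for net in nets]


def covers(cidr, ip):
    """True if the range block `cidr` applies to the address `ip`."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def suggest_range_blocks(offenders, prefix=24, min_hits=3):
    """Group offending IPs by subnet and list subnets with repeated hits.

    Each suggestion reports how many distinct offenders were seen and how
    many addresses the block would cover, so the collateral size is visible
    before anyone applies it. `min_hits` is an assumed threshold.
    """
    groups = defaultdict(set)
    for ip in offenders:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[net].add(ipaddress.ip_address(ip))
    suggestions = []
    for net in sorted(groups):
        hits = groups[net]
        if len(hits) >= min_hits:
            suggestions.append({
                "cidr": str(net),
                "hits": len(hits),
                "addresses": net.num_addresses,
            })
    return suggestions


# Addresses reported in this thread.
REPORTED = [
    "203.162.27.90", "203.162.27.92", "203.162.27.94", "203.162.27.95",
    "203.113.15.234", "216.110.12.175", "199.164.125.138", "83.11.33.11",
]

if __name__ == "__main__":
    print(range_to_cidrs("203.162.16.0", "203.162.31.255"))
    for suggestion in suggest_range_blocks(REPORTED):
        print(suggestion)
```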
Not sure if this helps, but I found a good way to keep track of all the proxies. Go into advanced search, and un-check everything but "User" and "Search Talk Pages" for namespaces, then search the phrase "Multiple IP Addresses", which is the most unique phrase I could find in the text of the standard warning used for the plus-sign vandal. Here are my results. It gets a few false hits, but pretty much most of what's in those search results is plus-sign vandals who've been blocked. (Assuming that the blocking admin remembered to add the block-notice, and I know that we used to not do that every time.) I was considering modifying the block notice to add a category, so we could have one surefire page with all of them. Of course, since it's subst'ed, all of the existing block-notice pages would be unaffected. Unless somebody wants to change them all (sounds like a good job for a bot...). But it would at least keep all future offenders organized. Any thoughts? --TheRealLurlock Talk 23:04, 9 July 2007 (EDT)
If we're going to start blocking IP ranges, the bigger problem is how to keep track of those range blocks, because there is no longer a single IP address whose talk page can be flagged.
And I was wondering whether you realized that you'd blocked the IP addresses that I'd been specifically leaving unblocked so that I can test whether or not the range block works (namely 203.162.27.91 and 203.162.27.94). The block that I did (to 203.162.27.0/24) should already be preventing those IPs from making any edits. But the only way I can confirm whether or not that range block is working is if redundant blocks are not added to the individual IP addresses. --NepheleTalk 23:22, 9 July 2007 (EDT)
Oops. Sorry, I don't think too much about it - I see plus-sign vandalism I just block it automatically now. We're getting around ten of these things per day now, so it's just become instinct. Anyhow, if they continue at the same rate, I'm sure there'll be ten more tomorrow that you can test your range-block on. Otherwise, you can go ahead and un-block the ones I blocked as a test, though I'm not sure how much good it'll do, as I've only rarely (and not recently) seen more than one plus-sign style edit from the same IP, even if it took most of a day for an Admin to block it. I guess the only way we'll know if it worked is if the number of these edits is drastically reduced after doing it. Crossing fingers here... --TheRealLurlock Talk 01:22, 10 July 2007 (EDT)
Okay, with 15 attacks before breakfast today, I think we can safely say that this range-block is either not working, or too narrow to effectively block things. How wide can we make this thing before we start getting collateral damage and blocking legit users? Because this is just getting ridiculous. --TheRealLurlock Talk 11:18, 14 July 2007 (EDT)
The range block was only implemented to block addresses that start with 203.16.27. There was never any intention of trying to block every instance of the spambot using the range block, because it appears to be a bot that is infecting computers across the world and do not match any one IP address pattern. Even when the block was implemented only maybe 6 of the hundreds of spambot attacks to that point matched the address. The range block was put in place because it looked possible that every computer in that particular subnet had been infected by the spambot, and a single range block is less work than 255 individual IP address blocks. Since the range block was put in place there have not been any more attacks from addresses starting with 203.16.27.*, but I'm really not sure what that means since the addresses we know had been infected were individually blocked (and several of those addresses had already made multiple edits, and therefore without any block it seems safe to assume that they would have continued to be repeat offenders).
As for further action, range blocks are not a general solution to this problem. If there is a pattern where multiple IP addresses within a specific range are making edits, then perhaps another range block would be useful for those specific IPs.
The only other new idea that has been brought up in the last month is implementing an extension like ConfirmEdit (see Captcha). Nobody else has expressed any interest in the extension, though. Also, it frankly won't stop most of these edits, because most are much too similar to legitimate edits, unless we want to start having to force every single edit on the site to require a captcha confirmation. It would be able to stop any actual spam and probably could stop edits that delete large parts of pages, but that's all. --NepheleTalk 12:03, 14 July 2007 (EDT)
Actually, the ConfirmEdit extension would have one other major advantage: it would stop the creation of all these spambot user accounts. In particular because the spambot users are marking edits as minor. As long as the spambot is creating accounts, it is not possible to effectively monitor recent changes by turning off hide minor edits. --NepheleTalk 12:50, 14 July 2007 (EDT)

New Proxy Spammer

I've identified a new spammer. Right now, I believe that the word "template" is used as a marker for attacking pages. The attacks originally came from Japan, but then started coming from South Korea. --Ratwar 21:19, 27 April 2007 (EDT)

Related IPs

Could we just add a bunch of those sites to the Spam Blacklist? Seems like that'd block most of it pretty easily... --TheRealLurlock Talk 21:54, 27 April 2007 (EDT)
Sounds good to me, but I have no idea how to go about doing that. --Ratwar 21:57, 27 April 2007 (EDT)
I just added one. A lot of the sites that were being used seemed to be obscure sub-domains from .edu sites, but I blocked one obvious one that was used in every post. Check out UESPWiki:Spam Blacklist if you want to add more, should be simple enough to figure out, if they happen to come back. --TheRealLurlock Talk 22:01, 27 April 2007 (EDT)
There may be a connection between this one and the previous proxy vandal. Just reverted a change by 221.117.91.186, which was similar to these, but I then noticed that this same IP had previously been blocked by Nephele as a plus-vandal. She only blocked it for a week, and it's since expired - I made it permanent. Not sure if they're related or just happened to find the same open proxy, but it's blocked now either way. --TheRealLurlock Talk 18:15, 29 April 2007 (EDT)

Another troublemaker

I suspect these three are related:

They all have very similar IP addresses, so I'm guessing this person was using a school computer lab somewhere. (Traced them to somewhere in New York.) I'm thinking some blocking is in order, but I want to get some other opinions. Any thoughts? --TheRealLurlock Talk 23:02, 13 May 2007 (EDT)

Given that this person returned today and made two new edits (one using 64.12.116.15, and another with a new IP, 64.12.117.13, where the actual edit was legit but the edit summary was completely inappropriate), I've now gone ahead and blocked all four IP addresses. For now it's just the standard second-offense one-week block which will hopefully be enough to discourage any more idiocy. --NepheleTalk 21:25, 15 May 2007 (EDT)

Weird spammer targets...

This spammer-bot seems to be repeatedly targeting Daggerfall:Skills and User:FMan among other pages for some reason. FMan has been gone from the site for a while, so it's rather strange that his user page (and nobody else's) is a frequent vandalism target like this. Can anyone figure out what these pages have in common? I'm thinking it might be worth semi-protecting them to keep out the IP-editors... Strange. --TheRealLurlock Talk 14:22, 16 May 2007 (EDT)

I agree. I've already asked FMan if he'd like to have his user page semi-protected; I'm reluctant to do anything without his approval. What those two pages have in common, though, beats me....
I decided to get a bit more aggressive on the Spam Blacklist page this time around and added some of the product names as well as just websites to the list. I think it's safe to assume there's no legitimate reason for anyone to be discussing their pharmaceutical purchases on UESP. It's remotely possible that someone would want to mention their favorite cellphone music, but that word was so common in the spammer's list of links that I think blocking it will be very effective. If you disagree (or come across a situation where the spam blacklist is blocking any legitimate edit), let me know. --NepheleTalk 14:43, 16 May 2007 (EDT)
Well, since the Blacklist words are only blocked when they're in a URL, you can still talk about wellbutrin and ringtones all you want, just so long as you don't try to link to them. I agree though that it's not likely that there'd be any legit reason to do so... --TheRealLurlock Talk 14:51, 16 May 2007 (EDT)
Yep, I overlooked that part of the fine print until just now when I was revising the page's introduction. So that makes it even more unlikely that anyone would get tripped up by the blacklist. Although I did hit the blacklist once recently, because somebody had posted some images on blogspot.com (at Oblivion:Linux) and blogspot.com had been blacklisted. I'm in the process of trying to find the MediaWiki message that pops up so I can make it a bit more useful for any editors that do hit it, since it is very possible that more legit edits will get accidentally blocked. --NepheleTalk 14:59, 16 May 2007 (EDT)
I've been trying to work on the Spam Blacklist but, basically, at this point the blacklist still does not check words used in a link's label. So for a link [http://somelink somelabel] the blacklist checks "somelink" but not "somelabel". I gave Daveh one tweak to try to fix this last weekend, but the tweak did nothing. I've looked into things enough to now know why my first tweak didn't work, but it's going to take me a bit more time to come up with another tweak (and one that won't end up accidentally running the entire article through the blacklist).
So it's worth adding new labels to the blacklist, because I want to get the blacklist to check labels. But at the moment, they might not work. --NepheleTalk 14:26, 23 May 2007 (EDT)
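
The gap discussed in this thread (the blacklist matches the URL of an external link but not its label, and the fix must not run the whole article through the blacklist) can be shown in a short added example. This is not UESP's or MediaWiki's own code: the function names, the blacklist entries and the sample wikitext are constructed for illustration, and checking only links that the edit introduces is a design choice of this example.

```python
import re

# Constructed blacklist entries (regex fragments), modelled on terms named in the thread.
BLACKLIST = [r"wellbutrin", r"ringtones?", r"blogspot\.com"]
BLACKLIST_RE = re.compile("|".join(f"(?:{p})" for p in BLACKLIST), re.IGNORECASE)

# Bracketed external link: [http://somelink somelabel] (the label is optional).
BRACKETED = re.compile(
    r"\[((?:https?|ftp)://[^\s\]]+)(?:[ \t]+([^\]\n]*))?\]", re.IGNORECASE)
# Bare URL written directly in the text.
BARE = re.compile(r"(?:https?|ftp)://[^\s\]<>\"]+", re.IGNORECASE)


def external_links(wikitext):
    """Return (url, label) pairs; the label is '' for bare or unlabelled links."""
    links, spans = [], []
    for m in BRACKETED.finditer(wikitext):
        links.append((m.group(1), (m.group(2) or "").strip()))
        spans.append(m.span())
    for m in BARE.finditer(wikitext):
        # Skip URLs already captured as part of a bracketed link.
        if not any(start <= m.start() < end for start, end in spans):
            links.append((m.group(0), ""))
    return links


def check_edit(old_text, new_text, check_labels=True):
    """Return (where, url, matched_term) for each link this edit adds that hits
    the blacklist. Ordinary prose is never scanned, only link URLs and labels."""
    existing = set(external_links(old_text))
    hits = []
    for url, label in external_links(new_text):
        if (url, label) in existing:
            continue  # link was already on the page; do not block unrelated edits
        m = BLACKLIST_RE.search(url)
        if m:
            hits.append(("url", url, m.group(0).lower()))
        elif check_labels and label:
            m = BLACKLIST_RE.search(label)
            if m:
                hits.append(("label", url, m.group(0).lower()))
    return hits


# Constructed sample edit: a spam link whose URL is clean but whose label is not.
OLD = "Skills are listed below.\n"
NEW = OLD + ("Cheap [http://pills.example.edu/~x/ buy wellbutrin online] and free "
             "ringtones for everyone.\nSee http://ringtones.example.com/ too.\n")

if __name__ == "__main__":
    for hit in check_edit(OLD, NEW):
        print(hit)
```

With `check_labels=False` the first link passes, which is the behaviour the thread describes; with labels checked it is caught, while the word "ringtones" in plain prose is still allowed.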

More Repeated Vandalism

Someone's got something against the Roleplaying page. On June 4th, someone using IP 125.237.108.111 added several large blocks of text intended to insult people who enjoy role-playing, including some vulgarity; I reverted and warned. Then, on June 6th, the page was again vandalized, this time from IP 125.237.98.4. I happened to notice this (though Zoidberg beat me to the revert), and thought the changes were familiar; comparing the revisions, it looks like the exact same text was added both times.

I'm not sure what action, if any, should be taken at this point; these are the only two edits of that page from the 125.237.x.x subnet that I can find, and the only two edits that those specific addresses have made. But I do think the administrators ought to be aware of this repeat offender. — Unsigned comment by DisplacedAvenger (talk · contribs)

Thanks for the heads up, I went ahead and blocked both of the addresses for a week, since they both traced to exactly the same place.--Ratwar 17:19, 6 June 2007 (EDT)

Captcha

I've been working at CS wiki recently, and after their major spam attack they added a captcha system to limit spam. The captcha kicks in only if an edit contains links to an external site (not for internal links). I'm sure that there are quite a few plusses and minuses, but it didn't seem too bad in my experience so far. --Wrye 16:46, 22 June 2007 (EDT)

I just found an interesting page on Blocking Spam in MediaWiki. Among other things, it recommends the ConfirmEdit MediaWiki extension which is a Captcha system. It seems like something that might be worth looking into. And it's also the extension that's been installed at CS Wiki. --NepheleTalk 17:32, 22 June 2007 (EDT)

More Spam

Hey I noticed on Oblivion Talk:Oblivion/ that 70.86.237.10 had posted some kind of spam, not really sure what. It consisted of some kind of advertisement for a link that didn't go anywhere. I quickly deleted it. Also, I think "he" created that page just for the purpose of spamming. Giamgiam 17:01, 2 July 2007 (EDT)

The page has been deleted and the IP blocked for spamming. Thanks for blanking the page. Generally, that's all you need to do (perhaps put in your edit summary "deleting spam"). An admin will find it and take care of deleting/blocking without you needing to post a message about it. --NepheleTalk 00:20, 3 July 2007 (EDT)
Ok, I'll keep that in mind from now on. I'm finding that I often forget to include an edit summary, so I changed my settings to prompt me when I do so. My short term memory is that of a goldfish. Burning two Eggo waffles consecutively in the toaster oven in a 25 minute period confirmed this for me. Giamgiam 04:17, 3 July 2007 (EDT)
Found another one. Apparently 71.106.245.20 thought it would be funny to change the word guild to "gay" on Oblivion:Fingers of the Mountain/Description. Luckily, Saruuk had already reverted it. I just wanted to let you know. Giamgiam 04:28, 3 July 2007 (EDT)
That type of vandalism falls into a very different category than spam, and at this point there's nothing administratively that needs to be done or should be done with user 71.106.245.20, so I'm not sure what you're trying to notify the admins about here. You may want to look over the articles on Vandalism and UESPWiki:Blocking Policy.
For people who have made a single stupid experiment/edit, the edit should be reverted. If somebody feels that the edit warrants it, a warning can be placed on the user's edit page; any editor can place that warning. Frankly, in a case like this where it's just one minor edit, it's almost more trouble than it's worth to warn them, because 95% of the time the IP address makes one single edit and then is never heard from again. But it's really just a judgement call on the part of whoever happens to notice the vandalism to decide whether they want to take the time to add a warning. An admin only needs to get involved if the editor has been warned and then continues to vandalize after the warning has been posted. Before then, absolutely any editor can do anything that needs to be done.
Even in the case of a repeat vandal, in general there's no need to add a notice on this noticeboard. All vandalism gets noticed by admins whether or not a notice gets placed here. By placing a notice here in most cases you're just adding to the work that needs to be done, both for yourself and for the responding admin who now has to respond here in addition to actually dealing with the vandalism. This page is mainly used for discussion of how to deal with repeat vandals or to notify admins of extreme and/or unusual cases. --NepheleTalk 10:18, 3 July 2007 (EDT)

Plus Sign Vandal without the plus sign vandalism

Take a look at this. It looks like the usual PSV edit... but in this case it has actually made an improvement. Do we block people for improving the site? :) --RpehTalk 06:22, 11 July 2007 (EDT)

Yep, or at least that's what I've been doing for the last few weeks. I've been leaving the edits in place, but blocking the IPs for matching the plus sign vandal's MO. Until there was a set of edits that clearly connected this to the plus sign vandal (and also to bot spamming), as detailed above under Proxy Vandalism, I'd just ignored edits like this. But now I'm taking it as an indication that the IP is under the control of this bot and therefore if left unblocked is as likely to later vandalize or spam the site as any of the IPs actually caught damaging the site. --NepheleTalk 10:47, 11 July 2007 (EDT)

New Vandal

Right now I have about three IPs, which I'm assuming is the same vandal changing IPs. His edits usually have some sort of slang in lowercase. His IPs are 66.229.71.238, 205.188.117.138, 68.58.82.73. By now, he would have finished. Just a heads-up. --Brandol 05:06, 31 December 2007 (EST)

Thanks for cleaning up those edits. However, other than the timing there's not much to make it clear that they're all the same editor, nor does it really change how to deal with the editor(s). Which is, basically, place a warning on each IP's talk page and wait to see whether the IP is used for repeated vandalism, at which point an admin will block the account. You are free to add warnings whenever you feel it's appropriate; see Messages for the standard warning messages. And adding the warning is more effective overall than making a post on this page: the first place an admin checks when seeing that an IP has vandalized a page is that IP's talk page to see whether the IP had previously been warned (i.e., we just look to see whether the IP's talk page link is red or blue). For more information, you might want to look at UESPWiki:Vandalism and UESPWiki:Blocking Policy. --NepheleTalk 12:43, 31 December 2007 (EST)

99Squires99

This user has been changing values on NPC's statistics pages... I can't say for sure if this is being done on purpose with the intent of vandalism or whether this user is simply *very* misinformed. One quick look at this user's contribution page points toward vandalism. Thanks.--Mptrj 03:55, 25 August 2009 (UTC)

Bots, I assume

There were a couple of anonymous users who vandalized a couple of pages. I assume they are bots, given that they replaced every page with the same text, so they probably should all be blocked. I know bots shouldn't receive a warning, but I gave all of them a warning just to be sure. Talk Wolok gro-Barok Contributions 10:57, 15 September 2009 (UTC)

Thanks for reverting all that, Wolok! I've zapped them all for now, but I won't be able to do much more because I have to go to work. Hopefully it'll slow down :). Thanks again! –Eshetalk 12:26, 15 September 2009 (UTC)
Also, while I know you mean well with the warnings, you're actually making it more difficult for us to deal with them -- in particular, it's more work to make sure that all of the IPs have been blocked. Not to mention, it's more work for you ;) --NepheleTalk 14:42, 15 September 2009 (UTC)
So, when several editors with different IPs vandalize the site, it is better if we do nothing at all? Except reverting the edits? Krusty 16:03, 15 September 2009 (UTC)
Usually you can tell. If the edit has bot-like qualities (replacing sections with random strings of letters), then it might be best to not warn them and notify an administrator. You can also run searches with Google and see if anything suspicious pops up. It is partially a gut call, but for the most part you can differentiate humans from bots. –Elliot talk 16:06, 15 September 2009 (UTC)
I see. When the site was attacked this afternoon, I was at work and just reacted like usual - reverting and warning. Never even saw the long list of similar edits on the RC, just the six edits of blanking. Krusty 16:10, 15 September 2009 (UTC)
If you're not sure, or if you don't realize the edits might be from a bot, then add a warning message as usual. But at this point, anyone who has read this discussion can safely assume that an edit that replaces part of a page with doors.txt;10;15 is a nonsense bot. Just including "nonsense bot" in the edit summary of the undo is generally going to be enough to let an admin know that the IP needs to be blocked.
This is something we've been through a few times now: a nonsense bot will come up with some new, slightly different style of editing and will then suddenly make a ton of edits relatively quickly. Generally things slow down after a day or two. --NepheleTalk 17:32, 15 September 2009 (UTC)

Spam?

I wonder if this edit qualifies as spam, since the link does not appear to be UESPWiki-related. Tonyfoe does not sound like a "registered spammer" like Xiaoyuokok01 or Azci buy brahmi online cheap, but still... Talk Wolok gro-Barok Contributions 18:18, 6 October 2009 (UTC)

Technically spam even if the link is harmless (which I'm not going to test). -- Daveh 20:33, 6 October 2009 (UTC)
Yeah, I know that. I actually meant if this edit was a blockable offense. The link is harmless, but totally unrelated to UESPWiki. I just wondered whether Tonyfoe was a registered spammer. Talk Wolok gro-Barok Contributions 20:56, 6 October 2009 (UTC)
I'd warn, if he doesn't stop give him a temp block, then after that expires watch him closely, if he does it again, perma-block him. --ModderElGrande 10:53, 7 February 2010 (UTC)

Spam

Spammer adding links to some realtor's website on the mods page - not sure if that qualifies for a ban or not. I did press a warning here: http://www.uesp.net/wiki/User_talk:203.177.74.142 (not that bots read warnings).

G'day Walbert 15:38, 30 March 2010 (UTC)

Vandal Notice

ChampionQQ = permanently banned user Mike484 Dlarsh(T,C) 03:13, 23 June 2010 (UTC)

Section Protection

Sorry about leaving section protection on Mace Etiquette like I did last night. There was no admin available and 70.29.16.12 repeatedly edited incorrect info into that page. Later on, he created a new user Drnick and edited Bear Season with the same incorrect info. --Brf 12:38, 29 December 2010 (UTC)

Don't be sorry. While it is basically "against policy", sometimes it is the only solution; another strategy can be to let the "wrong info" hang around on the page for a couple of hours, then revert when the anon has left the building - although I realize it can be quite a challenge when other users keep reverting, basically starting an edit war. I blocked the anon and will keep an eye on the account. --Krusty 12:47, 29 December 2010 (UTC)

Spammer

Spammer 95.111.211.100

Done. --Krusty 15:45, 30 December 2010 (UTC)

AngieCrosby01

AngieCrosby01

Done. --Krusty 06:02, 10 January 2011 (UTC)

Vandal: 69.77.195.52

This IP made vulgar edits to both Shadowmere's page and my page after I warned him not to; he definitely deserves a block. Here's his IP again: 69.77.195.52. --Pwnageincarnate 01:48, 17 January 2011 (UTC)

Done for 3 hours; an Admin will have to make it longer if they feel it's necessary. Robin Hoodtalk 04:48, 17 January 2011 (UTC)
Just for the record; I almost chose to leave it at a 3-hour Block for now as the anon had about 2 minutes to read his warning and then stopped. My decision for the short 2-day block is based solely on the fact that he started harassing Pwnageincarnate, who handed out the warning in the first place. --Krusty 07:46, 17 January 2011 (UTC)
Yes, that was my thinking as well. Robin Hoodtalk 08:42, 17 January 2011 (UTC)

Spam bot

195.84.48.28

Done. --Krusty 07:54, 2 February 2011 (UTC)

Is this ok?

The user ObsidianNoxid recently made several revisions to the Chameleon and invisibility pages that aren't at all helpful. I issued a Vandalism: Blanking warning, but I don't know if that's the correct course of action, or if more needs to be done. Thoughts? (His contrib log is here: Special:Contributions/ObsidianNoxid) — Unsigned comment by Apollo Quinn (talk · contribs) on 15 April 2011

I think it's inexperience rather than intent. The edits were bad, but you can see what he was trying to do. rpeh •TCE 12:04, 15 April 2011 (UTC)
I didn't really understand it, which is why I didn't go for good faith. :/ Did I do the right thing though? Apollo Quinn 15:23, 15 April 2011 (UTC)
You left a polite message and links to help him out. You did the right thing ~ Dwarfmp 15:40, 15 April 2011 (UTC)

Oversight Request

Our friend the "N-word" vandal has paid a visit. Would it be necessary to oversight his recent edits? Also, the IP needs to be perma'd by an admin - currently the block is only in effect for four hours. --Legoless 17:07, 5 August 2011 (UTC)

Done and done. I don't think there's a problem using oversight here - this is why we installed it after all. rpeh •TCE 17:20, 5 August 2011 (UTC)

Ukrainian Spam-bot

So, anyone watching the Recent Changes has probably noticed a series of spam edits to the Admin Noticeboard page this morning. Just for kicks, I did an IP trace on them, and so far 2 out of 3 of them are from the Ukraine. (One claims to be from Pennsylvania, but I'd be surprised if it weren't somehow related.) At any rate, I figured I'd just document these here in case the information proves useful. Feel free to add to this list as more occur. --TheRealLurlock Talk 13:02, 19 January 2012 (UTC)

Pull Out the Banhammer!

This user: Special:Contributions/75.161.57.98. It doesn't look like anyone will get on any time soon, so odds are they'll be long gone by the time you read this. Just thought I'd mention it, just in case. • JATalk 01:39, 20 April 2012 (UTC)