jducoeur: (Default)
jducoeur ([personal profile] jducoeur) wrote2006-06-01 09:31 am
  • Add Memory
  • Share This Entry
Entry tags:

There are very few categories of people who I would line up against a wall and have shot...

... but Russian spammers have managed to make their way into that list.

I just discovered that the Rolls Ethereal have been vandalized -- utterly, meticulously and very intentionally destroyed -- by a spammer. Special. Not going to be simple to recover, either, since the bad data is interleaved with the good in the logs. In theory, I can fix this; in practice, it hasn't been done before, and some of the tools I need don't exist yet (I added the logging facility a long time ago, but not the tool to recover from the logs), so a bunch of time that was going to be spent on wiki-tech instead has to be spent on the Rolls. What fun.

Anybody know a good captcha package for Perl that I can drop in here?
Flat | Top-Level Comments Only

[identity profile] cvirtue.livejournal.com 2006-06-01 01:34 pm (UTC)(link)
Man, that sucks. Condolences.

[identity profile] patsmor.livejournal.com 2006-06-01 02:04 pm (UTC)(link)
Yes, sucks substantially. I'm just sorry I can't be of any use in restoring it.
jducoeur: (Default)

[personal profile] jducoeur 2006-06-01 07:08 pm (UTC)(link)
Thanks. This is mostly down to improving my tools, putting in some real security measures. I've managed to avoid the need for that for over a decade now, because there hasn't been any motivation for anyone to vandalize the Rolls on a small scale. But now, with these big automated spam farms being run by blithering idiots who don't know how useless it is, I don't seem to have any choice.

(Of course, the first step is going through the logs, and removing all the spam entries. Fortunately, this turns out to be remarkably easy -- I think I'm managing pretty high accuracy at a scan rate of about 3 entries per second...)
tpau: (Default)

stupid other login

[personal profile] tpau 2006-06-01 01:40 pm (UTC)(link)
what did they do to them? andis it in russian?
jducoeur: (Default)

Re: stupid other login

[personal profile] jducoeur 2006-06-01 04:49 pm (UTC)(link)
Not in Russian per se, but there are a fair number of links back to Russian sites according to the person who pointed it out to me, and the style matches the wikispam that is (AFAIK) mostly coming out of Russia these days...
tpau: (Default)

Re: stupid other login

[personal profile] tpau 2006-06-01 04:50 pm (UTC)(link)
what IS wikispam?
jducoeur: (Default)

Re: stupid other login

[personal profile] jducoeur 2006-06-01 04:59 pm (UTC)(link)
See other comment...
jducoeur: (Default)

Re: stupid other login

[personal profile] jducoeur 2006-06-01 04:58 pm (UTC)(link)
Oh, and as for what they did -- lots of stuff. It looks like they were originally just adding sporadic bogus entries that would link to their paid websites. Then, probably sometime recently, someone went through and automated the whole thing, deleting all the real entries and adding literally tens of thousands of bogus ones pointing to their customers.

It's standard wikispam stuff: they stuff a real website full of their BS, all as interlinked as they can get it, to drive up the Google ratings of their customers. Unclear how well it actually works, but it's big business nowadays. It's why wikis are in a constant arms race against the vandals these days...
jducoeur: (Default)

Re: stupid other login

[personal profile] jducoeur 2006-06-01 07:05 pm (UTC)(link)
Followup: and as I go through the DB, a remarkably large number of the entries even *say* that they are from Ukraine or Russia. Heaven only knows what they think they're gaining by admitting it...
tpau: (Default)

Re: stupid other login

[personal profile] tpau 2006-06-01 07:11 pm (UTC)(link)
they may be putting real names and adressesintowhat htey htik is a searchable db,, thus spreadignthemj aroudnteh net? no idea. they might also just be bored 13 year olds in russia with little better to do.

remember currently russia has no enforsible laws, noone enforcing anythign and almost no acountability. whee
jducoeur: (Default)

Re: stupid other login

[personal profile] jducoeur 2006-06-01 07:45 pm (UTC)(link)
Yep -- AFAIK, that's why it's become a haven for these spammers.

Speaking of which: is "Koshkitko" a real Russian name? Or does it mean something? It's showing up in the name field of a large number of the bogus entries, and I'm curious whether it's the hack-handle of the person behind those particular entries...
tpau: (Default)

Re: stupid other login

[personal profile] tpau 2006-06-01 07:46 pm (UTC)(link)
it can be a name, Ukranian in origin judging by the 'ko' ending...

[identity profile] herooftheage.livejournal.com 2006-06-01 02:50 pm (UTC)(link)
I take it restoring a backup from a date before but as close to the vandalism as possible is not a viable option?
jducoeur: (Default)

[personal profile] jducoeur 2006-06-01 04:55 pm (UTC)(link)
Unfortunately, it wasn't a single incident -- it appears that they originally noticed it a while ago, and then gradually vandalized it over some time, interleaves with genuine changes. So there's no single clean snapshot. (The danger of the Rolls being as well-automated as they are is that I don't need to pay a lot of day-to-day attention to them -- this has probably been brewing over the course of several months, although I suspect that the real wipeout was within the past few days.)

Fortunately, I long ago implemented a detailed logging tool, which tracks all changes. So the theory is that I should be able to edit all of the undesired modifications out of that log, apply it to the last known clean backup, and get a clean state. The only snags there are that (a) the last known clean backup was a *long* time ago, so there's a lot of data to hand-screen, and (b) the tool for applying the log entries hasn't been written yet.

So there's a fair pile of scutwork that needs to be done before I have a clean DB again. Worse, I need to add a good deal of infrastructure to make sure this doesn't happen again, which is going to be a pain in the ass. (Sadly, I think I'm going to have to make the Rolls at least lightly moderated...)

[identity profile] learnedax.livejournal.com 2006-06-01 07:01 pm (UTC)(link)
There are a couple of captcha packages on CPAN, but I have no experience using any of them. CGI::Application::Plugin::CAPTCHA looks promising.

Are the source IPs of the changes filterable in some way? All associated with domains in *.ru where nothing else is, or the like? That'd speed things up considerably...
jducoeur: (Default)

[personal profile] jducoeur 2006-06-01 07:10 pm (UTC)(link)
Odds are that I could do some sort of filtering based on the source IPs (I do capture the domain name or IP address when possible), but it wouldn't be as accurate as doing it by hand. And I suspect that it's going to be faster to edit the file by hand than to build an automated solution -- both the spam and the real entries are remarkably distinctive in look and feel, with the result that it is proving a surprisingly quick between-edits job...
laurion: (Default)

[personal profile] laurion 2006-06-01 07:15 pm (UTC)(link)
Not readily available for perl, but you want to drop in http://www.kittenauth.com/

*grin*
jducoeur: (Default)

[personal profile] jducoeur 2006-06-01 07:48 pm (UTC)(link)
Oh, that's delightful. Moreover, it might even be modestly effective, if the database of pictures and categories is large enough. (But like captchas, it appears to have serious accessibility problems...)

Accessibility

[identity profile] metageek.livejournal.com 2006-06-02 01:26 pm (UTC)(link)
I suspect you'd need to have an alternative approach for accessibilty; maybe something like an A:B :: C : ? test.
Flat | Top-Level Comments Only