[SAC] another ongoing spam storm

strk · May 4, 2016, 8:52am

On Wed, May 04, 2016 at 10:44:11AM +0200, Sandro Santilli wrote:

On Wed, May 04, 2016 at 10:24:39AM +0200, Even Rouault wrote:

> Instead of custom solutions, what about installing
> SpamFilter – The Trac Project ? I think this has been mentionned
> recently. This would seem to be the appropriate solution. Or at least
> something to try.

Could you please see if a ticket for this already exist and, if not,
file one ?

I found there's also a "Trac Spam" section on the wiki, in case you
want to add something:
https://wiki.osgeo.org/wiki/Trac_Instances#Trac_Spam

--strk;

rouault · May 4, 2016, 8:58am

Le mercredi 04 mai 2016 10:44:11, Sandro Santilli a écrit :

On Wed, May 04, 2016 at 10:24:39AM +0200, Even Rouault wrote:
> Le mercredi 04 mai 2016 10:20:49, Sandro Santilli a écrit :
> > On Wed, May 04, 2016 at 10:04:06AM +0200, Even Rouault wrote:
> > > Le mardi 03 mai 2016 23:02:45, Martin Spott a écrit :
> > > > On Tue, May 03, 2016 at 08:04:24PM +0200, Sandro Santilli wrote:
> > > > > And:
> > > > These have been removed from OSGeo LDAP.
> > > > I'll try to come up with a more convenient command line solution
> > > > this weekend, until then I'll be at your service as time permits.
> > >
> > > GDAL wiki just got spammed by "shadabmallick" 4 times in 5 minutes.
> > > Sigh... From my memories, it seems the spam contains the names
> > > "notron", "adnap", "eefacm", "gva" (I wrote them in reverse order to
> > > avoid undue advertizing) + "antivirus". Wondering if there's a way
> > > to have a blacklist of words disallowed in wiki pages ? We don't
> > > care about antivirus, do we ?
> >
> > I'm using SQL words matching to find spammers for blocking and
> > cleaning. Maybe I could try using table constraints to completely
> > forbid creating such pages. Not sure how trac code would react
> > to such constraint determined failures. If you want to test
> > ping me in #telascience and we can play with that idea.
>
> Instead of custom solutions, what about installing
> https://trac.edgewall.org/wiki/SpamFilter ? I think this has been
> mentionned recently. This would seem to be the appropriate solution. Or
> at least something to try.

Could you please see if a ticket for this already exist and, if not,
file one ?

Spamfilter was mentionned in https://trac.osgeo.org/osgeo/ticket/1121 .

--strk;

--
Spatialys - Geospatial professional services
http://www.spatialys.com

strk · May 4, 2016, 9:19am

On Wed, May 04, 2016 at 10:58:09AM +0200, Even Rouault wrote:

Spamfilter was mentionned in #1121 (Spam on GeoNetwork WIKI in trac - please block user) – OSGeo .

Mentioned is not the same as targetted.
Ticket #1121 is about blocking a user ('NewtonKing'), who's still
existing, btw.

Reading the ticket is instructive though, expecially comment:4

--strk;

strk · May 4, 2016, 9:51am

And:

+('NewtonKing'),

--strk;

On Wed, May 04, 2016 at 10:46:29AM +0200, Sandro Santilli wrote:

On Tue, May 03, 2016 at 11:02:45PM +0200, Martin Spott wrote:
> On Tue, May 03, 2016 at 08:04:24PM +0200, Sandro Santilli wrote:
> > And:
>
> These have been removed from OSGeo LDAP.
> I'll try to come up with a more convenient command line solution this
> weekend, until then I'll be at your service as time permits.

Today I found these other accounts:

  +('dahiyankur'),
  +('8009875476'),
  +('anshu166'),
  +('bolandoe'),
  +('dahiyankur'),
  +('kumar1212'),
  +('mackhill88'),
  +('nehajay'),
  +('rajababa'),
  +('shadabmallick'),
  +('turbotax'),
  +('wilson91'),

I've put your IRC-mentioned commandline on the wiki:
SAC:LDAP - OSGeo
but it isnt clear to me if a password is always needed or only
from some machines or with some privileges (see the initial paragraph
on the wiki).

strk · May 4, 2016, 9:56am

And:

  +('fasfafaraa'),
  +('kirti44'),
  +('lolapola'),
  +('microprocessor'),
  +('microprocessor '),
  +('mozillaseven'),
  +('mozillathree'),
  +('nattu'),

--strk;

On Wed, May 04, 2016 at 11:51:32AM +0200, Sandro Santilli wrote:

And:

+('NewtonKing'),

--strk;

On Wed, May 04, 2016 at 10:46:29AM +0200, Sandro Santilli wrote:
> On Tue, May 03, 2016 at 11:02:45PM +0200, Martin Spott wrote:
> > On Tue, May 03, 2016 at 08:04:24PM +0200, Sandro Santilli wrote:
> > > And:
> >
> > These have been removed from OSGeo LDAP.
> > I'll try to come up with a more convenient command line solution this
> > weekend, until then I'll be at your service as time permits.
>
> Today I found these other accounts:
>
> +('dahiyankur'),
> +('8009875476'),
> +('anshu166'),
> +('bolandoe'),
> +('dahiyankur'),
> +('kumar1212'),
> +('mackhill88'),
> +('nehajay'),
> +('rajababa'),
> +('shadabmallick'),
> +('turbotax'),
> +('wilson91'),
>
> I've put your IRC-mentioned commandline on the wiki:
> SAC:LDAP - OSGeo
> but it isnt clear to me if a password is always needed or only
> from some machines or with some privileges (see the initial paragraph
> on the wiki).

strk · May 4, 2016, 10:39am

And:

  +('prachi123'),
  +('lardenspams'),
  +('gmail2'),
  +('karmmsee855'),
  +('rampa013'),
  +('gocirero'),
  +('rahul456'),
  +('jejus'),

--strk;

On Wed, May 04, 2016 at 11:56:05AM +0200, Sandro Santilli wrote:

And:

  +('fasfafaraa'),
  +('kirti44'),
  +('lolapola'),
  +('microprocessor'),
  +('microprocessor '),
  +('mozillaseven'),
  +('mozillathree'),
  +('nattu'),

--strk;

On Wed, May 04, 2016 at 11:51:32AM +0200, Sandro Santilli wrote:
> And:
>
> +('NewtonKing'),
>
> --strk;
>
> On Wed, May 04, 2016 at 10:46:29AM +0200, Sandro Santilli wrote:
> > On Tue, May 03, 2016 at 11:02:45PM +0200, Martin Spott wrote:
> > > On Tue, May 03, 2016 at 08:04:24PM +0200, Sandro Santilli wrote:
> > > > And:
> > >
> > > These have been removed from OSGeo LDAP.
> > > I'll try to come up with a more convenient command line solution this
> > > weekend, until then I'll be at your service as time permits.
> >
> > Today I found these other accounts:
> >
> > +('dahiyankur'),
> > +('8009875476'),
> > +('anshu166'),
> > +('bolandoe'),
> > +('dahiyankur'),
> > +('kumar1212'),
> > +('mackhill88'),
> > +('nehajay'),
> > +('rajababa'),
> > +('shadabmallick'),
> > +('turbotax'),
> > +('wilson91'),
> >
> > I've put your IRC-mentioned commandline on the wiki:
> > SAC:LDAP - OSGeo
> > but it isnt clear to me if a password is always needed or only
> > from some machines or with some privileges (see the initial paragraph
> > on the wiki).

strk · May 4, 2016, 2:19pm

And:

+('falaana2016'),

--strk;

On Wed, May 04, 2016 at 12:39:11PM +0200, Sandro Santilli wrote:

And:

  +('prachi123'),
  +('lardenspams'),
  +('gmail2'),
  +('karmmsee855'),
  +('rampa013'),
  +('gocirero'),
  +('rahul456'),
  +('jejus'),

--strk;

On Wed, May 04, 2016 at 11:56:05AM +0200, Sandro Santilli wrote:
> And:
>
> +('fasfafaraa'),
> +('kirti44'),
> +('lolapola'),
> +('microprocessor'),
> +('microprocessor '),
> +('mozillaseven'),
> +('mozillathree'),
> +('nattu'),
>
> --strk;
>
> On Wed, May 04, 2016 at 11:51:32AM +0200, Sandro Santilli wrote:
> > And:
> >
> > +('NewtonKing'),
> >
> > --strk;
> >
> > On Wed, May 04, 2016 at 10:46:29AM +0200, Sandro Santilli wrote:
> > > On Tue, May 03, 2016 at 11:02:45PM +0200, Martin Spott wrote:
> > > > On Tue, May 03, 2016 at 08:04:24PM +0200, Sandro Santilli wrote:
> > > > > And:
> > > >
> > > > These have been removed from OSGeo LDAP.
> > > > I'll try to come up with a more convenient command line solution this
> > > > weekend, until then I'll be at your service as time permits.
> > >
> > > Today I found these other accounts:
> > >
> > > +('dahiyankur'),
> > > +('8009875476'),
> > > +('anshu166'),
> > > +('bolandoe'),
> > > +('dahiyankur'),
> > > +('kumar1212'),
> > > +('mackhill88'),
> > > +('nehajay'),
> > > +('rajababa'),
> > > +('shadabmallick'),
> > > +('turbotax'),
> > > +('wilson91'),
> > >
> > > I've put your IRC-mentioned commandline on the wiki:
> > > SAC:LDAP - OSGeo
> > > but it isnt clear to me if a password is always needed or only
> > > from some machines or with some privileges (see the initial paragraph
> > > on the wiki).
_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
Sac Info Page

strk · May 4, 2016, 3:54pm

And (mapbender and proj4js under attack):

+('ajayrudelee'),
+('anisingh3'),
+('ayank'),
+('c1528071'),
+('chromeseven'),
+('cohnema'),
+('daber123'),
+('dinesh02'),
+('forprabhat3'),
+('gmail4'),
+('james45124'),
+('monusharma'),
+('mozillatwo'),
+('polakson25'),
+('rampyariseo91'),
+('ranatunga'),
+('ravissss'),
+('samarraj2'),
+('saurav110'),
+('twchelpline'),
+('user05'),
+('vicky'),
+('websupport'),
+('willium'),

--strk;

On Wed, May 04, 2016 at 04:19:06PM +0200, Sandro Santilli wrote:

And:

+('falaana2016'),

--strk;

On Wed, May 04, 2016 at 12:39:11PM +0200, Sandro Santilli wrote:
> And:
>
> +('prachi123'),
> +('lardenspams'),
> +('gmail2'),
> +('karmmsee855'),
> +('rampa013'),
> +('gocirero'),
> +('rahul456'),
> +('jejus'),
>
> --strk;
>
> On Wed, May 04, 2016 at 11:56:05AM +0200, Sandro Santilli wrote:
> > And:
> >
> > +('fasfafaraa'),
> > +('kirti44'),
> > +('lolapola'),
> > +('microprocessor'),
> > +('microprocessor '),
> > +('mozillaseven'),
> > +('mozillathree'),
> > +('nattu'),
> >
> > --strk;
> >
> > On Wed, May 04, 2016 at 11:51:32AM +0200, Sandro Santilli wrote:
> > > And:
> > >
> > > +('NewtonKing'),
> > >
> > > --strk;
> > >
> > > On Wed, May 04, 2016 at 10:46:29AM +0200, Sandro Santilli wrote:
> > > > On Tue, May 03, 2016 at 11:02:45PM +0200, Martin Spott wrote:
> > > > > On Tue, May 03, 2016 at 08:04:24PM +0200, Sandro Santilli wrote:
> > > > > > And:
> > > > >
> > > > > These have been removed from OSGeo LDAP.
> > > > > I'll try to come up with a more convenient command line solution this
> > > > > weekend, until then I'll be at your service as time permits.
> > > >
> > > > Today I found these other accounts:
> > > >
> > > > +('dahiyankur'),
> > > > +('8009875476'),
> > > > +('anshu166'),
> > > > +('bolandoe'),
> > > > +('dahiyankur'),
> > > > +('kumar1212'),
> > > > +('mackhill88'),
> > > > +('nehajay'),
> > > > +('rajababa'),
> > > > +('shadabmallick'),
> > > > +('turbotax'),
> > > > +('wilson91'),
> > > >
> > > > I've put your IRC-mentioned commandline on the wiki:
> > > > SAC:LDAP - OSGeo
> > > > but it isnt clear to me if a password is always needed or only
> > > > from some machines or with some privileges (see the initial paragraph
> > > > on the wiki).
> _______________________________________________
> Sac mailing list
> Sac@lists.osgeo.org
> Sac Info Page

--

() Free GIS & Flash consultant/developer
/\ strk's services

Alex_M · May 4, 2016, 5:28pm

On 05/04/2016 05:19 AM, Sandro Santilli wrote:

On Wed, May 04, 2016 at 10:58:09AM +0200, Even Rouault wrote:

Spamfilter was mentionned in https://trac.osgeo.org/osgeo/ticket/1121 .

Mentioned is not the same as targetted.
Ticket #1121 is about blocking a user ('NewtonKing'), who's still
existing, btw.

Reading the ticket is instructive though, expecially comment:4

--strk;
_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/sac

I tried to install it yesterday, easy_install threw an error. So if
someone wants to try another way to install go for it. Wasn't clear if
it's maintained or not...

Thanks,
Alex

strk · May 4, 2016, 6:24pm

And (ossim and geos under attack):

  +('gmail5'),
  +('chromeeight'),
  +('karmmsee855'),

--strk;

On Wed, May 04, 2016 at 05:54:06PM +0200, Sandro Santilli wrote:

And (mapbender and proj4js under attack):

+('ajayrudelee'),
+('anisingh3'),
+('ayank'),
+('c1528071'),
+('chromeseven'),
+('cohnema'),
+('daber123'),
+('dinesh02'),
+('forprabhat3'),
+('gmail4'),
+('james45124'),
+('monusharma'),
+('mozillatwo'),
+('polakson25'),
+('rampyariseo91'),
+('ranatunga'),
+('ravissss'),
+('samarraj2'),
+('saurav110'),
+('twchelpline'),
+('user05'),
+('vicky'),
+('websupport'),
+('willium'),

--strk;

On Wed, May 04, 2016 at 04:19:06PM +0200, Sandro Santilli wrote:
> And:
>
> +('falaana2016'),
>
> --strk;
>
> On Wed, May 04, 2016 at 12:39:11PM +0200, Sandro Santilli wrote:
> > And:
> >
> > +('prachi123'),
> > +('lardenspams'),
> > +('gmail2'),
> > +('karmmsee855'),
> > +('rampa013'),
> > +('gocirero'),
> > +('rahul456'),
> > +('jejus'),
> >
> > --strk;
> >
> > On Wed, May 04, 2016 at 11:56:05AM +0200, Sandro Santilli wrote:
> > > And:
> > >
> > > +('fasfafaraa'),
> > > +('kirti44'),
> > > +('lolapola'),
> > > +('microprocessor'),
> > > +('microprocessor '),
> > > +('mozillaseven'),
> > > +('mozillathree'),
> > > +('nattu'),
> > >
> > > --strk;
> > >
> > > On Wed, May 04, 2016 at 11:51:32AM +0200, Sandro Santilli wrote:
> > > > And:
> > > >
> > > > +('NewtonKing'),
> > > >
> > > > --strk;
> > > >
> > > > On Wed, May 04, 2016 at 10:46:29AM +0200, Sandro Santilli wrote:
> > > > > On Tue, May 03, 2016 at 11:02:45PM +0200, Martin Spott wrote:
> > > > > > On Tue, May 03, 2016 at 08:04:24PM +0200, Sandro Santilli wrote:
> > > > > > > And:
> > > > > >
> > > > > > These have been removed from OSGeo LDAP.
> > > > > > I'll try to come up with a more convenient command line solution this
> > > > > > weekend, until then I'll be at your service as time permits.
> > > > >
> > > > > Today I found these other accounts:
> > > > >
> > > > > +('dahiyankur'),
> > > > > +('8009875476'),
> > > > > +('anshu166'),
> > > > > +('bolandoe'),
> > > > > +('dahiyankur'),
> > > > > +('kumar1212'),
> > > > > +('mackhill88'),
> > > > > +('nehajay'),
> > > > > +('rajababa'),
> > > > > +('shadabmallick'),
> > > > > +('turbotax'),
> > > > > +('wilson91'),
> > > > >
> > > > > I've put your IRC-mentioned commandline on the wiki:
> > > > > SAC:LDAP - OSGeo
> > > > > but it isnt clear to me if a password is always needed or only
> > > > > from some machines or with some privileges (see the initial paragraph
> > > > > on the wiki).

Martin_Spott · May 8, 2016, 12:17pm

On Wed, May 04, 2016 at 08:24:21PM +0200, Sandro Santilli wrote:

And (ossim and geos under attack):

Removed all I saw in two EMail threads from OSGeo LDAP,

Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

strk · May 9, 2016, 12:02pm

On Sun, May 08, 2016 at 02:17:38PM +0200, Martin Spott wrote:

On Wed, May 04, 2016 at 08:24:21PM +0200, Sandro Santilli wrote:

> And (ossim and geos under attack):

Removed all I saw in two EMail threads from OSGeo LDAP,

I can still find some users which I reported in this message:

Message-ID: <20160506184740.GE27838@localhost>

For example: 'andrusmith4' and 'chrometen'
The 'andrusmith4' was found this morning to have authenticated
cookies. Is it useful if I send you the full list again for
double-checking it ? Or you can obtain it from TracSVN using:

grep '^(' /osgeo/tools/trac/emergency_clean.sql |
sed "s/('\(.*\)').*/\1/"

--strk;