[MediaWiki-l] Off topic: Wiki spammer is using spoofed IP addresses???

Al Johnson
I am surprised to see that a spammer is spoofing his IP address.  I got some spam from 200.90.74.226 - "226" is out of range for IPs and so isn't even a valid IP address.  I confirmed that the number is not a wiki username and the Apache log shows the same IP.  It appears maybe the spammer's script has a bug and is not range-checking the generated numbers, which made it obvious that the IP is spoofed; otherwise I would never have noticed.

I thought IP spoofing was a fairly sophisticated tactic and didn't expect to see a common wiki spammer using it, or am I wrong?  I'm also surprised Apache even allowed the connection, much less the Amazon AWS firewall.  Am I missing something?

Al
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Re: Off topic: Wiki spammer is using spoofed IP addresses???

Benjamin Lees
On Fri, Oct 24, 2014 at 3:25 PM, Al <[hidden email]> wrote:

> "226" is out of range for IPs and so isn't even a valid IP address.
>

I don't think that's correct.  The max is 255, not 225.

Re: Off topic: Wiki spammer is using spoofed IP addresses???

John Doe-27
In reply to this post by Al Johnson
The IP address belongs to CANTV Servicios, which I have seen a LOT of spam
from recently.


Re: Off topic: Wiki spammer is using spoofed IP addresses???

Arcane 21
Spammers might be using something similar to the IPfuck Firefox/Chrome extension, which fakes an IP address instead of allowing the real IP to be recorded. Not sure how we can defend against that sort of thing at present.


Re: Off topic: Wiki spammer is using spoofed IP addresses???

OQ
That extension only fools misconfigured webservers. You don't blindly accept
X-Forwarded-For, VIA, or Client-IP as the 'real' IP.

On Fri, Oct 24, 2014 at 4:34 PM, Arcane 21 <[hidden email]> wrote:

> Spammers might be using something similar to the IPfuck Firefox/Chrome
> extension, which fakes an IP address instead of allowing the real IP to be
> recorded, not sure how we can defend against that sort of thing at present.

Re: Off topic: Wiki spammer is using spoofed IP addresses???

Chris Steipp
In reply to this post by Arcane 21
On Fri, Oct 24, 2014 at 1:34 PM, Arcane 21 <[hidden email]> wrote:
> Spammers might be using something similar to the IPfuck Firefox/Chrome extension, which fakes an IP address instead of allowing the real IP to be recorded, not sure how we can defend against that sort of thing at present.

MediaWiki doesn't trust the XFF header unless it's from a trusted
proxy, so the user's real IP would be reported.


Re: Off topic: Wiki spammer is using spoofed IP addresses???

Jeremy Baron
In reply to this post by Arcane 21
On Oct 24, 2014 4:34 PM, "Arcane 21" <[hidden email]> wrote:
> Spammers might be using something similar to the IPfuck Firefox/Chrome
> extension, which fakes an IP address instead of allowing the real IP to be
> recorded, not sure how we can defend against that sort of thing at present.

you're doing something wrong if you're vulnerable to this.

http://ipflood.paulds.fr/ says:
> when sending a request to a server you will provide several information
> about your IP address : three of them come from the Application Layer and
> the last one comes from the Transport Layer. This last one I can't modify :
> you wouldn't get the answer to your request if that was done. But the three
> others can be overwritten without any consequence to your browsing...

( https://addons.mozilla.org/en-US/firefox/addon/ipflood/ is the same thing)

See also https://meta.wikimedia.org/wiki/XFF_project

-Jeremy
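
The rule stated in the replies above (use the transport-layer peer address, and honour X-Forwarded-For only when the peer is a trusted proxy), sketched in Python as an added example that is not part of the thread and not MediaWiki's own code. The `TRUSTED_PROXIES` range and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed example: one reverse-proxy tier on a private network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(remote_addr, xff_header=None, trusted=TRUSTED_PROXIES):
    """Pick the address to log for a request.

    remote_addr is the TCP peer (transport layer). xff_header is the raw
    X-Forwarded-For value (application layer), which the client controls
    unless a trusted proxy wrote it.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("bad peer address: %r" % (remote_addr,))
    # Untrusted peer: the header is attacker-supplied, so ignore it.
    if not xff_header or not is_trusted(peer, trusted):
        return str(peer)
    # Walk the chain right to left. Each trusted proxy vouches only for the
    # entry it appended, so stop at the first hop that is not a trusted proxy.
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        addr = parse_ip(hop)
        if addr is None:
            break  # malformed entry (e.g. an octet above 255): stop here
        candidate = addr
        if not is_trusted(addr, trusted):
            break
    return str(candidate)
```

Anything a client places to the left of the first untrusted hop is never reached, so a forged header entry cannot replace the logged address.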

Re: Off topic: Wiki spammer is using spoofed IP addresses???

Al Johnson
In reply to this post by Benjamin Lees
DOH!  My apologies...  dang old brain of mine.

