User talk:A. B./September 2007

Thank you
Hello! Thank you for the message. I'll be waiting for him :). Don't worry. See you --Humberto, Mex. 18:35, 1 September 2007 (UTC)


 * Reference:
 * es:Usuario Discusión:Humberto, Mex.
 * -- A. B. (talk) 02:28, 12 September 2007 (UTC)

Defender of the Wiki Ribbon
as always, great work!--Hu12 23:39, 3 September 2007 (UTC)


 * Thanks! This makes my day. -- A. B. (talk) 01:54, 4 September 2007 (UTC)

Looking for advice
A.B., sorry to bother you - I really appreciated your helpful advice the fake "official sites" at WT:WPSPAM the other day. I've run across the same (or a similar) problem and it's a little too big for me to handle alone, though I'm definitely willing to help. Look at the contribs of this IP, working their way through 'L' on a list of models/actresses. These sites are pure, 100% copyvio. I've watched similar sites in the past - it looks like they currently don't contain Google ads, but these will turn up on the pages later, I guarantee it. If you follow the links pages through a couple of layers, you will find hundreds of these copyvio pages.

A couple of stupid questions - how do I find out an AdSense ID for a site? And do I have to be a subscriber to Domain Tools to use the history lookup features? (Still trying to figure out that part.) Are there any real actions that can be taken here, and what sort of a case do I have to put together to get action? I'm not a professional spam fighter, I just try to do the right thing by reporting when spam turns up in articles in my watchlist. I'm definitely willing to help work on this, I'm just not sure how to get started or what path to follow. I appreciate any time you can spare me. With respect - Videmus Omnia Talk  14:48, 7 September 2007 (UTC)


 * First, I'm no pro -- just another volunteer who finds the really hard cases interesting puzzles to sort out.


 * If there are no Google ads, there's no adsense # to find. The spamdexing world is a complex ecosystem of different people registering domains, developing sites, building traffic, milking sites, etc. There are site sales going on throughout that whole development chain. Some players just register potentially popular domains for resale. Others develop sites to sell. Take a look at this link to get a feel:
 * http://www.sitepoint.com/marketplace/search.php?searchstring=wikipedia


 * So as you've noticed, a site with no ads may get a ton of them a little later. It's all about the site-owner's "monetization" strategy -- selling sites to others, harvesting ad revenue, selling worthless books and marketing schemes, commissions off referrals to others' sites, etc. The guy you've fingered is not doing all this out of love, trust me. He'll either add some ads or sell the sites to someone who will. That, or he'll use ad-less sites to drive traffic and/or search engines to other sites he owns.


 * As for tracking down this guy's other sites, I'd start with the links he conveniently left at the bottom of his pages
 * www.laraflynnboyle.org/videos.
 * www.laraflynnboyle.org/news.html
 * www.laraflynnboyle.org/downloads.html
 * www.laraflynnboyle.org
 * www.laraflynnboyle.org/links.html -- conveniently summarizes the links on the other laraflynnboyle.org pages


 * When this tool's working, it's useful to see if this user is cross-wiki spamming:
 * http://tools.wikimedia.de/~luxo/contributions/contributions.php?
 * The tool's down today. If the spam has been posted cross-wiki, then it should be blacklisted across all Wikimedia Foundation projects by listing it at: meta:Talk:Spam blacklist. You can also look for links on other wikipedias by using:
 * http://tools.wikimedia.de/~eagle/linksearch
 * Note that a link's presence on another project does not automatically make it cross-wiki spammed. Some smaller projects import articles or pieces of articles (such as whole external links sections) from bigger projects like en.wikipedia or de.wikipedia which they then translate and adapt over time.


 * For something this big, I'll start out with a text editor page open and copy all the domains I find to that page. The same with user names and IPs. When I've got all the info I can find easily, then I'll create a user subpage like User:A. B./Sandbox16 to paste this data into for further analysis. I encapsulate the user accounts and spam domains into these homemade templates I developed (I like them a little more than the standard official templates):
 * {{User:A. B./spam}
 * Does this show up on any of the Veinor suppages from Jan-May 2007 of links added to Wikipedia? If so, the subpage will show who added it. (Note sometimes, the additions are just vandal reversions of page blanking and may be very innocent)
 * Google doesn't fully index the Veinor pages so I've included the standard Wikipedia search, which is not always very useful.
 * X-wiki spam search links
 * Google search the domain name (where else does it show up?)
 * The domain tools links are very handy
 * See User:A. B./spam for full details on usage.
 * {{User:A. B./IPwhois}
 * Does this IP appear on any Internet blacklists (note, results require interpretation!)
 * Google search IP to see where else it's been used
 * Look for x-wiki contributions
 * Traceroute, whois, etc.
 * See User:A. B./IPwhois for full details on usiage
 * {{User:A. B./UserSummary}
 * Similar to the above. Note sometimes that spammers use the same user names on seo forums, etc, so it's always interesting just to Google search the user name. That may turn up other domains or just some insights into just how good or bad faith the user is editing Wikipedia with. (Example, discussing how to spam us in some SEO forum probably means he knows our rules and we don't need to go through 3 more warnings before blacklisting his domains).
 * See User:A. B./UserSummary for full details on usage.


 * I look at site ownership at domaintools.com (yes, you need a free registration). This sometimes needs interpretation -- the site-owner may use a service like privacy guard or enom to mask the ownership. Or the listing may just show the hosting service like yahoo or whoever. Also, sometimes the site owner does his own obfuscation as a perusal of these domains will show; compare
 * http://whois.domaintools.com/aamnashariffwow.com
 * http://whois.domaintools.com/allseasons.us
 * Look at the phone number (no such area code), NYC street address and e-mail address for "Steve"
 * All the sites on this page share just two or three Adsense IDs but lots of different whois personnas. When in doubt, follow the money!


 * The domaintools page links to an aboutus.org page -- that's handy, too, especially:
 * List of related domains
 * Caveat: requires interpretation! This is just aboutus.org's bot's guess of related domains. It doesn't mean the sites share ownership!
 * If a domain is red-linked, go to it anyway and refresh your browser -- that may force the text to appear. If nothing else, you can still visit the actual site or plug it into domaintools.com even if it's redlinked on aboutus.org
 * "What links here"
 * Same caveats as for the "List of related domains" feature
 * Any whois data (but may not be up to date if domain recently sold)
 * Edit history if someone else besides Aboutus' bot has edited page. IP addresses may have also been used on Wikipedia.


 * What I'm describing can consume several hours and is only worth it if the problem is pretty big. It's not worth it if you end up with several hours work poured into a list of 50 other domains, none of which have been spammed. It is worth it if someone's hitting us with dozens of links from dozens of domains over many weeks or months.


 * I hope this helps. I've got to run; no time to proof so watch our for typos. Feel free to ask more questions. -- A. B. (talk) 16:25, 7 September 2007 (UTC)


 * P.S. Do you think any of this would be useful to others?


 * Take a look at the partial list at User:A. B./Sandbox16 for an example of what I mean. -- A. B. (talk) 05:07, 8 September 2007 (UTC)
 * Oh, wow - are those the links from the sites I told you about? It's worse than I thought. What can I do? I don't have a lot of free time this weekend, due to work, but should be able to jump in more in a few days. Your advice above is awesome, by the way - you really should think about writing an essay on using off-wiki tools for investigating complex spammer cases. Videmus Omnia Talk  17:26, 8 September 2007 (UTC)


 * "What can I do?"


 * This one is huge and it's it's tricky. Here are random observations, comments and questions:
 * The site owner uses a domain privacy service ("Moniker"), so it's impossible to see who really owns these.
 * Why are there "holes in the alphabet" in our list of spam domains? There are lots of domains we've found that start with "c", but none with "p". Does our spammer just not have any "p" sites yet? Or has he just not spammed them yet? Or have we just not found his spamming yet?
 * The site owner adds domains in "clumps". Typically he adds 15 to 30 in one session with one IP, which is then not used again.
 * The "Links" page on each spam site summarizes all the links listed on various other pages on the site.
 * "Links" pages are also organized in "clumps"; 10 or 20 sites in a series will all share an identical list of sites on their Links pages. There are usually 30 domains per Links page.
 * "Links" pages never point to sites in the same "clump" as the pointing page. In other words, the Links page for adriannepalicki.org will never have links for any other sites in the clump that contains adriannepalicki.org.
 * I haven't found any evidence of x-wiki spam.
 * Some of the domains appear on lists of domains expiring last spring. Our guy apparently registered them later this year after the original ownership lapsed. Maybe something about this accounts for the "clumpiness"; that or it's just the way our guy likes to work.


 * IPs adding these links:
 * 128.241.xxx.xxx IPs are registered to NTT America, Inc., which now owns Verio and a bunch of other ISPs in the U.S.
 * 207.195.xxx.xxx IPs are registered to Global Tac, LLC . Traceroutes pass through] ntt.net. When I look at http://www.globetac.net, I find a one-page web site. A Google search on "globetac.net" turns up almost nothing. It covers a big block of IPs: 207.195.240.0 - 207.195.255.255. A Google search on the street address in Delaware turns up a Mailboxes Etc. location, among others. Then again, maybe "Global Tac" is just one of the ISPs NTT took over.
 * In desperation, I searched to see what similar IPs had any talk page comments:
 * http://en.wikipedia.org/w/index.php?title=Special%3AAllpages&from=128.241.0.0&namespace=3
 * I then checked the contributions for each see if any were our spammer (most were not). I found these spam IPs:
 * These lead to sites similar in layout to the ones we've found -- except they seem at first glance to be for porn stars.
 * These lead to sites similar in layout to the ones we've found -- except they seem at first glance to be for porn stars.
 * These lead to sites similar in layout to the ones we've found -- except they seem at first glance to be for porn stars.
 * These lead to sites similar in layout to the ones we've found -- except they seem at first glance to be for porn stars.
 * These lead to sites similar in layout to the ones we've found -- except they seem at first glance to be for porn stars.


 * Requests:
 * You know the "sex symbol" article space and I don't -- can you check edit histories for articles in the alphabetical gaps ("P" for instance) and see if any links have been added by IPs in either of these two IP ranges? If so, can you start tracking down those sites?
 * I know even less about the porn star article space and I did not follow-up on the IPs I found above (128.241.105.241, etc.) Can you start running these down? I've set up a separate section of my user page since the spammer see keep his porn and non-porn sites and edits separate


 * Here's the main way I generate the list I've generated so far:
 * I used a text editor off-line with good find/replace/automation features to reduce the workload
 * I used my homegrown templates (don't use "subst" in this case):
 * I did not find AboutUs or domaintools especially helpful in this case. (That's unusual)
 * I made up a list of all the links from the Links page on one of the sites. Then I worked my way through the sites, adding more links to my list from the Links page on each new site.
 * When I couldn't find any more, I added what I had to this subpage. Then I used the Linkwatcher links to see if any of these links had been added and if so, by whom.
 * Linkwatcher is very unreliable and misses a lot!
 * As I found new IPs, I checked all the links they added, expanding my list further.
 * For domains on my list that I had not seen added by any of my known spam IPs, I used the "linksearch" links to see if there were any links in articles. If so, I determined who added them, then looked at their contributions, etc., continuing to expand my list.
 * Obviously, I removed spam links as I found them.
 * I've pretty much come to a brick wall (except for those new porn IPs I just found). The next step for the non-porn stuff is to check the alphabetical gaps.
 * Obviously, I removed spam links as I found them.
 * I've pretty much come to a brick wall (except for those new porn IPs I just found). The next step for the non-porn stuff is to check the alphabetical gaps.


 * Feel free to update and work from my user subpage:
 * User:A. B./Sandbox16


 * Note any sites known to have been spammed with the notation, "spam removed" (after deleting the link).


 * I occasionally share my computer with others and would prefer to not work on the porn sites.


 * Thanks! -- A. B. (talk) 20:19, 8 September 2007 (UTC)


 * After some programming of first USer:Shadow1 (Linkwatcher, AntiSpamBt), and then of me (COIBot), I found that there were 4 IPs missing in the ranges. These overlapped nicely with the letters you were missing in your list, and with some reverse thinking, I have updated your sandbox.  At the bottom there is a full regex list, which can be inserted into the blacklists (though I think it is wise to see first if mainspace is clean).  Thanks for all the hard work (also in other spam-cases)!  Hope to see you around!  --Dirk Beetstra T  C 01:40, 9 September 2007 (UTC)

OK, let me try what we did. What the linkwatchers, Shadowbot and COIBot now do is, that they resolve the IP of every link that gets added, and they react appropriately on that.

When sorting out the resolved IPs of the urls (which we needed for the blacklisting), I noticed that they seemed to be in three ranges of 8 IP addresses, but in the last IP-address range there were 4 missing. When I typed one of the missing IPs in my browser, I indeed got redirected to a page of one of the women, but with a letter that we did not have in the list. The page links to a links-page, and from these I took a significant number of missing domain-names. Repeating the trick of resolving all the IPs now resulted in three complete ranges of 8 IPs ('/24'). I suspect that the spammer has 3 ranges of 8 IPs, on which he hosts a number of domains each (10-20?). I guess we've got him now. --Dirk Beetstra T C 11:51, 9 September 2007 (UTC)


 * Bear with me.


 * First of all, here's the sign on my street:
 * http://www.simplesignshop.com/images/150/slow_children_sign.jpg


 * What does it mean, "resolve the IPs"? Does that mean find the IP of the web site/host? Or the user IP that added the link?


 * If it helps, the domaintools entry for each site lists the IP as well as other sites hosted at that IP. You have to pay to get the entire list, but they give you a "teaser" of 3 or 4. I noticed that there were about 10 or so domains per IP. So here's an example:
 * http://whois.domaintools.com/adriennejanic.net
 * Go to the server data section:
 * "IP Address: 207.218.202.112"
 * Click the little "R" button to the right:
 * http://www.domaintools.com/reverse-ip/?hostname=207.218.202.112


 * Anyway, thanks so very, very much! -- A. B. (talk) 13:16, 9 September 2007 (UTC)


 * Heh. Sorry, forgot you were just a volunteer too.  If you type a domainname in the address-bar of your browser, the domain is sent to a DNS (Domain Name Server), that returns to your computer the IP of the machine.  Then the browser checks if the IP is alive (pings), and if so sends a request for the document (everything after the domain).  The first step is what I meant with resolving the IP.  What we do with the bots is just that, we ask a DNS to send us back the IP of a domain.
 * It is indeed possible to do the reverse (guess it must be a bit dependent on how the servers are defined, but if it can be done one way, it must be possible to do it reverse as well), but also that that is only for a couple of times for free. It would be nice to know here what we still are missing (see my latest addition to the Sandbox).
 * By the way, we command the bots on irc, I don't know if you have access to that (you need Mirc or the Firefox plugin Chatzilla, or something similar). We can be found on irc.freenode.net, channel #wikipedia-spam-t .. it might be nice to have a chat every now and then, and to show you what is going on in real time.  See you around.  --Dirk Beetstra T  C 13:38, 9 September 2007 (UTC)

Sadly, you can't edit your Sandbox 16 anymore without removing most of the data. I hope you have no specific problem with that. Just to know, all three bots pick up the edits:


 * [17:04:11]  Marion Cotillard http://en.wikipedia.org/w/index.php?title=Marion_Cotillard&diff=156946280&oldid=154786500 en:User:207.195.245.237 http://www. marioncotillard.org http://www. marion-cotillard.org
 * [17:04:14]  WARNING! en:user:207.195.245.237 (en:Special:Contributions/207.195.245.237) has added 3 links.
 * [17:04:16]  WARNING! Link http://www. marioncotillard.org resolved to blacklisted IP address 207.218.230.182 on http://en.wikipedia.org/w/index.php?title=Marion_Cotillard&diff=156946280&oldid=154786500
 * [17:04:27] Reverted to 154786500 on Marion Cotillard (http://en.wikipedia.org/w/index.php?title=Marion_Cotillard&diff=156946280&oldid=154786500)(resolve 207.218.230.182).
 * [17:05:07]  ALERT! Monitored link www. marioncotillard.org (rule: 207.218.230.182 - reason: marioncotillard.org resolves to 207.218.230.182 -> IP-revolving and domain changing spammer) added by en:user:207.195.245.237/en:special:contributions/207.195.245.237 ( http://en.wikipedia.org/w/index.php?title=Marion_Cotillard&diff=156946280&oldid=154786500  ) (report 3/3; 19/13)
 * [17:08:21]  Autoreport: Reporting statistics of link marioncotillard.org; 1 records (see m:User:COIBot/LinkReports/marioncotillard.org & en:Wikipedia:WikiProject Spam/LinkReports/marioncotillard.org).

(Links broken on purpose) This is what Shadow1 and me wanted to know, all is now blacklisted. I hope mainspace is clean. (Only 'bad' thing is, the linkwatcher seems to be lagging for a handful of minutes. We will have to look into that.)  Happy hunting! --Dirk Beetstra T C 16:27, 10 September 2007 (UTC)


 * I disabled all the blacklisted links on User:A. B./Sandbox16 in about 2 minutes with a text editor -- it's now editable again. -- A. B. (talk) 17:31, 10 September 2007 (UTC)

Thanks!

 * Congratulations and thanks for serving. I was happy to support you. -- A. B. (talk) 17:22, 7 September 2007 (UTC)

Barnstar!
I'll bet you've never heard this before :) Shadow1  (talk) 01:37, 12 September 2007 (UTC)


 * Thanks! Makes my day. --01:41, 12 September 2007 (UTC)

Spamstar of Glory
Thank you! I do my best. Let's hope nothing changes if I end up going to library school. ;) Katr67 20:47, 12 September 2007 (UTC)

RFA Thanks
  Click there to open your card! → → → Dearest A. B., Thank you for your participation in my RFA, which closed successfully with 96 supports, 1 oppose, and 3 neutrals. No matter if you !voted support, oppose, neutral, I thank you for taking the time to drop by. I'm a new admin remember, so if you have any suggestions feel free to inform me of them. I would like to give a special shout out to Hirohisat,  Wizardman , and  Husond , for there original co-nominations. Thank you once again and good day. Тhε Rαnδom Eδιτor

Credits
This RFA thanks was inspired by Phaedriel's RFA thanks. So unfortunatly this is not entirely my own design.

RfA thanks
Thank you very much for your support at my RfA. Regards, Jogers (talk) 09:40, 17 September 2007 (UTC)

Re: WikiProject spam
Thank you, I knew there had to be something like that, but for some reason I never found it. And thanks for helping svwiki out, too. /SvNH 05:03, 18 September 2007 (UTC)

Re: User talk:91.15.200.169
Hi - I tried to revert blanking of this page to an earlier version by yourself - but I can't seem to get the revert to take - maybe Twinkle is doing something funny? Anyway, you may want to check the history on User talk:91.15.200.169 and see if it needs reverting. It seems to have been blanked by an i.p. in the same sort of numeric range as the page subject, I suspect it may be the spammers blanking the warnings. DMcMPO11AAUK/Talk/Contribs 13:34, 21 September 2007 (UTC)


 * I'm sorry to be slow in responding -- it looks like someone fixed this while I was traveling. If you still need help, let me know.


 * Yes, it looks like the spammer or someone in his/her area was trying to eliminate the history of the spamming.-- A. B. (talk) 01:07, 23 September 2007 (UTC)


 * No problem, just wanted to make sure it got looked at by someone. :) DMcMPO11AAUK/Talk/Contribs 01:26, 23 September 2007 (UTC)

Re: Zecco
Re your message: I was mighty tempted to delete it just out of reflex action. =) Thanks for filling that article with something besides the discount broker. -- Gogo Dodo 17:05, 26 September 2007 (UTC)


 * That's why I left my "don't shoot" message.


 * Fixing the brokerage spam article problem this way actually led me to create and/or expand 4 more articles on other Nahouri departments:
 * Pô‎ (expansion)
 * Ziou‎
 * Gniaro
 * Tiébélé‎
 * I'm on a Burkina Faso roll today. So I guess a few useful articles came out of all this after all.
 * -- A. B. (talk) 17:33, 26 September 2007 (UTC)


 * P.S. Is your user name, Gogo Dodo, a Burkinabé name? The capital after all is Ouagadougou.

A Detective Barnstar for You!

 * I can't think of anyone more deserving. Great work! Videmus Omnia Talk  04:33, 28 September 2007 (UTC)


 * Thanks! -- A. B. (talk) 11:31, 28 September 2007 (UTC)
 * Very nice, as always well deserved!--Hu12 13:47, 28 September 2007 (UTC)


 * Thanks! -- A. B. (talk) 14:12, 28 September 2007 (UTC)

Minnesota Meetup
 Minnesota Meetup Sunday, 2007-10-07, 1:00 p.m. (13:00) Pracna on Main 117 Main SE, Minneapolis, Minnesota Map Please pass this on! RSVP here.  Spam delivered by Jonathunder 17:06, 30 September 2007 (UTC)

That list
Assuming your question at KM's RFA wasn't rhetorical, you were on the list because you opposed an RFA. Wikidrama, don't you just love it! No, me neither. Angus McLellan (Talk) 22:51, 30 September 2007 (UTC)


 * That's the "how", I suppose (i.e., how I got on the User:Kelly Martin/B list). That list has been described as a sort of "enemies list" yet it's hard to see how I could become an "enemy" merely by simply commenting "oppose based on comments above" in a barely successful RfA that closed 159/63/6. If that's the case, then Kelly Martin has a very low threshold for enmity


 * Call me naive, but in my corner of the real world I just don't see folks being that sensitive to disagreement or vindictive. I've got to believe there's an alternate explanation. I'd never heard of Sean Black before that RfA (nor had I heard of Kelly Martin or Giano).


 * I still don't know what Kelly Martin and her colleagues' intentions were in preparing the list or what folks on the list could expect to happen. I'd really like to hear what Kelly Martin has to say to me.


 * Anyway, thanks for the post. -- A. B. (talk) 23:13, 30 September 2007 (UTC)