User talk:Malcolm C Munro

Welcome!

Hello, Malcolm C Munro, and welcome to Wikipedia! Thank you for your contributions. I hope you like the place and decide to stay. Unfortunately, one or more of the pages you created, such as User:Malcolm C Munro/IFOPA, may not conform to some of Wikipedia's guidelines, and may soon be deleted.

There's a page about creating articles you may want to read called Your first article. If you are stuck, and looking for help, please come to the New contributors' help page, where experienced Wikipedians can answer any queries you have! Or, you can just type helpme on this page, and someone will show up shortly to answer your questions. Here are a few other good links for newcomers:
 * Starting an article
 * Your first article
 * Biographies of living persons
 * How to write a great article
 * The five pillars of Wikipedia
 * Help pages
 * Tutorial

I hope you enjoy editing here and being a Wikipedian! Please sign your name on talk pages using four tildes (~~~~); this will automatically produce your name and the date. If you have any questions, check out Questions or ask me on my talk page. Again, welcome! Wuh Wuz  Dat  19:11, 22 August 2010 (UTC)

Speedy deletion nomination of User:Malcolm C Munro/IFOPA
A tag has been placed on User:Malcolm C Munro/IFOPA, requesting that it be speedily deleted from Wikipedia. This has been done under section G11 of the criteria for speedy deletion, because the page seems to be unambiguous advertising which only promotes a company, product, group, service or person and would need to be fundamentally rewritten in order to become an encyclopedia article. Please read the guidelines on spam as well as FAQ/Business for more information. You may also wish to consider using a Wizard to help you create articles - see the Article Wizard.

If you think that this notice was placed here in error, you may contest the deletion by adding  to the top of the page that has been nominated for deletion (just below the existing speedy deletion or "db" tag - if no such tag exists then the page is no longer a speedy delete candidate and adding a hangon tag is unnecessary), coupled with adding a note on the talk page explaining your position, but be aware that once tagged for speedy deletion, if the page meets the criterion, it may be deleted without delay. Please do not remove the speedy deletion tag yourself, but don't hesitate to add information to the page that would render it more in conformance with Wikipedia's policies and guidelines. Lastly, please note that if the page does get deleted, you can contact one of these admins to request that they userfy the page or have a copy emailed to you. Wuh Wuz  Dat  19:11, 22 August 2010 (UTC)

Yes, please post them here (no need to include the whole page; once we have seen the DOCTYPE, html xmlns, head, and base href we know we are getting the real page).

Here are my logs.

I sent:

    GET / HTTP/1.1
    Host: www (dot) ifopa (dot) org
    Connection: close
    Accept: */*
    User-Agent: WebBug/5.0

And the server returned:

    HTTP/1.1 200 OK
    Date: Thu, 17 Oct 2013 00:42:26 GMT
    Server: Apache
    P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
    X-Powered-By: TMX-194.19
    Expires: Mon, 1 Jan 2001 00:00:00 GMT
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: ca565f6e2059dc6fd822a132c14d48f2=4bb87938fe78d8f95edcaca1f1485240; path=/
    Last-Modified: Thu, 17 Oct 2013 00:42:26 GMT
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8

    67b7
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <base href="http://www (dot) ifopa (dot) org/" />

And so forth, delivering your main page just as it should.

Then I sent:

    GET / HTTP/1.0
    Accept: */*
    User-Agent: WebBug/5.0

And the server returned:

    HTTP/1.1 302 Found
    Date: Thu, 17 Oct 2013 00:42:45 GMT
    Server: Apache
    Location: http://www.server285.com/
    Content-Length: 209
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="http://www.server285.com/">here</a>.</p>
    </body></html>

If you send those exact characters using TELNET, you will get the exact same result.

Or you can simply use WebBug, as I have suggested multiple times, and then try to figure out why you are getting different results with TELNET.

As for how I know the server285.com website is malicious, does ifopa (dot) org own and control server285.com?

If so, did you purposely put up an imitation of the ifopa main page there, except with "Product and Services Database" replaced with "Product and purchase generic viagra Services Database"?

If so, did you configure server285.com to give different results for different user agents -- specifically serving up a normal page with no Viagra links when the user agent is "Googlebot/2.1 (+http://www.google.com/bot.html)" ?

If so, did you take down the imitation page shortly after I started analyzing it?

Somehow I doubt that the real ifopa (dot) org was interested in selling me "herbal Viagra". --Guy Macon (talk) 02:55, 17 October 2013 (UTC)

IFOPA website redirects to a malicious website
I am commenting out all links to the ifopa website per discussion at Wikipedia talk:WikiProject Spam/2013 Archive Jan 1. If you have any contacts with that organization, please inform them that their official website is now selling counterfeit generic viagra. --Guy Macon (talk) 20:23, 26 January 2013 (UTC)


 * I have contacted IFOPA; their web hosting company has completed addressing the issues. I will now restore the ifopa link removed. Thanks very much for your assistance with this. Much appreciated. Malcolm C Munro (talk) 18:20, 29 January 2013 (UTC)Malcolm Munro.


 * Please have IFOPA contact me. Either you got some bad info or their web hosting company is incompetent. The problem has not been fixed. Reverting your change to the IFOPA page now. --Guy Macon (talk) 18:35, 29 January 2013 (UTC)


 * (...Sound of crickets...) --Guy Macon (talk) 02:53, 31 January 2013 (UTC)


 * BTW, the spammers appear to have removed the spam links in an attempt to evade detection, but the page is still compromised, and an HTTP 1.0 request still redirects to a page controlled by the spammers. --Guy Macon (talk) 02:53, 31 January 2013 (UTC)


 * Web page still compromised. Any luck contacting IFOPA? --Guy Macon (talk) 17:19, 6 February 2013 (UTC)

I'm told that IFOPA's web company is "rebuilding" the entire site as the "only way to address the problem". I gave them your contact information, and from the reply I received, I inferred they had contacted you for an explanation of what was happening. Apparently not however. I will check with IFOPA regarding progress. — Preceding unsigned comment added by 68.147.245.108 (talk) 18:19, 6 February 2013 (UTC)


 * No message. I know that the Wikipedia "email this user" page Special:EmailUser/Guy Macon works.


 * It is hard to be sure what is going on third hand, but the standard way to fix such a problem is to restore the entire site from a backup taken before the site was compromised. Whoever wrote the HTML for the page should have backups, as should the hosting company. --Guy Macon (talk) 06:25, 7 February 2013 (UTC)

I have been unsuccessful in restoring our URL to the info box. How do I do this? Thanks.
 * I believe that the previous issues with the IFOPA website have been addressed. I would now like to re-insert our URL. Please advise. Malcolm C Munro (talk) 20:52, 10 October 2013 (UTC) Malcolm C Munro


 * And you decided to go ahead and restore the link without any talk page discussion ten minutes before asking for advice here? That is unacceptable behavior.


 * As of 10 October 2013 the IFOPA website still redirects to a malicious website. I check it every month or so. I cannot tell whether your restoring the link simply means that you are not competent enough to understand the issue or whether you are associated with whoever redirected the IFOPA website to a malicious website, but either way I am going to start treating any such restore without talk page discussion as vandalism. Do it again and you are likely to be blocked from editing Wikipedia. There will be no further warnings. --Guy Macon (talk) 22:24, 10 October 2013 (UTC)


 * Rest assured the problem is my marginal (correction: very marginal) understanding of Wiki editing etc. Anyway, as you can see from some of the above, I have been trying for the past year to get somebody to correct this situation, including getting our Web service company to rebuild our entire web site. But you are now telling me the IFOPA website still redirects to a malicious website.  Could you tell me more specifically which link from the IFOPA website is redirecting and I'll forward that to our web company for their attention?  Last, I respectfully request that you view any similar future gaffes on my part as indicative of my well-intentioned but admittedly less-than-competent efforts to improve our rare disease website and not vandalism.  Please also be aware that I have made a personal financial contribution during Wikipedia's annual financial appeal to show my appreciation for the service that Wikipedia provides in enabling people in our rare disease community to be aware of the activities of the International FOP Association.  I look forward to hearing from you and thanks very much for your attention. Malcolm C Munro (talk) 17:55, 11 October 2013 (UTC)


 * Sorry if I was a bit too harsh. I can see that we are on the same side. Your making the change and removing my warning not to make the change before discussing it annoyed me. Please don't do that again.


 * I can't point you to a bad link because none of your links are bad. You have one line in one configuration file that tells your server to send everything to a malicious website under a very specific set of circumstances having to do with older browsers. I can get more technical if I ever get in touch with someone who will understand what I am saying. I would guess that roughly 10% of your visitors get redirected. As long as this is true I cannot allow Wikipedia to send them there. I could fix this in about a minute if I had access to your servers.


 * You really should stop trying to ask someone to fix this. Let me do it. I am an expert in this sort of thing. You should be asking one question, over and over: "Have you contacted Guy Macon? Guy says he hasn't heard from you." Call whoever the president of the FOP organization is and keep calling him back every day as long as I keep saying nobody has talked to me. Tell her/him that you have an expert who normally charges over $200 an hour who is willing to help him/her for free. And don't bother with that web service company. Clearly they know how to make good looking web pages but know nothing about configuring a web server other than uploading the pages to it. Otherwise they would have read my explanation at Wikipedia talk:WikiProject Spam/2013 Archive Jan 1 and fixed it. --Guy Macon (talk) 07:30, 12 October 2013 (UTC)


 * OK, I have written to both the chairman of the board of IFOPA and our operations manager for permission to have you access our Web server. If they approve, I'll send you the OM's e-mail address so that you can communicate with her directly.  I hope this is satisfactory. Again, thanks very much. Malcolm C Munro (talk) 17:46, 12 October 2013 (UTC)

If they don't want me to have access, they can pick anyone who has the skills to understand me and I will tell that person how to fix it. In fact, I will do that right here and now. You can skip the rest of this if you are not into configuring web servers.

If you access http://www (dot) ifopa (dot) org/ using HTTP 1.1, everything is normal.

If you access http://www (dot) ifopa (dot) org/ using HTTP 1.0, it redirects you to malicious website server285.com

You can verify this with WebBug, available at http://www.cyberspyder.com/webbug.html

We know from the responses we see using WebBug that ifopa (dot) org is running on an Apache server.

Apache servers have two configuration files that can cause this to happen; httpd.conf (controlled by the server owners) and .htaccess (controlled by IFOPA).

If this is being done in httpd.conf (which I doubt), then everybody who has a website on that server is compromised, and I will advise IFOPA to move to a reputable hosting provider such as pair.com.

If, as I expect, this is being done in .htaccess, I expect to see the following in the .htaccess file.

There will be a RewriteCond (re-write condition) directive that uses the REQUEST_PROTOCOL variable to see if the request is HTTP/1.0.

There will be a RewriteRule (re-write rule) directive that uses a 302 redirect to send the request to the malicious server.

The easy way to find the above is to search for "server285".

Disabling that command should fix the problem.

After it is fixed, IFOPA should change the password that allows someone to modify the .htaccess file.

This will lock me out and, more importantly, will lock out whoever inserted the malicious redirect.

Other interesting findings:

ifopa (dot) org is at 64.14.78.145 at SAVVIS Communications Corporation.

server285.com is at 64.14.68.84, also at SAVVIS Communications Corporation.

According to http://www.sitesview.us/i/64.14.78.145 no other sites are on 64.14.78.145, just IFOPA.

According to http://www.sitesview.us/i/64.14.68.84, 64.14.68.84 has 20 other websites on it. I checked a couple with WebBug and they had the same http 1.0 redirect.

When I first investigated this, the malicious website was serving up something that looked just like the real ifopa (dot) org website but with spam links. For example "Product and Services Database" on the first page was "Product and purchase generic viagra Services Database" and sent you to a viagra spam site. Now it isn't doing that. It stopped right after I reported it to several anti-spam organizations. Perhaps the bad guys are just laying low, or maybe someone nuked the master that was controlling a bunch of malicious websites. --Guy Macon (talk) 03:37, 13 October 2013 (UTC)


 * OK, thanks Guy. I'll wait to see how the chairman responds (probably not before Tuesday) and take it from there. At the very least, I think I know how to make direct contact with someone who would have access to the site, even if the office won't provide you with access. I'd then just forward to him/her what you provided above. Much appreciated. Malcolm C Munro (talk) 16:54, 13 October 2013 (UTC)


 * Guy, when I requested access for you, the IFOPA Operations Manager instead directed my query to our Web service company, complete with your instructions above to fix the problem. She then sent me their response:

RESPONSE: We looked at the site for the issue Guy says he found but cannot reproduce any error nor is server285.com a malicious site. Your site is hosted on the server with this hostname. If you try to access directly the IP of your domain name (http://64.14.78.145/), you would be redirected to http://www.server285.com. This is normal as only your DNS name IFOPA (dot) ORG will display the site.

We would need Guy to provide a more detailed explanation why this hostname is considered malicious. We monitor our servers 24/7. If any abuse is detected on our servers, immediate actions are taken for the particular case to get resolved. We believe that the output of the tool that is suggested (WebBug) is not reliable. We initiated telnet requests on both protocols (HTTP 1.0 and HTTP 1.1). They do return the correct data from your site. There is no redirection to server285.com. - Guy, I can provide the telnet returns if that will help. In light of the above, please advise, and thanks once again. Malcolm C Munro (talk) 16:44, 16 October 2013 (UTC)

Let's deal with each of the above one at a time.

First, the malicious server issue:

I saw what I saw. Where the ifopa main page is supposed to have a link labeled "Product and Services Database", it had a link labeled "Product and purchase generic viagra Services Database". You can see where I reported it at Wikipedia talk:WikiProject Spam/2013 Archive Jan 1

Another user said he could not see the spam link, which led me to experimenting with HTTP 1.0 and HTTP 1.1. You can see how we figured it out at the above link. When I checked it a month later, the spam link was gone but I still saw the 302 redirect with a HTTP 1.0 request.

Next, is my tool flawed?

I wanted to type in character-by-character the same input that I have posted several times already, but the server times out faster than a human can type. I tried piping a text file to telnet, but couldn't make it work. So I looked for another tool:

http://web-sniffer.net/ shows the 302 redirect. Try http://www (dot) ifopa (dot) org/ yourself. Interestingly, if you send a HTTP 1.0 request with a host header it does not redirect. The host header is not required in 1.0 and some older browsers do not send it. That may explain your telnet results.

If you say that you control server285.com and have scanned it recently, I am inclined to conclude that whatever caused the viagra links has been resolved, and let it back on Wikipedia. There is a huge difference between a 302 to an unknown website and a 302 to a vhost at your ISP. BTW, have you considered putting something up at server285.com to show that it is yours? The WHOIS shows that it is registered to someone in the Village of Eremia (Kyustendil District) in South-Western Bulgaria, but our geolocation tools say it is in Boston, Massachusetts...

Two final things:

When you get the 302, it redirects to the exact same URL. That's just weird. How does Apache not throw a 500 error?

You say that http://www (dot) ifopa (dot) org/ and http://www.server285.com are both at 64.14.78.145, but my tracert does not agree:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\User>cd /

    C:\>tracert ifopa (dot) org

    Tracing route to ifopa (dot) org [64.14.78.145]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  192.168.0.1
      2     *      369 ms   483 ms  bras19-l0.lsanca.sbcglobal.net [151.164.186.19]
      3   483 ms   172 ms    74 ms  12.83.97.57
      4   347 ms   625 ms   769 ms  la2ca02jt.ip.att.net [12.123.30.17]
      5   299 ms   108 ms   160 ms  208.174.194.65
      6   381 ms   459 ms   557 ms  cr1-tengig-0-5-0-0.lay.savvis.net [204.70.198.5]
      7   252 ms   932 ms   612 ms  cr2-bundle-pos-1.newyork.savvis.net [204.70.197.34]
      8   554 ms   548 ms   250 ms  hr1-tengig-13-0-0.waltham2bo2.savvis.net [204.70.198.182]
      9   783 ms   510 ms   201 ms  das1-v3006.bo1.savvis.net [209.202.187.54]
     10   625 ms   952 ms   521 ms  64.89.38.2
     11    90 ms   123 ms   257 ms  64.14.78.145

    Trace complete.

    C:\>tracert server285.com

    Tracing route to server285.com [64.14.68.84]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  192.168.0.1
      2   419 ms   464 ms   513 ms  bras19-l0.lsanca.sbcglobal.net [151.164.186.19]
      3   612 ms   450 ms   377 ms  12.83.97.61
      4   538 ms   360 ms    88 ms  la2ca02jt.ip.att.net [12.123.30.189]
      5   746 ms   808 ms   433 ms  208.174.194.65
      6    14 ms    13 ms    42 ms  cr1-te-0-5-0-3.lay.savvis.net [206.28.97.245]
      7   978 ms  1028 ms   453 ms  cr2-bundle-pos-1.newyork.savvis.net [204.70.197.34]
      8   315 ms   394 ms   464 ms  hr1-tengig-13-0-0.waltham2bo2.savvis.net [204.70.198.182]
      9   192 ms   201 ms   261 ms  das1-v3005.bo1.savvis.net [209.202.187.50]
     10   999 ms   649 ms   350 ms  64.89.38.2
     11  1533 ms  1200 ms  2273 ms  server285.com [64.14.68.84]

    Trace complete.

    C:\>

Note the subtle difference in entry 9 on each... --Guy Macon (talk) 06:31, 17 October 2013 (UTC)
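An added example, not part of the original thread: the comment above turns on whether the 302 depends on the HTTP version or on the missing Host header, and telnet was too slow to type the requests by hand. This Python sketch builds the three raw request variants, sends them unchanged over a socket, and classifies the parsed responses. The host name `www.example.org`, the redirect target `other.example.net`, the `redirect-probe/0.1` user agent and the sample responses are constructed placeholders.

```python
import socket
from urllib.parse import urlsplit

SITE = "www.example.org"  # placeholder for the site under test (assumption)

def build_request(version, host=None, path="/"):
    """Raw GET request; host=None omits the Host header, as old HTTP/1.0 clients may."""
    lines = [f"GET {path} HTTP/{version}"]
    if host:
        lines.append(f"Host: {host}")
    lines += ["Accept: */*", "User-Agent: redirect-probe/0.1",
              "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def variants(host):
    """The three requests whose answers distinguish the possible causes."""
    return {
        "1.1+host": build_request("1.1", host),
        "1.0+host": build_request("1.0", host),
        "1.0-nohost": build_request("1.0"),
    }

def fetch(address, request, port=80, timeout=10):
    """Send the bytes unchanged and return everything the server sends back."""
    with socket.create_connection((address, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def parse_response(raw):
    """Return (status code, {lower-cased header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def offsite_target(response, site):
    """Host named in a redirect's Location header if it differs from site, else None."""
    status, headers = response
    if status not in (301, 302, 303, 307, 308):
        return None
    target = urlsplit(headers.get("location", "")).hostname
    if target is None or target.lower() == site.lower():
        return None  # relative or same-site redirect
    return target

def classify(responses, site):
    """Name which property of the request triggers the off-site redirect."""
    hits = {name: offsite_target(resp, site) for name, resp in responses.items()}
    if hits["1.1+host"]:
        return "always-redirects"
    if hits["1.0+host"]:
        return "protocol-dependent"   # keyed on the HTTP version itself
    if hits["1.0-nohost"]:
        return "host-dependent"       # only requests without a Host header
    return "consistent"

def probe(address, host):
    """Live check: send all three variants to address and classify the answers."""
    answers = {n: parse_response(fetch(address, r)) for n, r in variants(host).items()}
    return classify(answers, host)

# Constructed responses modelled on the two logs posted above.
OK = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<!DOCTYPE html>"
MOVED = (b"HTTP/1.1 302 Found\r\nServer: Apache\r\n"
         b"Location: http://other.example.net/\r\nContent-Length: 0\r\n\r\n")
SAMPLE = {"1.1+host": parse_response(OK), "1.0+host": parse_response(OK),
          "1.0-nohost": parse_response(MOVED)}
```

A "host-dependent" result means the redirect is reached only by requests that carry no Host header, while "protocol-dependent" means an HTTP/1.0 request is redirected even when it names the site.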


 * Guy, I have forwarded your message to the IFOPA office for forwarding to our web guys. In the meantime, I also received comment from a tech-wise "friendly" whom I'll refer to as CBG (though he had not seen your above before commenting).  You may wish to refrain from responding to CBG's comments (below) until we have received a reply from our web guys to your comments above as our exchanges may get too confusing. Last, I feel that unless we can resolve this issue soon, we should live without the IFOPA's URL in our Wikipedia article, as having the link isn't justified by all the collective energies that are being invested.  It may be simpler to just state in the article's text that to access our website "please search for IFOPA on your favorite search engine" or something like that.

CBG's Comments: While Guy at Wikipedia is correct the HTTP 1.0 (in Web Bug only) does redirect to www.server285.com, which it should not, that server itself is not malicious (I assume it's because it's not the ifopa (dot) org domain that he's flagging it). It's basically the friendly name for the server on which I suspect ThinkLever hosts a bunch of sites (including the IFOPA).

I've checked the sites using a little online tool I occasionally use: http://sitecheck.sucuri.net/results/www (dot) ifopa (dot) org and http://sitecheck.sucuri.net/results/www.server285.com and it's reporting no issues with either. I think he is flagging it as you would not expect to see www.server285.com appear anywhere. So the question I would be asking is why is Web Bug able to pick it up and can ThinkLever do anything to fix that to keep Wikipedia happy?

I did double check ThinkLever's Telnet results and also checked by forcing Firefox to use HTTP 1.0 (the protocol of issue) when visiting www (dot) ifopa (dot) org and it does indeed appear that all is well and we are taken to the correct destination. This re-enforces the view that it is "just Web Bug" but... Web Bug is picking it up from somewhere which could do with being looked into. End of CBG's comments. Malcolm C Munro (talk) 17:09, 17 October 2013 (UTC)


 * CBG, did you test HTTP 1.0 as it is typically sent by old browsers or did you test HTTP 1.0 with an added HTTP-1.1-style host header? http://web-sniffer.net/ shows the 302 redirect when a standard HTTP 1.0 request (no host) is selected. --Guy Macon (talk) 19:28, 17 October 2013 (UTC)


 * Guy, here is the reply from CBG: "Let Guy know I just tried latest Firefox with advanced config set to 1.0, I suspect it is sending the headers.  I'm on his page I think. We just need to get ThinkLever to suss the right setting.  Advanced stuff this, though I think most browsers are 1.1 now". Still awaiting a reply to your previous message to the Web guys. Malcolm C Munro (talk) 23:33, 17 October 2013 (UTC)


 * Guy, I seem to be frozen out of the process, as our Operations Manager has chosen not to reply to my request to put you in personal contact with our web guys. I can sympathize as she is very busy organizing a major conference and says she can't spare any more time for this. My only option now seems to be to simply instruct folks to Google IFOPA and get the link in that manner. It will look kind of hokey but I don't see any other alternative.  What's your take on all this now? Malcolm C Munro (talk) 17:42, 28 October 2013 (UTC)

REMOVAL OF "MULTIPLE ISSUES" NOTICE REQUESTED I have addressed citation issues and removed the External Links section. If further issues remain, please provide more specific detail. If not, may we have the Multiple Issues notice removed? Malcolm C Munro (talk)

ArbCom elections are now open!
Hi, You appear to be eligible to vote in the current Arbitration Committee election. The Arbitration Committee is the panel of editors responsible for conducting the Wikipedia arbitration process. It has the authority to enact binding solutions for disputes between editors, primarily related to serious behavioural issues that the community has been unable to resolve. This includes the ability to impose site bans, topic bans, editing restrictions, and other measures needed to maintain our editing environment. The arbitration policy describes the Committee's roles and responsibilities in greater detail. If you wish to participate, you are welcome to review the candidates' statements and submit your choices on the voting page. For the Election committee, MediaWiki message delivery (talk) 14:26, 24 November 2015 (UTC)

ArbCom Elections 2016: Voting now open!
Hello, Malcolm C Munro. We welcome your contributions, but if you have an external relationship with the people, places, or things you have written about on Wikipedia, you may have a conflict of interest (COI). Editors with a COI may be unduly influenced by their connection to the topic, and it is important when editing Wikipedia articles that such connections be completely transparent. See the conflict of interest guideline and FAQ for organizations for more information. In particular, we ask that you please:


 * avoid editing or creating articles related to you and your family, friends, school, company, club, or organization, as well as any competing companies' projects or products;
 * instead, you are encouraged to propose changes on the Talk pages of affected article(s) (see the request edit template);
 * when discussing affected articles, disclose your COI (see WP:DISCLOSE);
 * avoid linking to the Wikipedia article or to the website of your organization in other articles (see WP:SPAM);
 * exercise great caution so that you do not violate Wikipedia's content policies.

In addition, you must disclose your employer, client, and affiliation with respect to any contribution which forms all or part of work for which you receive, or expect to receive, compensation (see WP:PAID).

Please take a few moments to read and review Wikipedia's policies regarding conflicts of interest, especially those pertaining to neutral point of view, sourcing and autobiographies. Thank you. -- Ed (Edgar181) 13:41, 30 May 2017 (UTC)


 * Edgar 181, please be advised that I was on the board of directors of this association when I created this article some years ago but I was then unaware of Wikipedia's conflict of interest policy. Apparently, as a fresh volunteer studying how to create an article, I did not come across the policy.  However, I have been off the board for several years now and I no longer have any relationship with this organization.  Therefore I believe that the conflict of interest no longer exists and I trust the extensive effort I have made in the current edits to remove subjective wording attests to this, and I am prepared to edit further if requested.  I continue to edit and update the article as my efforts to enlist someone else to undertake the editing have been unsuccessful.  I shall refrain from removing the template messages until such time as you or another editor comments, or someone else removes the messages.  Thank you very much for your attention. Malcolm C Munro (talk) 23:09, 11 June 2017 (UTC)