Wikipedia talk:WikiProject Spam/2017 Archive Nov 1

billywr.com

 * links


 * pages


 * accounts

Ongoing spamming by dynamic IP, ongoing for for over a month. --- Barek (talk • contribs) - 20:15, 1 November 2017 (UTC)
 * Blacklisting request submitted at WP:SBL. --- Barek (talk • contribs) - 22:05, 1 November 2017 (UTC)
 * MER-C 02:47, 2 November 2017 (UTC)

healthbeautyguide.in
Not sure how to deal with this one... I came across it on this post in the reference desk by a brand new editor. Smells like spam to me, but since it was not added to an article, I'm not sure if it would be appropriate to remove the link, remove the entire post, or just let it be.

Incidentally, the previous instances of this link were added to the Reference Desk as well by another new editor (here). This editor's only other post (in the Help Desk) was also full of spammy links. –FlyingAce✈hello 17:21, 1 November 2017 (UTC)
 * Yep, it's spam. The spam is deliberately construed that way to look like a legitimate question, receive a genuine response and hence deter removal. You can tell they're spamming because the description text for the link just so happen to be keywords for search engines. MER-C 02:25, 2 November 2017 (UTC)
 * Thank you! I see you have removed the links now. Now I know how to handle such cases in the future. :) –FlyingAce✈hello 17:59, 2 November 2017 (UTC)

holistichealingnatural.com



 * Spammers

Blacklisted. MER-C 07:57, 4 November 2017 (UTC)

catlitterexpert.com


Bunch o' fresh commits from luckycrew, cloaked as "adding data" / "adding ref". One older entry (2 weeks ago) from Rohanda1Parker, no edit summary, but the ref text implied it was from New York Times. Not sure if that was pasting or intentional cloaking. Or stolen content :) Anyhow, did an EL search, none came up, but wanted to report in case the domain comes up again. Not watching this page. tedder (talk) 04:08, 25 October 2017 (UTC)
 * This domain came up in a large checkuser-confirmed sockfarm. MER-C 04:12, 30 October 2017 (UTC)
 * Blacklisted. MER-C 08:16, 4 November 2017 (UTC)
 * Blacklisted. MER-C 08:16, 4 November 2017 (UTC)

holidaystonepal.com



 * Spammers

Blacklisted. MER-C 07:47, 8 November 2017 (UTC)

Hospitals and clinics
It's difficult for me to assess what should or shouldn't be in those articles but link spamming is obviously rampant there. Some instances are in  tags when not external links. — Paleo Neonate  – 14:55, 1 November 2017 (UTC)
 * Related articles prone to spam (including other links)
 * The usual approach taken with lists like these is no article, no listing. I've had to indefinitely semi-protect some lists due to this kind of spamming, but these three aren't active enough to justify it. MER-C 02:20, 2 November 2017 (UTC)
 * I was bold and cleaned up those lists for now. Thanks, — Paleo  Neonate  – 04:30, 10 November 2017 (UTC)

Spam hidden in citation cleanup - findatopdoc.com

 * Chronological order, quoting edit summaries
 * - 30 March, "fix bare citations, add journal doi"
 * - 31 March, "cited doi, pubmed id for verification, updated book isbn"
 * - 14 April, "Link+PMID"
 * - 17 April, "isbn+google book+doi cited+ "
 * - 17 April, "cite doi, ISSN, ISBN, google book link +"
 * - 28 April, without edit summaries
 * - 23 May, "Filled in 3 bare reference(s) with reFill "
 * Related discussion: Conflict_of_interest/Noticeboard/Archive_93
 * I've cleaned it up, but wanted editors to be aware that the ip's were hiding their REFSPAM in edits that also clean up references. Has anyone seen spamming like this before? The COIN discussion is tangentially related: International Association of Healthcare Professionals, a vanity "professional organization", runs findatopdoc.com. --Ronz (talk) 23:49, 9 November 2017 (UTC)
 * I recall filing a SPI on this behavior that found hundreds of socks, but I cannot remember the exact name. It's not new. If you see this domain again, let me know and I will blacklist it. MER-C 06:00, 10 November 2017 (UTC)
 * Thanks. --Ronz (talk) 15:39, 10 November 2017 (UTC)
 * Thanks. --Ronz (talk) 15:39, 10 November 2017 (UTC)

Effective lawmakers
Users and  both have widespread edits promoting a single lawmaker rating website. Neither has responded to talkpage comments/warnings. (All of the actual spam has been reverted.) --JBL (talk) 11:58, 10 November 2017 (UTC)
 * There's currently no overlap in their edits, but they do look like sockpuppets. I'd treat them individually for now, and request the individual account be blocked if there is any further spamming from either. --Ronz (talk) 15:49, 10 November 2017 (UTC)

knightstemplarcards.com



 * Spammers

MER-C 12:48, 9 November 2017 (UTC)


 * Handled on meta. --Dirk Beetstra T C 08:15, 12 November 2017 (UTC)

Islamic finder


Appears to be an anonymous company (web forms for contact, Godaddy domainsbyproxy whois protection, Amazonaws hosting) with various Islam resources including some "apps", the main one being some prayer reminder and local resources access one. The privacy policy mentions as usual that user privacy is important but that the application needs access to monitor the user's location, access the address books, call information and address book (so could theoretically also be spyware). They also have ad place purchase. There are currently (currently unknown by how many editors, COIBot appeared to also have trouble reporting about it). Leaving it here for others to assess if existing instances should be removed or if it should be blacklisted. Thanks, — Paleo Neonate  – 00:24, 15 November 2017 (UTC)

Anonymous IP


-- Ham105 (talk) 01:07, 15 November 2017 (UTC)
 * would you mind next time to explain a bit more what (you think) is happening? Thanks!  --Dirk Beetstra T  C 11:56, 20 November 2017 (UTC)


 * to User:XLinkBot/RevertList. --Dirk Beetstra T C 11:57, 20 November 2017 (UTC)


 * The account had linked the front page of a particular sports website to six Wikipedia articles. While this action now seems to have ceased, the external link was being added, for example, like this on The Ashes page:
 * [MyCricketHighlights2.us MyCricketHighlights] for every Match Highlights of Ashes.
 * In this case, the Ashes is a major sporting contest between England and Australia played every two years, but the current series does not start until the end of this week.
 * The external link provided no information or specific article on The Ashes. It was merely a link to a website about cricket with an implied promise of coverage. To me, this pattern of edits was WP:PROMOTION. -- Ham105 (talk) 13:16, 20 November 2017 (UTC)
 * That is also how I saw it. I revertlisted it, (new/IP) editors will get reverted and warned by XLinkBot on next addition.  --Dirk Beetstra T  C 13:17, 20 November 2017 (UTC)

moviesvala.com



 * Spammers

Blacklisted. MER-C 09:45, 22 November 2017 (UTC)

taxresolutioninstitute.com
Injected to celeb article ☆ Bri (talk) 03:55, 23 November 2017 (UTC) More refspam, says here it is a 3-4 person blog. ☆ Bri (talk) 04:08, 23 November 2017 (UTC)

webpronews.com
Do people consider this a spam link? Appears we use it a fair bit. Doc James (talk · contribs · email) 23:40, 24 November 2017 (UTC)
 * I cannot search deleted archives but fail to find any active or deleted Wikipedia entry about iEntry Network or Web Pro News. I also can't see any relevant WP:RSN archived discussion about its use as a reliable source.  It seems to be a tech blog with several posters and ad purchase.  I'm not sure how popular it is, other than the many links in the encyclopedia.  — Paleo  Neonate  – 09:35, 25 November 2017 (UTC)
 * If one of these sites came across my desk today, I'd revert quickly. Yet another faceless entity posturing as reliable published sources. There are tons of links at Wikipedia. Many of the older ones are dead. Does this constitute spam? Depends on if the links were added in good faith by ignorant users or not. But I trust no blog. Cyphoidbomb (talk) 01:28, 26 November 2017 (UTC)
 * maybe one for a mass cleanup, and XLinkBot for both ELs and references? If then any spammers show up (multiple XLinkBot warnings) we blacklist, otherwise this may teach those who are not aware of our policies and guidelines.  Blogger has a similar faith.  —Dirk Beetstra T  C 04:06, 26 November 2017 (UTC)

linkspam on Jetstream Express
Hello, just noticed that Jetstream Express was graced with a strange link promoting hotel vouchers, left by an anonymous user. I removed the link.


 * to User:XLinkBot/RevertList. --Dirk Beetstra T C 04:08, 26 November 2017 (UTC)

VPN spamming
This is an extension of Special:Permanentlink/809308041 and Special:Permanentlink/809310310.


 * Sites spammed





Stuff for global blacklisting:

Stuff for blacklisting:

Uncertain (please help in evaluating):

VPNs and webhosts:
 * Spammers
 * Special:Contributions/36.255.96.0/22
 * Special:Contributions/43.226.228.0/22
 * Special:Contributions/45.115.24.0/22
 * Special:Contributions/45.221.64.0/21
 * Special:Contributions/82.102.16.0/20
 * Special:Contributions/89.185.239.192/26
 * Special:Contributions/103.46.140.0/22
 * Special:Contributions/103.47.144.0/22
 * Special:Contributions/103.55.8.0/22
 * Special:Contributions/104.37.0.0/21
 * Special:Contributions/138.99.208.0/22
 * Special:Contributions/154.70.152.0/22
 * Special:Contributions/178.170.136.0/22
 * Special:Contributions/178.170.140.0/23
 * Special:Contributions/185.118.76.0/25
 * Special:Contributions/185.145.64.0/22
 * Special:Contributions/185.158.100.0/22
 * Special:Contributions/188.72.124.0/23
 * Special:Contributions/191.101.56.0/22
 * Special:Contributions/198.13.32.0/21
 * Special:Contributions/198.13.40.0/23
 * Special:Contributions/199.38.232.0/22
 * Special:Contributions/212.117.160.0/20
 * Special:Contributions/217.146.0.0/24 ← checked including here


 * Special:Contributions/66.133.72.0/21
 * Special:Contributions/142.44.128.0/17
 * Special:Contributions/185.189.112.0/22

Already blocked:
 * Special:Contributions/43.228.156.0/22
 * Special:Contributions/43.230.99.0/24
 * Special:Contributions/45.115.25.0/24
 * Special:Contributions/46.243.208.0/20
 * Special:Contributions/45.74.0.0/18 -- expires 26 November (!)
 * Special:Contributions/89.185.224.0/19
 * Special:Contributions/91.214.44.0/22
 * Special:Contributions/103.55.8.0/24
 * Special:Contributions/104.243.240.0/20
 * Special:Contributions/104.243.245.0/24
 * Special:Contributions/104.250.160.0/19
 * Special:Contributions/104.250.172.0/24
 * Special:Contributions/141.101.143.0/24
 * Special:Contributions/141.101.144.0/20
 * Special:Contributions/141.101.160.0/21
 * Special:Contributions/141.101.168.0/22
 * Special:Contributions/141.101.172.0/23
 * Special:Contributions/141.101.174.0/24
 * Special:Contributions/154.60.231.0/24
 * Special:Contributions/172.94.0.0/17
 * Special:Contributions/172.111.128.0/17
 * Special:Contributions/179.61.128.0/17
 * Special:Contributions/185.212.168.0/22
 * Special:Contributions/188.72.80.0/20
 * Special:Contributions/188.72.96.0/20
 * Special:Contributions/188.72.112.0/21
 * Special:Contributions/196.251.64.0/18
 * Special:Contributions/196.251.100.0/22
 * Special:Contributions/206.123.128.0/19 -- expires 26 November (!)
 * Special:Contributions/217.64.32.0/20

Not blocked:
 * Special:Contributions/39.51.0.0/17

Blocked for 2 years. Lots of spam on these ranges, reverted 100+ links so far. This is still a work in progress. SIGH. MER-C 10:15, 8 November 2017 (UTC)
 * Bump. MER-C 07:34, 28 November 2017 (UTC)

We need more eyes on (changes to the contents of) Category:Open_Local_COIBot_Reports, the first of these domains were noticed back in February by LiWa3, and quite a number of them have been noticed by LiWa3. --Dirk Beetstra T C 10:18, 11 November 2017 (UTC)
 * That would have stopped about 20% of it. We nned to find a better solution. MER-C 09:11, 13 November 2017 (UTC)
 * I agree, but if the system is being noticed, we would maybe had a chance to keep up. This wastes now a lot of time of the volunteers on this project.  --Dirk Beetstra T  C 10:39, 13 November 2017 (UTC)
 * I don't think so. At least two of these domains were already blacklisted before I started; nobody (myself included) saw the big picture until recently. For the record, I've automated sifting through the contributions for links. The Phabricator ticket somewhat hinders this, but I can work around it. This is still not a satisfactory solution, but I have something in mind. Pay attention to the WMF's Anti-Harassment team -- their work has led to broadly applicable improvements in admin and checkuser tools. They'll soon be launching a consultation on the ineffectiveness of the banhammer independent of the glacial Community Tech process. (In Community Tech's defense, they recently deployed the range contributions stuff which makes dealing with this crap significantly easier.) MER-C 13:29, 13 November 2017 (UTC)

I'm happy to help, but it's not clear to me how to do so. --Ronz (talk) 16:46, 15 November 2017 (UTC)
 * The best solution to this problem so far is to whois any IPs you catch adding obvious spam and report any webhosts and colocation facilities here for blocking. It also helps to check the contributions for the range regardless of whether it is a webhost or not. If you see a domain exclusively added by non-stale throwaway accounts, please report them for CU. You can also watch some of the more frequently targeted articles; I will consider semi-protection requests for the most heavily targeted. MER-C 03:56, 16 November 2017 (UTC)

Strange user behaviour



 * No user page, the only entry is to create a sandbox that links to a third party site JustaZBguy (talk) 00:30, 30 November 2017 (UTC)
 * Actually the sandbox contains a rough draft of what could be a fairly decent article. It has two sources, both of them good. Let's wait and see. It doesn't seem unambiguously promotional. ~Anachronist (talk) 00:36, 30 November 2017 (UTC)
 * Just for kicks I put both domains into Special:LinkSearch to see if there was any other users that looked like this one because I'm super excited ::about my first contribution. The government site was referenced in other sandboxes but all those users had created user pages and had multiple edits, ::ietc.


 * When I put in the other domain, I found a couple others that matched the following pattern:
 * 1. No user page
 * 2. sandbox article with link to 3rd party site
 * 3. No other contributions outside user's own sandbox, mainspace pages


 * There are a couple others that meet (2) and (3) but have a user page stating that they are a student editor. They aren't editing anyone's post but their own?


 * I'm overthinking this right? JustaZBguy (talk) 01:57, 30 November 2017 (UTC)
 * Probably. New editors who focus on their sandbox, or in draft space, is a good thing. We want new editors to gain experience in their sandbox before venturing out. Do you see any evidence of spamming or promotional writing? Referencing a government website, or a reliable source, isn't spamming. The question is whether thebalance.com (linked in the first sandbox you mentioned) can be considered a reliable source. The byline of the article referenced in that sandbox looks legitimate, but if you see a pattern of people linking to that site, it should be reported at WP:RSN for investigation. ~Anachronist (talk) 03:23, 30 November 2017 (UTC)