Corey Salzano – Page 9 – Web developer, music lover

How to: Stop Spam on your MediaWiki website
This past week I deleted a few hundred wiki pages and user accounts from the MediaWiki installation our company uses to track software features and technical issues. Here is how you can stop your public MediaWiki website from becoming the victim of relentless spam bots.

Limit exposure

My wiki was operating smoothly for about a year and a half before any spammer had found it. A publicly accessible and poorly secured website is always a sitting duck. Once the site was indexed by search engines, finding it became a lot easier. A simple search query like Powered by MediaWiki will list thousands of targets for wiki spammers. I am not sure how our wiki was found by search engine robots, but I certainly know when. Right before the onslaught of spam.

Limit exposure to software security holes

The very first change I made to my wiki was a complete update of the MediaWiki software running on the website. The longer software source code is available in the wild, the more likely that someone has found a security hole or method to exploit the scripts to allow outside manipulation.

The backup and upgrade procedures are very intimidating to the casual user. I downloaded a copy of all the website’s files, uploaded the files that make up the latest release, uploaded my old LocalSettings.php so it was not changed with the update, and then ran the installation script again. When you re-run the MediaWiki installer, it will recognize the existing database tables and update them accordingly.

Prevent Search Engines from indexing your MediaWiki

I am now using the REP to prevent robots from crawling the entire site. The robots.txt file in the root of the website directory looks like this:

User-agent: * Disallow: /

Our wiki is for our use within the office only, so we could care less if anyone else finds or reads the website’s contents via a search engine. If removing your wiki from search engines is not a viable course of action, you can still stop spammers by following the rest of these instructions.

Trip the bots

The most violent spammers that attack MediaWiki websites are automated scripts. These scripts assume that the MediaWiki is unmodified and vulnerable to its content creation routines. A simple CAPTCHA will trip the spam bots. Spammers don’t have time to figure out why they can’t pollute a certain MediaWiki website–they move on to easier targets. I installed the ConfirmEdit extension and configured it to require a simple arithmetic CAPTCHA before saving any edit.

Restrict user account creation and anonymous editing

Here are two lines of code I added to LocalSettings.php to prevent new user registrations and anonymous (IP address only) edits:

# Prevent new user registrations except by sysops $wgWhitelistAccount = array ( "user" => 0, "sysop" => 1, "developer" => 1 ); # Restrict anonymous editing $wgGroupPermissions['*']['edit'] = false;

Learn how to police new content

Within 30 days of the initial attack, my wiki had hundreds of new pages and user accounts. More garbage was being added to the wiki so quickly, that the Recent Changes page was not a sufficient monitor for me to see what was being added to my website. Here is a valuable page that outputs a list of every page on your wiki:

http://www.yourmediawiki.com/index.php?title=Special:AllPages

I also installed an extension called Nuke that facilitates quick mass deletion of any user’s contributions.

Larger or highly active wikis will naturally be harder to maintain as spam-free websites. I am very happy that I got to experience these spam bots only 18 months after launching the wiki. Using the AllPages script was only slightly painful because the the total number of good pages on my wiki at the time was in the low hundreds. If the spam bots find another way to plague my website, I will surely write a second chapter to this guide.
January 4, 2009
How to Block Java user-agents
A variety of user-agents that begin with “Java” are likely visiting your website. Visits providing this type of user-agent are programs created in Java by developers who did not choose to change the default user-agent string value. Here is a list of the Java user-agents I have encountered:

Java/1.4.1_04 Java/1.5.0_02 Java/1.5.0_06 Java/1.5.0_14 Java/1.6.0_02 Java/1.6.0_03 Java/1.6.0_04 Java/1.6.0_07 Java/1.6.0_11 Java/1.6.0_12 Java/1.6.0-oem

I will maintain this list simply for kicks. There is no need to collect an exhaustive list of these user-agent strings in order to block them. As I have mentioned before, I prefer to ban non-human visitors based on a combination of an IP address and a user-agent string.

URL rewrite rules

Here are some URL rewriting conditions and rules that will match a list of IP addresses and any user-agent that begins with “Java” and deliver a 403 Forbidden response for any HTTP request to your server:

RewriteCond %{HTTP_USER_AGENT} Java.* RewriteRule ^/(.*)$ /$1 [F]

The condition matches any user-agent string that begins with “Java” no matter what comes later. The rewrite rule returns any location that was requested with a 403 Forbidden response code. There will be no change made to the URL and no document delivered.

IIS7 URL Rewrite web.config

<rule name="no-java-bots" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTP_USER_AGENT}" pattern="^Java/.*" /> </conditions> <action type="AbortRequest" /> </rule>

Why block Java bots?

Bots with a well-defined purpose will typically identify themselves with a unique name. These Java user-agents are either not interested in identifying their purpose or not ready to publish their name and take ownership of the crawling activities. Both cases are a waste of bandwidth. Test your new application on someone else’s website. Play with your shady crawler on someone else’s website. Come back when you are willing to identify yourself.
December 1, 2008
WordPress latest twitter sidebar widget
Discontinued! This plugin is dead, details here.

I made a WordPress widget to display latest Twitter updates for any Twitter user in a WordPress website’s sidebar. A widget is activated just like a plugin on any “widget ready” theme and can be positioned within the sidebar using the drag and drop Widgets page in the Administration Dashboard.

Links @usernames, #hashtags and URLs

Displays up to 20 twitter updates

Works for any username with public tweets

Does not require twitter password

CSS friendly element IDs

Requirements to run

WordPress version 3.0.0 minimum (MySQL 5 + PHP5)

json extension for PHP

This project is based on some code written by Ryan Barr. I added some sauce and already have a nice idea of where the next version will progress. Thanks for introducing me to the twitter API, Ryan.

PHP5 required

This will be the last version of this plugin that runs uses PHP4’s DOMXML object. All future versions published to this plugin’s page on the WordPress Plugin Directory will be PHP5 only. Click here to download the last PHP4 compatible build from my server, version 0.100210 of this plugin.
November 26, 2008
PHP4 Friendly htmlspecialchars_decode
I needed to use the PHP function htmlspecialchars_decode( ) for a WordPress widget I am making. This function is built into PHP versions 5.1.0 and greater and is used to convert special HTML entities to characters. As defined, htmlspecialchars_decode( ) is the opposite of htmlspecialchars( ). Someone named Thomas commented on the PHP man page to point out a flaw in the definition. He also provides some code, which I have only modified slightly below to check function_exists( ).

if ( !function_exists('htmlspecialchars_decode') ){ function htmlspecialchars_decode($string,$style=ENT_COMPAT) { $translation = array_flip(get_html_translation_table(HTML_SPECIALCHARS,$style)); if($style === ENT_QUOTES){ $translation['''] = '\''; } return strtr($string,$translation); } }
November 25, 2008
WordPress recently updated pages or posts
This WordPress plugin creates a list of links to the most recently updated pages and posts on any WP website. The following image is a screen shot of the widget output. I am running this widget on this website, so forget the screen shot. Look at the sidebar on this page and you will find the widget itself.

Install this plugin

Download recently-updated-pages-and-posts.zip

Decompress the file contents

Upload the recently-updated-pages-and-posts folder to a WordPress plugins directory (/wp-content/plugins)

Activate the plugin from the Administration Dashboard

Open the Widgets page under the Appearance section

Drag the Recently updated widget to the active sidebar

Configure the widget options to suit your needs and click Save

Sample HTML output

View sample-html-output.txt

Styling the output with CSS

/* reference the list by id */ #recently-updated-widget-list{ list-style: disc; }

/* apply style to all of the list items */
.recently-updated-widget-item{ margin-left: 25px; }

/* make the first list item font size larger */
#ruwi-0{ font-size: 125%; }

WordPress.org plugin page

Visit this plugin’s page in the official WordPress Plugin Directory.

Here is some code I hacked together to display a list of recently updated pages and posts on a WordPress site:

<?php $today = current_time('mysql', 1); $howMany = 5; if ( $recentposts = $wpdb->get_results("SELECT ID, post_title FROM $wpdb->posts WHERE post_status = 'publish' AND post_modified_gmt < '$today' ORDER BY post_modified_gmt DESC LIMIT $howMany")): ?> <h2><?php _e("Recent Updates"); ?></h2> <ul> <?php foreach ($recentposts as $post) { if ($post->post_title == '') $post->post_title = sprintf(__('Post #%s'), $post->ID); echo "<li><a href='".get_permalink($post->ID)."'>"; the_title(); echo '</a></li>'; } ?> </ul> <?php endif; ?>

The variable $howMany holds the number of items to display in the list. I used some code I found in a WordPress theme I am using on some website, and modified it to help someone in need of this specific solution.

Update 02/22/2010:

Including post excerpts

A commenter below asks, “Is it possible to combine the_excerpt(); with the code you provided?” The function you are naming is only useful inside “the loop,” but yes, including excerpts is easy. Try this:

<?php $today = current_time('mysql', 1); $howMany = 18; if ( $recentposts = $wpdb->get_results("SELECT ID, post_title, post_excerpt FROM $wpdb->posts WHERE post_status = 'publish' AND post_modified_gmt < '$today' ORDER BY post_modified_gmt DESC LIMIT $howMany")): ?> <h2><?php _e("Recent Updates"); ?></h2> <ul> <?php foreach ($recentposts as $post) { if ($post->post_title == '') $post->post_title = sprintf(__('Post #%s'), $post->ID); echo "<li><a href='".get_permalink($post->ID)."'>"; the_title(); echo '</a><p>' . $post->post_excerpt . '</p></li>'; } ?> </ul> <?php endif; ?>
November 7, 2008
No Blog Clients WordPress plugin

I wrote a small WordPress plugin today to prevent these link elements from showing up in the header of my websites:

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="WPURL/xmlrpc.php?rsd" /> <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="WPURL/wp-includes/wlwmanifest.xml" />

The first of these link elements instruct blog clients where to find the WordPress XML-RPC interface via really simple discovery (RSD).

The second tells Windows Live Writer where to find your WordPress administration dashboard, the location of the edit posts and manage comments scripts.

If you are not using any blog clients to log into your WordPress and make changes to your posts or approve comments, these is no reason to be publishing these script locations.

Download no-blog-clients.zip

This plugin is now included in the official WP Plugins Directory.

October 25, 2008
Blacklisting via Ionic’s Isapi Rewrite Filter

In IIS, banning IP addresses from accessing a website is fairly easy. I rarely do this, however, because I prefer to use a combination of an IP address and a user agent string to identify bad bots that are likely scraping my content or attempting to harvest email addresses.

I try to avoid blocking an IP address at all costs. IP addresses can be forged and changed, so I prefer to rely on an IP address and user agent string combination to identify the culprit that I want to exile. This approach is not fool proof, but I find it be much more reliable.

Scalability is also an issue. The use of an ISAPI filter to process requests for every website on the server or a single file sure makes life easy. The Microsoft IIS configuration console is a mouse-click nightmare on a server with a couple hundred websites.

I use Ionic’s Isapi Rewrite Filter to change the URL structure of websites to be more search engine friendly. This filter uses the PCRE library, and the use of regular expressions is always a huge plus. The rewriting rules are maintained inside one .ini file, so tweaks and updates are a breeze.

Here is an Ionic’s rewrite rule that will let you block access to every site on your server based upon an IP address and user agent string match. In this particular case, I am blocking an email address harvester with IP 24.132.226.94 and user agent Java/1.6.0-oem.

RewriteCond %{REMOTE_ADDR} 24\.132\.226\.94 RewriteCond %{HTTP_USER_AGENT} Java/1\.6\.0-oem RewriteRule ^/(.*)$ /$1 [F]

The two conditions on this match use server variables to match the user’s IP address and user agent string to an expression match. The final line is the rewrite rule that matches any file on any website. The [F] flag tells the Ionic’s filter to return an appropriate HTTP status code of 403 Forbidden.

Regular expressions provide the capability to block a range of IP addresses and partial user agent matches. If i wanted to match on any version of this Java-based robot, I could expand the second condition to something like this:

RewriteCond %{HTTP_USER_AGENT} Java/\d.\S*

Similarily, wildcard matches on IP addresses can be used to block ranges of IPs instead of a single address.

The Microsoft vs *NIX server debate will never die. I use both everyday, and I find that the biggest advantage that the open source server environment has over Microsoft is the interface. Using the Ionic’s ISAPI filter allows me to control the URL structure and blacklist for all of my websites easily and efficiently.

I see this method of blocking IPs or blacklisting bots based on IP address and user agent as a great way to simulate an .htaccess approach to the same problem on a Microsoft server.

UPDATE:
As of May 2009, I am using these rules to block these Java bots. I know earlier in this post I favored an IP address and user-agent combination, but my IP address list grew to more than 100 entries before I abandoned that method. There are no useful Java bots. Useful bots have useful names.

RewriteCond %{HTTP_USER_AGENT} Java.* [OR] RewriteCond %{HTTP_USER_AGENT} ^Java.* RewriteRule ^/(.*)$ /$1 [F]

August 22, 2008
Label tag width not working

The <label> element will not accept a width value in FireFox, and I just spent way too long finding a workaround. The label element is used to associate a text label to a form control that does not automatically have a label.

Short answer: float left makes width work on label elements.

When assigning a width to the label tag, the width value worked in Internet Explorer. FireFox disregarded the width in pixels that I assigned to the label HTML tag in my CSS file.

Label elements are in-line style elements, so technically FireFox is interpreting the CSS properly by not obeying my width declaration. In-line elements do not accept width attributes. The workaround is to force the label element to become a block level element by floating it.

Why float it when you could just declare it a block element with display: block, you ask? Because block elements will stack on top of each other without being floated, and if my original intent was to give a label a width I might be trying to distance it from something beside and not below it. You can do display: block; float: left; and achieve the same result, but if you are going to float it the display attribute is not required.

June 18, 2008
eBay Vehicle Protection Program scam
Update 4/13/2021 Do not contact me about classified ad scams. I can’t help you if you are inclined to believe that a stranger is going to ship you a vehicle for a great price. It’s a scam. I will not respond to your email. If I continue getting emails about this post, I’ll probably take this page offline.

Update 3/12/2010 I have disabled new comments on this post. If you are reading this because you have witnessed this scam, I built a new website that you can use to share your story and help others avoid becoming victims.

A new type of escrow scam is showing up on most of the east coast craigslist motorcycle boards. This scheme will advertise a great deal to elicit lots of responses, and each responder gets a few bait emails explaining that the item is “in eBay’s hands” because a previous sale there was not completed.

Lately, scammers are posting with gmail addresses that almost always contain a first name. After a potential target responds to the ad, the gmail address is abandoned. I have seen this trend in real estate as well. This particular scammer used [email protected] to send these emails to me in an auto-responder fashion after I contacted him. No matter what my emails contained, these three messages came from the scammer as immediate responses in this order:

First of all, please DO NOT REPLY at this e-Mail if you don’t have the amount available, or if you don’t intend to be serious.
I’m from Orlando, Florida.
This is the second time when I try to sell the motorcycle. First time I tried eBay.
Because all the time I use only 100% safe methods I sent the motorcycle through eBay Vehicle Protection Program to a buyer from Alaska.
I paid all the shipping fees from my money and when the eBay have requested the payment the seller have refused to pay because he don’t have the full amount.
Now I have the motorcycle in the eBay hands and is ready to be delivered to the next buyer.
If you want to purchase it and only if you are a serious buyer then send me your complete name and address for shipping.
The time delivery will be only 3 days and the motorcycle will be delivered at your home address full registered in your state and under your name.

This scam appears to be sophisticated for a few reasons. Above all, eBay does have a Vehicle Protection Program that was designed to shield buyers from scam artists on eBay Motors. After some quick searches, a shopper could be falsely convinced that this program exists as a transaction escrow service instead of just a monetary guarantee. Also, the ad text itself plays on a buyer’s emotions. This seller appears to be frustrated with dead-beat buyers and tire kickers, which is a typical grief that one-time sellers profess in their listings.

The second email…

The bike is in perfect condition. Full working. The technical inspection has been made 3 weeks ago.
Now the motorcycle is in the eBay hands and not in my possession it. If you will not like it and you will decide to return it then you will receive the full refund. If you will decide to buy it then eBay will release the funds to me.
If you agree with the terms then send me your complete name, address FAX number and I’ll redirect the motorcycle to you.
I’ll wait for your reply!
Regards!

…and the third email…

eBay Protection Program help the sellers and buyers to stay safe with all the transactions.
How it works:
1. The seller ships the goods to eBay. They will inspect the goods and will contact you through email with the payment details.
2. You will send the payment to eBay.
3. After eBay will confirm your payment they will delivery you the goods in 3 days.
4. As soon as you will receive and you will inspect it if all will be ok and if you will decide to keep it then eBay will release the funds to me. If not you will receive the full refunds and the goods will be returned to me.

Tips that will save you from this scam:

eBay does not handle merchandise or hold and release funds
make sure the email address on the ad listing and the one you communicate with are the same
avoid shipping, deal locally, and meet the seller in person

Have you encountered an online scam?

I am not a lawyer or a financial consultant, but I can help you report an online scam to the US federal authorities.

Do not contact me

Please do not contact me about classified ad scams. I don’t care that people are trying to rip you off. If you email me about a scam, you might become the reason I take this web page offline.
May 27, 2008
Calculate days receivable

The amount of time that elapses between a sale and receipt of payment for that sale provides information about the financial structure of a company, including how the company manages its receivables. Calculating days receivable, or the average number of days sales are outstanding, is easy now with this calculator:

Days Receivable Calculator

Days receivable = = Accounts receivable balance

Average day’s sales = = Net sales
365

Old Days Receivable Flash Calculator

Here is the original flash version of this calculator I built in 2007:

Efficiency ratios can indicate how efficiently a business manages its assets. Days receivable is the collect-ability of accounts receivable, answering the question “how fast can cash supply be built?” with a number of days.

Calculating this number of days receivable helps determine if a change in receivables is a result of a change in sales. Comparing days receivable with the company’s credit terms indicates how customers obey the terms of credit.

About the tool

I built this tool with Flash in 2007. I rewrote it in JavaScript in 2011 since Flash is now of questionable compatibility. The reset button restores all values to defaults, and the about button launches this web page. If you have trouble or suggestions please leave comments here.

November 23, 2007
Do not forget about your domain

If your business has a website, be sure you understand who is in charge of maintaining your domain name registration. Anyone can find out who owns a domain by conducting a whois query on the address. The registration and expiration dates are listed in the report as well as the name of the company that can help renew an expiring domain. Most web hosts will register and maintain a .com or other top level domain name for your website, and some will charge hundreds of dollars to gain or regain ownership of your own domain.

February 13, 2007

Days receivable = =	Accounts receivable balance
	Average day’s sales = =	Net sales
		365

Limit exposure

Limit exposure to software security holes

Prevent Search Engines from indexing your MediaWiki

Trip the bots

Restrict user account creation and anonymous editing

Learn how to police new content

URL rewrite rules

IIS7 URL Rewrite web.config

Why block Java bots?

Requirements to run

PHP5 required

Install this plugin

Sample HTML output

Styling the output with CSS

WordPress.org plugin page

Including post excerpts

Tips that will save you from this scam:

Have you encountered an online scam?

Do not contact me

Days Receivable Calculator

Old Days Receivable Flash Calculator

About the tool