Please report vandalism at the top of the "Current alerts" list below. Please only use this page for repeated malicious vandalism, not for one-off edits, or newbie tests (which you can simply revert by yourself). Except in cases of vandalbot or other rapid-fire attacks, please warn users and wait for further vandalism before listing them here. Do not list non-vandalism.
Please list the IP address or user name (use the format [[Special:Contributions/Username|Username]] or [[Special:Contributions/IP Address|IP Address]] as the header), pages touched and damage done. Sign your name using ~~~~ after your report. Put the person's IP or username in the edit summary.
Obivously, we know about this current vandal, however, it almost seems to be a bot. Should we block because of that? The reason I believe this is because the IP edits three pages per minute and has repeatedly vandalised the same three pages, which I doubt most vandals do. Past vandals venture into vandalising other pages too. -- Andrew Haggard (Sapphire) 20:19, 10 September 2006 (EDT)
block the IP, the recent changes page is a mess of his edits and your reverts, it could go on all night if you dont block it. Russeasby 20:24, 10 September 2006 (EDT)
I suspect this is a bot of some sort, but bot or human it's been making edits that make no real changes to article content but corrupts all non-ASCII characters in the article. It's easy enough to revert, but if this goes on for more than a few hours then I think it would be safe to assume it's a bot gone wrong and consider a block. -- Ryan 02:44, 28 August 2006 (EDT)
I know we don't normally block, but I seriously doubt this is an actual user, and a temporary block might give whoever's script this is a chance to fix it. Is anyone opposed to a short block? -- Ryan 03:46, 28 August 2006 (EDT)
If another admin disagrees please unblock, but rather than continue to clutter up the recent changes page I've put a six hour block on this IP address in the hopes that whoever is running the bot will fix it. Our non-block policy is based on the idea that soft security is better than hard security. However, in this case I don't see any soft security advantages - a bot doesn't get bored or learn from the example of others. -- Ryan 04:11, 28 August 2006 (EDT)
Special:Contributions/18.104.22.168 appears to be the same script, and the IP address also originates from uu.net. I'll try the six hour block again unless anyone objects. -- Ryan 16:09, 28 August 2006 (EDT)
No objections, but this should be noted on the block user page per policy. Also, this morning the bot changed IP a few times, but usually reverted back to 22.214.171.124. So keep an eye out for other IPs too. -- Andrew Haggard (Sapphire) 16:21, 28 August 2006 (EDT)
Interesting enough, the standard WikiTravel curtousy may be paying off... Traveler2006 (mostly as an anon IP) seems to be starting reasonable articles. I would not support a ban... that should be severely the last resort. Please read over the user ban policy -- Ilkirk 15:14, 30 March 2006 (EST)
I agree with Ilkirk... I am seeing places that I did not know existed in Maine and it is encouraging me to do some more clean up in that state. No ban, the edits and adds are pretty easy to handle and it is fun to check out some of these places. Best policy is to for sure keep cool and try not to engage but help with edits and corrections or just do your own thing. There are plenty of folks willing to do clean up. As far a small places, I can see the day when we will have an article on a whole lot of very very small places and you can almost always find a place to sleep close by. -- Tom Holland (xltel) 15:51, 30 March 2006 (EST)
I expect to see that day too, but only because I'm still pretty young. :) Until then, this kid will be leaving lots of empty articles for one-bed towns that won't get developed beyond the empty-outline stage, won't stay on anybody's watchlists, and will subsequently be prime candidates for mischief... broken windows, if you will. Wikipedia already has this problem and as a more general-interest site they'll always have a lot more eyes watching. I'd hate to see Wikitravel gain a reputation among the kidz as a fun place to shit around because it has so many vacant articles to play in and no penalties for doing so, and among the wider population as a guide full of articles with nothing but outdated info and graffiti. London will take care of itself; something like Numidia will probably never be looked at or updated (with legitimate info, that is) after next week. - Todd VerBeek 16:54, 30 March 2006 (EST)
I went through much of Northern California adding an outline for every two-bit watering hole with a motel, and adding links for all the one-bit watering-holes without motels. I've found that a surprising number of these receive contributions from users, and some of the red-linked towns were filled out a bit too. So I think we need an outline for every incorporated town in the US and Canadia. -- Colin 17:10, 30 March 2006 (EST)
A criterion which does not include Numidia, by the way. - Todd VerBeek 17:39, 30 March 2006 (EST)
I understand that Wikitravel has a point of pride of not issuing blocks. Without forming a judgement about the motives of the user, it is very tempting to swallow our pride here. I suppose another possibility would be to allow swifter deletion - Wikitravel:Votes_for_deletion is getting out of control, mostly due to this user. -- Jonboy 15:16, 30 March 2006 (EST)
He has changed tactic: now creates articles on small communities I hardly believe can pass the "can you sleep there?" test. Needs special attention. Simone 15:35, 30 March 2006 (EST)
The use of a temporary block (e.g. 24 hours) might put a fraction of the inconvenience on him rather than the rest of us, and drive home the notion that there can be consequences to his misbehavior. - Todd VerBeek 16:54, 30 March 2006 (EST)
This isn't the place to discuss a ban. This is: Wikitravel:User ban nominations. If you feel strongly enough about it, take it there. As for discussions about where we're heading with WikiTravel and what articles are good articles, there are plenty of other places to talk about that too. -- Ilkirk 17:18, 30 March 2006 (EST)
126.96.36.199 - has made a mixture of obviously false and some plausible-sounding edits. I've reverted some, but maybe an admin can roll back the whole bunch just in case? --Ravikiran 06:37, 16 Nov 2005 (EST)
I don't have time to babysit 188.8.131.52, who is slowly but persistently messing with African sites like Mali, Senegal, etc. Maybe someone can keep an eye on him/her/it. Jonboy 11:15, 14 Feb 2006 (EST)
Please keep an eye on Oxford (Mississippi) which is being repeatedly vandalized by multiple morons. -- Colin 02:18, 23 Jan 2006 (EST)
There is a bot out there that converts HTML quote characters ( " and ' ) to HTML " strings. This knocks the country quick boxes to bits. It also truncates pages. I caught it doing this  to Australia. It looked very similar to a couple of previous spam attacks where a number of anonymous users all attacked pages and added spam. Perhaps someone is doing more testing. Suspect any anonymous edit to a whole country page. -- Huttite 06:24, 21 Jan 2006 (EST)
(Heh. While I was typing about the same subject...)
Okay, so we're being repeatedly spammed by some idiot who doesn't even format his own spam-links correctly. But Wait! It gets worse! He clearly has a saved list of pages to modify that he goes through in sequence; and it is a human because there are such significant variations in lag between modifications.
I've sent off a complaint to email@example.com Hopefully they will deal with this so we don't need to block netvision's dialup range. -- Colin 01:25, 24 Aug 2004 (EDT)
We are nowhere close to needing to block him. So far we've been able to deal with this non-sense in just a couple of minutes collectively. Blocking is there for when it gets so out of hand that we can't handle it the normal way, like if he starts placing links faster than we can remove them. Until that happens I won't block, especially not a dynamic range.
I hope that the other admins show similar restraint.
Should it get truly out of hand -- as in he's adding bogus casino links faster than you can delete them -- then any admin who is around at the time should block right then and there without discussing it. Blocking is for emergencies in which there is no time for discussion. As soon as the person or bot or whatever stops the block should be removed.
Meanwhile, yes we should definitely take the step of complaining to his ISP, and anything else we can think of without blocking the whole range of IPs. -- Mark 04:49, 24 Aug 2004 (EDT)
FYI, he vandalises also fr:Washington (D.C.) every time. Should we send several complains? Yann 07:55, 24 Aug 2004 (EDT)
Absolutely in no way should we ban this IP address. It's very easy to clean this stuff up. --Evan 15:25, 24 Aug 2004 (EDT)
If complaining to netvision doesn't work, and he keeps doing this every two or three days, a temp ban may be useful in order to get him to take us off his to-do list. -- Colin 16:21, 24 Aug 2004 (EDT)
So he's back again today as User:184.108.40.206, but this time he's posting nonsense -- the same nonsense to every page. So either he has Obsessive Compulsive Disorder or he is now testing a script. Anyone else want to try complaing to firstname.lastname@example.org about him (please include a pointer to the history page  or a copy of when the IP Address was active)? Otherwise, we're going to have to deal with this indefintely, which will require a block. -- Colin 14:52, 14 Sep 2004 (EDT)
I still don't think it's bad enough to use blocking. If you click on the IP address of the spammer you can see all the edits they've made ever. The ones which have not yet been rolled back have a rollback link next to them. Just click that and it will rollback all changes made by that IP address to a given page. The process takes seconds, and doesn't involve blocking half of Tiawan or wherever just to stop one jerk from spamming us. -- Mark 08:53, 15 Sep 2004 (EDT)
Fine. I nominate you to spend time doing this every three days -- assuming he goes back to his previous pattern. Don't forget Washington DC on French wikitravel. Also, you did see my idea that blocking him temporarily will cause him to remove us from his list of sites? -- Colin 02:03, 16 Sep 2004 (EDT)
I guess that means that you aren't going to revert spam anymore? I can totally understand that, and I know I can't speak for everybody but I for one am just grateful for the vigilence you've already put into keeping the site spam-free. Thank you.
Hopefully the rest of us will be able to keep up.
Meanwhile, I think your idea about blocking the guy as a discouragement probably makes some sense, but really agree with Evan that for the moment SoftSecurity is a better approach for us, and one which we've had a lot of success with so far. Me, I think that the guy will eventually get tired of replacing the links we keep deleting. I could be wrong, and we could eventually try a temporary block maybe, but I would view that as a sort of failure on our part. -- Mark 06:58, 16 Sep 2004 (EDT)
I just wanted to say that I agree with Mark. I am very proud of the fact that we've gone a year plus without a user or IP ban, and I definitely don't think that this problem is sufficient to cause us to break that record. We can quite easily keep up with this user.
If anyone doesn't want to participate in the process of editing and improving this guide -- including deleting unwanted edits -- well, they don't have to. The great thing about wiki is that if you don't want to do something that needs to be done, someone else will.
Meanwhile, why are we waiting for two weeks for the VFD process on the pages the spammer made? They were already VFDed, and the spammer obviously didn't used the Votes-for-undeletion process to resurrect them. If anyone can just resurrect a page without discussion, the vfud process is meaningless. -- Colin 18:41, 17 Sep 2004 (EDT)
An observation concerning this vandal. He is not only hitting WikiTravel but other wiki's as well. I recently cleaned up the Know-how wiki after he used the same technique around the same time. -- Huttite 20:08, 2 Oct 2004 (EDT)
Vandalism on the Romanian Wikitravel
I think there was some vandalism on the Main Page of the Romanian Wikitravel. I reverted to an earlier version, but my Romanian being quite inexistant, could somebody else check that it's allright. Yann 12:30, 1 Sep 2004 (EDT)
Looks more like someone changed the destination of the month but forgot to change the picture. The same IP has been editing the Romanian Wikitravel for months, and has several pages on top. -phma 22:06, 2 Sep 2004 (EDT)
It was Ronline. Yes the fact that he was not loggued and that he changed the text and not the picture seems curious to me. Yann 12:25, 3 Sep 2004 (EDT)
Ronline often edits without logging in. Maybe he gets tired of being autologged out. -- Colin 13:16, 3 Sep 2004 (EDT)
Well can someone translate the article? There's a lot more about Sibiu in English than Romanian. -phma 21:38, 3 Sep 2004 (EDT)
I was the one who wrote the article on Sibiu in English, so I will translate it in Romanian too on the RO Wikitravel. I have already started doing this. Sorry for not logging in - it seems too cumbersome a process sometimes. The reason why I changed the text and not the picture is because, frankly, I couldn't find a picture of the city and the picture of Prague looked so nice (and, in many ways, similar to how Sibiu is like). In any case, I have found a decent picture from Wikipedia to put, even though I don't particularly like it. Cheers, Ronline 22:28, 4 Sep 2004 (EDT)
Someone in 80.131 (Deutsche Telekom) has been adding links to Kartenkredit with "minor edit" itp. in the summary. He's done it to three pages so far. T changes everyone's IP address each night, so we can't block him or leave a message on his talk page. How do we deal with this? Should we have a "vandalism in progress" page? -phma 10:38, 9 Jul 2004 (EDT)
Maybe post here so that others can have an eye on it... But every vandal will go away eventually. -- Nils 04:27, 17 Jul 2004 (EDT)
FYI: In the same vein, 220.127.116.11 has repeatedly added Iran (a stub) to Main page, and has just now removed Israel from the Middle East country list. IP is in Iran, so this is obviously some messed up fundamentalist. -- Nils 04:37, 18 Jul 2004 (EDT)
coohost dot biz
There is currently (as of 1:48 AM PST on 9 October 2005) some sort of bot spamming the site from a series of rotating IP addresses. I first tried rolling back changes, but due to the fact that several different IP addresses are changing the same file this wasn't working. I realized bans are frowned upon, but I hoped that banning a few of the IP addresses might help the situation - it did not due to the number of different IPs. At this point either the spam filter needs to run to block this spam, or else we need to hope that the bot stops as I see no other way of stopping this -- there are too many edits happening from too many different IPs to make rollbacks a feasible option. -- Wrh2 04:45, 9 Oct 2005 (EDT)
Since their URL fragment is entering the spam list shortly we should only need to block until then at the most, so maybe two or three hours. Are we sure it's a bot? They're only going after a fairly short list of pages so far. Blockage is a really big deal, especially if the "bot" is spoofing IP addresses. Not only does blocking not help but it could block real users who might help us. I know that's a long-shot, but still.
As for rollbacks, yes the rollback link is less useful in a situation like this, but one could pretty easily set up a tabbed browser (like Firefox) with a good version of each of the articles in edit mode on each tab. When the spammer comes back just hit "save page", and click edit again to set yourself up to do it again.
Or we just wait a few hours for the spam filter to reload, and do the cleanup then. -- Mark 04:59, 9 Oct 2005 (EDT)
Is the spam filter re-enabled? On the talk page Evan had indicated that it was turned off a while back. And yes, I realize blocking is a big deal, but my hope was that this attack was coming from a pool of compromised servers -- I'm checking each IP prior to blocking, and each is responsible for numerous page changes. I agree that possibly blocking legitimate users is a bad thing, but it's a 24 hour block and the odds of a legitimate user having the same IP address is pretty small (1 in 256 * 256 * 256 * 256).
Either way, it's very late here and I need to get to bed. Hopefully this stops soon and the army of editors can get to work cleaning things up. -- Wrh2 05:03, 9 Oct 2005 (EDT)
It could be a pool of compromised servers. If so there sure are a lot of them. Unfortunately I have stuff to do today, so I can't keep fixing things. -- Mark 06:05, 9 Oct 2005 (EDT)
$ whois coolhost dot biz
Domain Name: COOLHOST dot BIZ
Domain ID: D2893052-BIZ
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Domain Status: ok
Registrant ID: HARLMDJDB100B26A
Registrant Name: Harley Kaufman
Registrant Address1: 441 East 20th Street - 7D
Registrant City: NY
Registrant State/Province: NY
Registrant Postal Code: 10010
Registrant Country: United States
Registrant Country Code: US
Registrant Email: email@example.com
Administrative Contact ID: HARLMDJDB100B26A
Administrative Contact Name: Harley Kaufman
Administrative Contact Address1: 441 East 20th Street - 7D
Administrative Contact City: NY
Administrative Contact State/Province: NY
Administrative Contact Postal Code: 10010
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Email: firstname.lastname@example.org
Billing Contact ID: HARLMDJDB100B26A
Billing Contact Name: Harley Kaufman
Billing Contact Address1: 441 East 20th Street - 7D
Billing Contact City: NY
Billing Contact State/Province: NY
Billing Contact Postal Code: 10010
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Email: email@example.com
Technical Contact ID: HARLMDJDB100B26A
Technical Contact Name: Harley Kaufman
Technical Contact Address1: 441 East 20th Street - 7D
Technical Contact City: NY
Technical Contact State/Province: NY
Technical Contact Postal Code: 10010
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Email: firstname.lastname@example.org
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Sat Apr 06 05:30:17 GMT 2002
Domain Expiration Date: Wed Apr 05 23:59:59 GMT 2006
Domain Last Updated Date: Mon Mar 07 09:41:24 GMT 2005
>>>> Whois database was last updated on: Sun Oct 09 10:19:36 GMT 2005 <<<<
At last count there are around 395 IP addresses involved. Some of these though are real edits, so I certainly don't want to block them all. -- Mark 06:43, 9 Oct 2005 (EDT)
I take it back, looks more like there are around 95 affected IPs. -- Mark 06:49, 9 Oct 2005 (EDT)
Actually it appears that there's only one edit per host. I think that this is probably an instance of somebody sending out email spam which edits a given page on wikitravel when the recipient opens the spam using an email capable mail reader. The spammer seems to target a page at a time, and sends out probably a couple of hundred messages with the wikitravel editing payload. They may or may not actually be related to coolhost. -- Mark 09:39, 9 Oct 2005 (EDT)
We had the same problem on the german language version, but we have it unter control. -- Steffen M. 09:42, 9 Oct 2005 (EDT)
Whatever it is, it seems to finally have stopped. Evan, if you did some technical wizardry to manage this trick, please let us know and we'll start mopping up the mess. Jpatokal 09:44, 9 Oct 2005 (EDT)
Argh — the version histories of many articles are now messed up. Eg  claims that I nuked my own article, whereas the actual edit added a picture. Jpatokal 09:52, 9 Oct 2005 (EDT)
Now that it has (hopefully) stopped, here are a couple of questions:
If this happens again, is the proper behavior to just add the offending URL to the spam filter and hope that it ends? Is there a better way to handle it?
Is the history problem related to the attack, or is that a Mediawiki issue?
Could someone post more information about how one of these email attacks happens and add that to the this page?