Comment Spammers: Dual IP Strategy

Spammers are never welcome; they clutter up your comments and are a pain in the arse. They blow through your bandwidth, which then gets your ISP on your tail asking you to upgrade your account type. This costs you money. Here are some dual IP strategies that I found in analyzing my WordPress site’s comments.

While you cannot prevent all spam, ban managers are very helpful. There are, however, some spammers that use a tricky method. They GET your document with one IP and then PUT (POST) the comment with another. The second IP is what Akismet records, but if you ban it, the spam keeps coming because the spammer simply changes the IP address until he is successful. You need to ban the GET IP to remove the spammer. These spammers are harder to detect because you need to read your raw access log to see how they are reading your post in order to find their GET IP.
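The correlation described above can be automated. The following script is an added example, not code from the original post: it reads Apache/nginx "combined" format lines (the quoted-field layout is an assumption; the post's own log excerpt omits the quotes), indexes every GET by path, and flags each comment POST whose source IP never fetched the referring article within a time window, reporting the most recent other IP that did fetch it as the candidate GET IP to ban. The log lines, the example.com hostname and the IPs are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Apache/nginx "combined" format (assumed layout):
# ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Keep the log's own UTC offset so times compare correctly across sources.
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_dual_ip_posts(lines, comment_endpoint="/wp-comments-post.php",
                       window=timedelta(minutes=30)):
    """Return (post_ip, candidate_get_ip, article_path) for each comment POST
    whose IP did not GET the referring article inside `window`.
    candidate_get_ip is the latest other IP that fetched the article, or None."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["time"])
    gets_by_path = defaultdict(list)   # article path -> [(time, ip)] in time order
    flagged = []
    for r in records:
        path = urlparse(r["path"]).path
        if r["method"] == "GET":
            gets_by_path[path].append((r["time"], r["ip"]))
        elif r["method"] == "POST" and path == comment_endpoint:
            article = urlparse(r["referer"]).path
            recent = [(t, ip) for t, ip in gets_by_path[article]
                      if timedelta(0) <= r["time"] - t <= window]
            if any(ip == r["ip"] for _, ip in recent):
                continue  # same IP read the post and commented: a normal visitor
            candidate = recent[-1][1] if recent else None
            flagged.append((r["ip"], candidate, article))
    return flagged


# Constructed sample log: 203.0.113.10 reads the article, 198.51.100.77 posts
# the comment seven seconds later (dual IP); 192.0.2.5 reads and posts itself.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Jun/2018:10:14:02 -0600] "GET /2016/03/my-post/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [13/Jun/2018:10:14:03 -0600] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 2221 "http://example.com/2016/03/my-post/" "Mozilla/5.0"',
    '198.51.100.77 - - [13/Jun/2018:10:14:09 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://example.com/2016/03/my-post/" "Mozilla/5.0"',
    '192.0.2.5 - - [13/Jun/2018:11:02:40 -0600] "GET /2016/03/my-post/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [13/Jun/2018:11:05:11 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://example.com/2016/03/my-post/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for post_ip, get_ip, article in find_dual_ip_posts(SAMPLE_LOG):
        print(f"POST from {post_ip} on {article}; candidate GET IP to ban: {get_ip}")
```

Run it against a real file with `find_dual_ip_posts(open("access.log"))`. The 30-minute window is a guess; a spammer who reuses one read for several posts spaced out over time (as one entry in the list below notes) needs a wider window, and a POST with no matching GET at all is reported with `None` so you can look at it by hand.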

Here is my list of dual IP spammers I have banned from my site:
2.29.220.111 dual ip post to fake 185.153.151.11
5.255.81.169
5.15.194.47 5-15-194-47.residential.rdsnet.ro, POST to fake 92.167.55.221
14.102.76.26 WORLDPHONE dual IP to fake 188.166.3.32 2018-jun-13
24.14.134.30 c-24-14-134-30.hsd1.il.comcast.net dual ip post to fake cpe-24-93-138-164.maine.res.rr.com 2016-Sept-02
24.32.192.145 24-32-192-145.res.dyn.suddenlink.net, POST to 71.220.33.138
24.126.144.95 c-24-126-144-95.hsd1.ga.comcast.net, POST to fake s0106602ad07e6d8a.cn.shawcable.net 24.64.87.21
24.146.197.157 ool-1892c59d.dyn.optonline.net, POST as fake 31.38.115.192
24.240.119.116 24-240-119-116.dhcp.eucl.wi.charter.com dual ip spammer to fake 216.151.184.120 2016-oct-13
50.31.10.39
31.39.125.134 rob92-h03-31-39-125-134.dsl.sta.abo.bbox.fr , POST to fake 1-162-90-250.dynamic.hinet.net post 1.162.90.250
42.119.17.72 FPT Telecom Vn dual ip spam to fake 1.234.245.2 2018-may-14
46.164.141.45 DataGroup Datacom Ukr dual ip spam to fake 109.75.254.139 2018-jun-09
47.29.116.88 dual ip post to fake 47.29.14.72 2016-oct-08
47.221.166.84 47-221-166-84.gtwncmta03.res.dyn.suddenlink.net dual ip post to fake ool-4351ceab.dyn.optonline.net 2016-oct-17
64.44.51.107 Nexeon fake get 109.201.97.204 dual IP scam 2018-nov-30
66.61.1.211 Time Warner dual IP post for fake 173.44.59.96 2018-sept-11
67.208.251.172, POST to fake 184.146.128.70
68.113.216.106 Charter dual ip spammer to fake 75.80.135.223
68.199.90.104 ool-44c75a68.dyn.optonline.net, POST to 68.108.8.30
69.55.114.138 host-69-55-114-138.twlakes.net, POST to fake 82.233.117.59
69.243.96.174 c-69-243-96-174.hsd1.md.comcast.net, POST to fake 71.219.45.209
70.55.185.204 bell canada dual ip poster to fake 64.145.94.226
70.120.90.253 Time Warner dual ip spammer to fake 73.237.112.154 2018-mar-11
70.121.84.58 Time Warner dual ip spam to fake 67.168.96.223 2018-may-19
70.122.247.252 cpe-70-122-247-252.tx.res.rr.com, POST to fake dynamic.vdc.vn 222.255.216.123
71.163.4.250 pool-71-163-4-250.washdc.fios.verizon.net, POST to 74.140.117.5
71.244.38.18 Verzion, POST to fake 24.146.211.162
73.9.112.237 c-73-9-112-237.hsd1.il.comcast.net, POST to 76.185.85.15
73.166.93.171 comcast dual ip poster to fake 173.75.249.145
73.192.194.226 c-73-192-194-226.hsd1.ca.comcast.net, POST to fake 74.69.36.149
73.222.225.82 comcast dual ip poster to fake 50.71.193.129
74.58.139.170 videotron dual ip poster to fake 104.174.74.208
74.12.82.10 toroon2928w-lp130-05-1242321418.dsl.bell.ca, POST to fake 67.204.223.36
74.129.112.176 cpe-74-129-112-176.kya.res.rr.com dual ip post to fake cpe-173-174-34-247.austin.res.rr.com 2016-sept-04
74.71.252.149 cpe-74-71-252-149.nyc.res.rr.com dual ip post to fake s010600fc8dfd2e13.vc.shawcable.net 2016-oct-17
75.72.160.182 Comcast dual ip spammer to fake 75.138.31.122
77.22.53.130 ip4d163582.dynamic.kabel-deutschland.de, POST to fake 81.67.123.144
80.5.249.153 cpc77088-renf7-2-0-cust408.14-1.cable.virginm.net dual ip post to fake cpc101656-grth11-2-0-cust388.16-4.cable.virginm.net 94.175.5.133 2016-Sept-01
77.186.131.208 Telefonica Deutschland dual ip to fake 31.132.4.146
77.186.175.2 Telefonica Deutschland dual ip spam to fake 37.220.22.131 2018-may-31
77.187.18.57 Telefonica Deutschland dual ip spam to fake 77.81.107.67 2018-may-19
77.187.34.93 Telefonica De dual ip spam to fake 77.81.107.62 2018-jun-05
77.188.21.76 TELEFONICA De Argentina dual ip spam to fake 80.243.181.56 2018-jul-03
77.188.65.182 x4dbc41b6.dyn.telefonica.de dual ip to fake 88.150.131.197
78.51.175.153 Telefonica Germany dual ip spam to fake 31.132.4.146 2018-jun-09
78.51.205.240 x4e33cdf0.dyn.telefonica.de dual ip poster fake 109.73.79.173 2016-oct-23 uses one read for 2 posts, spaced out
78.51.205.240 x4e33cdf0.dyn.telefonica.de dual ip poster to fake 80.243.181.18 2016-oct-23
78.51.205.240 x4e33cdf0.dyn.telefonica.de dual ip poster to fake 45.61.46.240 2016-oct-23
78.52.211.102 Telefonica Germany dual ip spam to fake 80.243.181.4 2018-may-19
80.6.68.247 cpc15-asfd3-2-0-cust246.1-2.cable.virginm.net dual ip spammer to fake 88.67.78.36 2016-oct-13
81.2.236.229 229.236.forpsi.net FORPSI-CZ, POST to fake 89.36.221.71
81.152.197.49 host81-152-197-49.range81-152.btcentralplus.com, POST to 46.47.118.2
81.171.71.63 Eweka dual ip spammer to fake 62.153.14.120 2018-mar-11
81.171.74.72 81-171-74-72.ipvanish.com dual ip post to fake 053f9294.rdns.100tb.com 2016-oct-17
81.171.81.48 Mudhook Marketing dual ip poster to fake 2.237.115.178 2018-mar-04
81.171.97.63 81-171-97-63.ipvanish.com dual ip spammer to fake 90.109.149.228 2016-oct-13
81.171.107.128 IPVanish Mudhook dual ip spammer to fake 62.225.216.112 2018-mar-03
81.184.136.14 81.184.136.14.dyn.user.ono.com dual ip spammer to fake 82.103.129.46 2016-oct-13
82.119.86.58 EVOLINK NANET Bg dual ip spammer to fake 77.106.114.81 2018-feb-03
83.205.232.211 atoulouse-653-1-313-211.w83-205.abo.wanadoo.fr POST to fake 5.67.47.32
83.252.56.158 com hem se dual ip poster to fake 92.37.75.111
86.123.247.134, POST to fake bsn-142-6-145.dynamic.siol.net 89.142.6.145
88.105.52.177 88-105-52-177.dynamic.dsl.as9105.com, POST to fake 78.213.26.89
89.238.186.90 GLOBALAXS M247 dual ip spammer to fake 95.141.38.88
93.126.112.202 ip-70ca.proline.net.ua, POST fake to 196.22.241.169
94.16.114.186 NetCup De dual IP to fake 162.253.128.42 2018-dec-11
98.167.210.192 ip98-167-210-192.ph.ph.cox.net, POST to fake 23.243.64.206
98.189.4.194 wsip-98-189-4-194.oc.oc.cox.net dual ip post to fake 104.238.234.90 2016-oct-17
100.36.64.186 pool-100-36-64-186.washdc.fios.verizon.net, POST to fake 23.233.28.8
100.36.91.72
104.174.214.56 time warner dual ip poster to fake 47.147.134.135
104.148.208.124 ool-6894d07c.dyn.optonline.net dual ip post to fake s010600226b714ad2.vs.shawcable.net 2016-sept-03
104.244.154.119 Owned-Networks dual ip to fake 186.225.157.22
104.254.93.36
107.150.47.42 Datashack dual ip spammer to fake 115.216.62.214 2018-mar-26
107.150.47.42 Datashack dual ip spammer to fake 200.105.148.74 2018-mar-26
107.152.186.125 B2Net
109.201.142.113 NFORCE dual IP spam to fake 170.78.222.22 2018-aug-04
112.84.124.21 China Unicom Jiangsu
114.231.82.229 Chinanet Jiangsu dual ip spam to fake 180.116.188.72
114.232.112.4 CHINANET jiangsu dual ip spammer to fake 141.105.162.190
121.226.31.121 CHINANET jiangsu dual ip spammer post to fake 119.179.149.61
144.217.116.154 dual ip spam to fake 197.161.74.212 2018-jun-14
151.80.92.208 GET 96.8.116.248 PUT
167.99.4.244 Digital Ocean dual ip spam to fake 170.238.120.17 2018-jun-13
167.114.31.180
157.56.177.178 (Microsoft) dual IP to fake 183.245.147.37 (China Unicom)
173.245.203.93 Carpathia dual ip spam to fake 64.145.76.138 2018-may-19
174.29.8.23 174-29-8-23.hlrn.qwest.net, POST to 72.220.123.208
176.31.39.23
176.31.64.186 OVH dual ip to fake 81.171.71.48
178.32.12.113, POST to fake 93.118.75.204
178.33.196.31 dual ip post to fake cpc1-newt40-2-0-cust468.19-3.cable.virginm.net 2016-Sept-01
180.125.128.230 Chinanet Jiangsu dual ip spam for fake 176.37.121.85 2017-oct-15
185.28.21.141 HOSTINGER HOSTING-SERVERS dual ip spammer to fake 179.124.186.112 2018-feb-03
185.93.183.140 GLOBALAXS M247 dual ip spammer to fake 78.171.11.212
192.40.89.12 dual post ip post to fake 178-175-137-108.static.host 2016-Sept-02
192.40.95.6 dual ip post to fake host-92-44-37-100.reverse.superonline.net 2016-sept-04
195.154.57.220 Iliad Enterprises
192.95.42.42 OVH dual IP spam to fake 42.61.52.116
195.154.250.39 SeoOptimizedRankings.com
197.210.29.216 MTN-Nigeria dual ip spam to fake 197.210.173.90 2018-jun-17
197.210.226.160 MTN-Nigeria dual ip spam to fake 197.210.227.23 2018-jun-05
197.210.226.193 MTN-Nigeria dual ip spam to fake 197.210.227.233 2018-jun-05
204.210.244.81 cpe-204-210-244-81.columbus.res.rr.com, POST to 199.126.155.244
209.107.204.55 IPVanish Bandcon dual ip spammer to fake 74.194.110.58
216.151.180.136 BandCon dual ip spammer to fake 72.208.98.25 2018-mar-11
216.158.93.175 WebNX fake dual IP to 118.160.80.144 2018-aug-29
217.129.247.253 av-217-129-247-253.netvisao.pt dual ip spammer to fake 81.171.74.48 2016-oct-13
c999946513-cloudpro-420808331.cloudatcost.com, POST to fake 73.37.153.146
fl-71-55-180-6.dhcp.embarqhsd.net dual ip post to fake fp76f01e5d.chbd214.ap.nuro.jp 2016-Sept-03
cpe-23-243-64-206.socal.res.rr.com dual ip post to fake 96-33-78-17.dhcp.ahvl.nc.charter.com 2016-sept-04
bly33-1-78-247-2-54.fbx.proxad.net dual ip post to fake ppp079166067180.access.hol.gr 2016-sept-04
cpe-85-10-50-179.static.amis.hr dual ip post to fake cm-84.208.227.178.getinternet.no 2016-sept-04
c-71-231-213-159.hsd1.wa.comcast.net dual ip post to fake pool-68-134-103-93.bltmmd.fios.verizon.net 2016-sept-04
dyn-131-212-222-198.d.umn.edu dual ip post to fake 50.35.120.30 2016-sept-04

Along with these tricky dual comment spammers are those that wish to break into your WP site by trying to login. I have banned these people as well:
24.140.150.98
85.214.83.71
103.25.130.228
112.26.168.34
62.233.119.216 IOMart

12.83.172.46.customer.rostnet.net 46.172.83.12 tried this “GET /wp-login.php?action=logout&redirect_to=http://yandex.com HTTP/1.0”. What the hell?!?!
ROSTNET Ukraine 46.172.83.0 – 46.172.83.255

Correlating Drupal to my raw access log was more difficult. Drupal does not easily tell you what document the comment is attached to. On top of that, Drupal’s comment timestamp was actually 6 hours later than the raw access log. This commenter was a live person, rather than a bot. A bot would not be able to pass the captcha.

5.164.248.58 [02/Mar/2016:14:00:32 -0600] POST /root/comment/reply/58 HTTP/1.0 200 33144 http://dontai.com/root/comment/reply/58/ Mozilla/5.0 (Windows; rv:36.0) Gecko/20100101 Firefox/36.0
5.164.248.58 [02/Mar/2016:14:00:44 -0600] POST /root/comment/reply/58 HTTP/1.0 200 33163 http://dontai.com/root/comment/reply/58/ Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20120403211507 Firefox/39.0
5.164.248.58 [02/Mar/2016:14:00:45 -0600] POST /root/comment/reply/58 HTTP/1.0 200 33163 http://dontai.com/root/comment/reply/58/ Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0
5.164.248.58 [02/Mar/2016:14:00:46 -0600] POST /root/comment/reply/58 HTTP/1.0 302 - http://dontai.com/root/comment/reply/58/ Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

The PUT was timestamped at 14:00:46, return code of 200 and 33163 bytes used. The supposed Captcha I believe was logged at 14:00:46, with a return code of 302 and no bytes used. For sure I know the comment was logged to document 58, my main page post, and I know the calendar date. For Mar 02, document 58, while there are PUTs with return code 200, there are no other unique return codes for that date and that document.
