Tag: ban

clientshostname.com Content Scraper: Research, Ban

customer.clientshostname.com scraped me, and the name is very generic, so I thought to research it. clientshostname.com has a lot of customer names prepended to it, so this excludes all their names. Three IP ranges should do you.

Observed:
customer.clientshostname.com

Research:
93.170.13.233 93.170.13.0/24
93.170.13.212
93.170.13.205
104.193.252.10 104.193.252.0/24
104.193.252.1
104.193.252.0
185.104.8.50 185.104.8.0 – 185.104.11.255 UK-KSERVERS
185.104.8.56
185.104.8.52
185.104.8.52
185.104.8.50
185.104.8.126
185.104.9.38
185.104.9.38
185.104.9.37
185.104.9.37
185.104.9.246
185.104.9.236
185.104.9.236
185.104.9.230
185.104.9.228
185.104.10.80
185.104.10.6
185.104.10.17
185.104.10.11
185.104.11.255
185.104.11.195
185.104.11.195
185.104.11.195
185.104.11.143
185.104.11.130
185.104.11.130
185.130.104.134
204.155.31.255
213.180.204.213

Permanent link to this post (82 words, 0 images, estimated 20 secs reading time)

blizoo.bg Content Scraper: Research, Ban

c8fb265ea92a.softphone.blizoo.bg scraped me, but this one is tough.

Observation:
c8fb265ea92a.softphone.blizoo.bg

Research:
0024d19b1333.softphone.blizoo.bg 84.252.31.0 0.36.209.155.19.51 84.252.0.0 – 84.252.63.255 84.252.0.0/18 Blizoo BG
001e6beed8e8.softphone.blizoo.bg 84.252.53.172
0024d1956637.Softphone.Blizoo.Bg 85.130.17.48 85.130.0.0 – 85.130.128.255 85.130.0.0/17

c8fb265ea1a7.softphone.blizoo.bg 130.204.57.130 130.204.0.0 – 130.204.255.255 130.204.0.0/16 BLIZOO Bg
002624ab99a0.softphone.blizoo.bg 130.204.81.53
38c85cd6f4bc.softphone.blizoo.bg 130.204.85.1
00252e5ee5e4.softphone.blizoo.bg 130.204.103.4
a4a24a37efd3.softphone.blizoo.bg 130.204.116.226
00252ea84d9b.softphone.blizoo.bg 130.204.143.1 0.37.46.168.77.155
602ad0d8f8b1.softphone.blizoo.bg 130.204.169.1
a4a24a394b91.softphone.blizoo.bg 130.204.243.142

Permanent link to this post (52 words, 0 images, estimated 12 secs reading time)

direcway.com Content Scraper: Research, Ban

host671420043112.direcway.com is a whisper bot that content scraped me. They are unique in that their hostname is somewhat ambiguous, making machine reading more difficult. All octets can be 2 or 3 digits long, allowing for much ambiguity.

whisper is a very much hated botnet that continues to attack my site, one ip at a time, small but relentless.

Observation:
host671420043112.direcway.com predicted IP is 67.142.112.43

Pattern:
The host name has all of the IP digits but is ambiguous. The first octet can be either 2 or 3 digits, so look at their IP ranges. The third and fourth octets are reversed. The third octet has a prepended “00”.

This is a preview of direcway.com Content Scraper: Research, Ban. Read the full post (157 words, 0 images, estimated 38 secs reading time)

network-consulting.fr Content Spammer: Research, Ban

network-consulting.fr had content spammed me, so I looked them up. They are interesting with its host name usage. if they spam me again i will be ready.

79.98.16.0 – 79.98.23.255 Network Consulting Fr

Observation:
f79.ip.network-consulting.fr My educated guess is 79.98.21.79

Pattern:
network-consulting.fr starts its “A” group from 79.98.16.0. Incrementing up the alphabet adds one number to the third octet, or third octet+. The first number of the host name is the fourth octet.

From this pattern they can go up to “H”

Research:
a20.ip.network-consulting.fr 79.98.16.20
a81.ip.network-consulting.fr 79.98.16.81
b248.ip.network-consulting.fr 79.98.17.248
c4.ip.network-consulting.fr 79.98.18.4
c17.ip.network-consulting.fr 79.98.18.17
c51.ip.network-consulting.fr 79.98.18.51
c61.ip.network-consulting.fr 79.98.18.61
c80.ip.network-consulting.fr 79.98.18.80
c165.ip.network-consulting.fr 79.98.18.165
d49.ip.network-consulting.fr 79.98.19.49

Permanent link to this post (104 words, 0 images, estimated 25 secs reading time)

ztomy.com Content Spammer: Research, Ban

ns1648.ztomy.com has spammed me, but it has been difficult to track down and ban. The ips jump around like mexican jumping beans.

Observations:
I finally got a positive spam hit from 5.231.42.24. and then from 5.231.40.52.
5.41.178.9 ns1648.ztomy.com
5.62.21.221 ns1648.ztomy.com
23.27.250.179 ns1648.ztomy.com 2016-nov-17
104.144.22.219 ns1648.ztomy.com 2016-nov-08
104.144.28.122 ns1648.ztomy.com 2016-oct-12
104.144.28.155 ns1648.ztomy.com 2016-nov-20
184.83.3.154 ns1648.ztomy.com 2016-oct-25
193.169.144.179 ns1648.ztomy.com 2016-nov-20
193.169.144.221 ns1648.ztomy.com 2016-nov-17
193.169.144.230 ns1648.ztomy.com 2016-nov-20
193.169.144.241 ns1648.ztomy.com 2016-nov-20
193.169.144.243 ns1648.ztomy.com 2016-nov-20
193.169.144.247 ns1648.ztomy.com 2016-nov-20
202.51.195.38 ns1648.ztomy.com 2016-nov-16
204.188.238.39 ns1648.ztomy.com 2017-mar-13
205.211.138.134 ns1648.ztomy.com 2016-nov-04

This is a preview of ztomy.com Content Spammer: Research, Ban. Read the full post (179 words, 0 images, estimated 43 secs reading time)

cable.net.co Content Scraper: Research, Ban

You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.comand then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.

Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.

Their pattern is not as predictable as required by a computer but that is precisely the point: They want to fool anti-bot software, but allow their admin staff to figure it out. If staff have a couple of errors it is no problem.

This is a preview of cable.net.co Content Scraper: Research, Ban. Read the full post (349 words, 0 images, estimated 1:24 mins reading time)

unassigned.psychz.net Comment Spammer: Research, Ban

unassigned.psychz.net spammed me, so I tracked them down. They use a lot of various IP ranges.

They have a hostname lookup of host 199.15.112.8 199.15.112.0 – 199.15.119.255 199.15.112.0/21 but this hostname has been used for so many more IPs.

Research:
23.91.13.35
23.228.228.142

45.35.1.10 45.34.0.0 – 45.35.255.255 45.34.0.0/15
45.34.0.0 – 45.35.105.255 45.35.0.0/18 45.35.64.0/19 45.35.96.0/21 45.35.104.0/23
45.35.71.119
45.35.75.57
45.35.90.36
45.35.90.36
45.35.105.172

66.249.75.140
66.249.75.231

74.117.56.250 74.117.56.0 – 74.117.63.255 74.117.56.0/21
74.117.58.193
74.117.62.54
74.117.62.54

107.160.192.167

108.171.240.170 108.171.240.0 – 108.171.255.255 108.171.240.0/20
108.171.240.86
108.171.240.86
108.171.255.189

173.224.209.59 173.224.208.0 – 173.224.223.255 173.224.208.0/20
173.224.211.52
173.224.218.223
173.224.218.223
173.224.218.83

174.132.240.146

192.168.10.202 192.168.0.0 – 192.168.255.255 192.168.0.0/16

This is a preview of unassigned.psychz.net Comment Spammer: Research, Ban. Read the full post (145 words, 0 images, estimated 35 secs reading time)

hosted-by.leaseweb.com: Research, Ban

I have had a couple encounters with this spammer, but only one where they left an actual IP for me to ban. The rest I have only the host name, much more difficult to track down.

Research them and you will know they are a formidable entity to track and ban. There is a lot of IP ranges to cover.

Observation:
hosted-by.leaseweb.com confirmed because they spammed me, so I have their IP address
Leaseweb Deutschland
46.165.250.0 – 46.165.251.255
46.165.251.153
hosted-by.leaseweb.com 108.59.8.80
162.210.196.130 hosted-by.leaseweb.com

Leaseweb is scraping with an anon bot called “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)” and a bot “-”
91.109.16.0 – 91.109.23.255
95.211.142.0 – 95.211.144.255

This is a preview of hosted-by.leaseweb.com: Research, Ban. Read the full post (180 words, 0 images, estimated 43 secs reading time)

setaptr.net Content Spammer: Research, Ban

d15f328d.setaptr.net content spammed me, so I thought to look them up and ban them.

Observation:
d15f328d.setaptr.net 209.95.50.141

Pattern:
Convert hex to the IP 4 octets.

Research:
d15f2929.Setaptr.net 209.95.41.41 209.95.32.0 – 209.95.63.255 209.95.32.0/19 Hosting Services
d15f2997.setaptr.net 209.95.41.151
d15f29a4.setaptr.net 209.95.41.164
d15f328d.setaptr.net 209.95.50.141
d15f3237.setaptr.net 209.95.50.55
d15f32af.setaptr.net 209.95.50.175
d15f323c.setaptr.net 209.95.50.60
d15f328e.setaptr.net 209.95.50.142
d15f32a4.setaptr.net 209.95.50.164
d15f3277.setaptr.net 209.95.50.119
d15f326b.setaptr.net 209.95.50.107
d15f325f.setaptr.net 209.95.50.95
d15f3263.setaptr.net 209.95.50.99
d15f325b.setaptr.net 209.95.50.91
d15f325d.setaptr.net 209.95.50.93
d15f320d.setaptr.net 209.95.50.13
d15f33db.setaptr.net 209.95.51.219
d15f33eb.setaptr.net 209.95.51.235

6bb6e4cd.setaptr.net 107.182.228.205 107.182.224.0 – 107.182.239.255 107.182.224.0/20 Hosting Services
6bb6e6c8.setaptr.net 107.182.230.200
6bb6e664.setaptr.net 107.182.230.100
6bb6e60a.setaptr.net 107.182.230.10
6bb6e932.setaptr.net 107.182.233.50

6d7b651c.setaptr.net 109.123.101.28 109.123.101.0 – 109.123.101.255 UK2
6d7b65ab.setaptr.net 109.123.101.171
6d7b65b4.setaptr.net 109.123.101.180
6d7b65e2.setaptr.net 109.123.101.226

Permanent link to this post (97 words, 0 images, estimated 23 secs reading time)

static.cmcti.vn: Research, Ban

static.cmcti.vn tried to do some security funny business and was testing my security. I was curious so did research.

static.cmcti.vn is anything but static. In fact there is a lot of research on this host name. It seems this guy has been very active and has changed IPs on a very regular basis.

As Viet Nam is an emerging country I’m unsure about banning large swaths of IP ranges.

Observation:
static.cmcti.vn 183.91.3.182 comment spammed me and I now have a positive IP to ban.
static.cmcti.vn 101.99.23.217 2016-sept-23
101.99.52.242 static.cmcti.vn 2016-oct-19
101.99.11.18 static.cmcti.vn 2016-nov-04
113.20.116.83 static.cmcti.vn 2017-feb-13

This is a preview of static.cmcti.vn: Research, Ban. Read the full post (232 words, 0 images, estimated 56 secs reading time)