Tag: ban

best-hosting.simplexhost.net Content Spammer: Research, Ban

best-hosting.simplexhost.net is a prolific content spammer and a true chameleon: it changes IP addresses very often. Look up its hostname and you will get 62.210.24.146, but ban that IP, or even its whole range, and the spamming from best-hosting.simplexhost.net simply will not stop. That is effective at fooling anti-bot engines.

Observed:
62.210.24.146 62.210.0.0 – 62.210.127.255 Iliad is a spoof and has nothing to do with best-hosting.simplexhost.net
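The reason a hostname ban fails here is that the name in the log is a reverse (PTR) record the sender controls, while the hostname's own A record points somewhere else. The check that separates the two is forward-confirmed reverse DNS. The block below is an added example, not code from the post; it replaces live DNS with constructed lookup tables (FORWARD_A, REVERSE_PTR) so it runs offline, and the 185.89.x addresses carrying the spoofed PTR name are constructed sample data modelled on the research list that follows.

```python
import ipaddress

# Constructed stand-in for DNS lookups so the example runs offline. In real use
# the two maps would come from socket.gethostbyaddr (PTR) and
# socket.gethostbyname_ex (A records). The data mirrors what the post describes:
# the hostname's A record is a single address, while connections from other
# addresses arrive with a PTR record claiming the same hostname.
FORWARD_A = {
    "best-hosting.simplexhost.net": {"62.210.24.146"},
}
REVERSE_PTR = {
    "62.210.24.146": "best-hosting.simplexhost.net",
    "185.89.100.7": "best-hosting.simplexhost.net",   # constructed PTR claim
    "185.89.101.15": "best-hosting.simplexhost.net",  # constructed PTR claim
}


def is_fcrdns_confirmed(ip, reverse=REVERSE_PTR, forward=FORWARD_A):
    """Forward-confirmed reverse DNS: the PTR name for ip must itself resolve
    back to ip. Anything else is a name the address's owner merely asserts."""
    name = reverse.get(ip)
    if name is None:
        return False
    return ip in forward.get(name, set())


def ban_key(ip, reverse=REVERSE_PTR, forward=FORWARD_A):
    """What to put on the ban list for a given client address. Only a
    forward-confirmed name is safe to ban by name; otherwise ban the address."""
    if is_fcrdns_confirmed(ip, reverse, forward):
        return ("host", reverse[ip])
    return ("ip", ip)


def unconfirmed_networks(ips, prefixlen=24, reverse=REVERSE_PTR, forward=FORWARD_A):
    """Group addresses that fail FCrDNS into /prefixlen blocks, sorted, so the
    shared allocations behind a shifting hostname become visible."""
    nets = {
        ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        for ip in ips
        if not is_fcrdns_confirmed(ip, reverse, forward)
    }
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    for addr in REVERSE_PTR:
        print(addr, ban_key(addr))
    print(unconfirmed_networks(REVERSE_PTR))
```

Run against real log data, `unconfirmed_networks` is what turns a list of chameleon hits into the /24 blocks worth banning; the confirmed address stays bannable by name.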

Research:
185.89.100.0 185.89.100.0/24 EUNet USA Trusov Ilya Igorevych
185.89.100.7
185.89.100.48
185.89.100.56
185.89.100.134
185.89.100.160
185.89.100.181
185.89.100.221
185.89.100.223
185.89.100.231
185.89.100.236
185.89.100.239
185.89.100.248

185.89.101.0 185.89.101.0/24 Moscow Net Trusov Ilya Igorevych
185.89.101.15
185.89.101.27
185.89.101.30
185.89.101.31
185.89.101.43
185.89.101.56
185.89.101.62
185.89.101.80
185.89.101.119
185.89.101.160
185.89.101.163
185.89.101.175
185.89.101.218

contabo.host: Research, Ban

contabo.host is a consistent content scraper from Germany. I have been banning individual IPs for a while, so I thought it best to go for larger ranges. They are a hosting company, not an ISP. kontrollprozesse.contabo.host, a content spammer, was added 2016 Jul 27, and includes a larger ban range.

Observation:
vmi60316.contabo.host 5.189.137.81
vmi74707.contabo.host 5.189.142.153
vmi76252.contabo.host 5.189.162.103
vmi10785.contabo.host 79.143.180.67
vmi32368.contabo.host 213.136.84.244
m1131.contabo.host 178.238.239.246
kontrollprozesse.contabo.host host command maxed out and returned over 256 entries (2016 Jul 27)

Research:
Vmi37520.contabo.host 5.189.138.84 5.189.128.0 – 5.189.143.255 5.189.128.0/20 CONTABO 5.189.128.0 – 5.189.191.255 5.189.128.0/18
vmi55222.contabo.host 5.189.138.110
vmi53481.contabo.host 5.189.139.214
vmi38740.Contabo.host 5.189.142.182
vmi60944.contabo.host 5.189.153.59 5.189.144.0 – 5.189.159.255 5.189.144.0/20
M3124.contabo.host 5.189.144.124
vmi46878.contabo.host 5.189.155.137
vmi60164.contabo.host 5.189.168.169 5.189.160.0 – 5.189.175.255 5.189.160.0/20
m3506.contabo.host 5.189.173.106
Vmi57182.contabo.host 5.189.177.179 5.189.176.0 – 5.189.191.255 5.189.176.0/20
m0848.contabo.host 5.189.191.40
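Going from a pile of individual addresses to "larger ranges" is two small computations: turning a first–last allocation into CIDR blocks, and finding the smallest prefix that covers every observed address. The block below is an added example, not the post's own tooling; the address list is copied from the contabo.host lines above (only the 5.189.x.x ones), and the /18 ceiling in `plan_ban` is an assumed safety limit, not something the post specifies.

```python
import ipaddress

# Addresses the post lists for *.contabo.host inside 5.189.0.0/16 (copied from
# the observation and research lines above). The three hosts in other /16s are
# left out on purpose: one prefix covering all of them would be absurdly wide.
CONTABO_5_189 = [
    "5.189.137.81", "5.189.138.84", "5.189.138.110", "5.189.139.214",
    "5.189.142.153", "5.189.142.182", "5.189.144.124", "5.189.153.59",
    "5.189.155.137", "5.189.162.103", "5.189.168.169", "5.189.173.106",
    "5.189.177.179", "5.189.191.40",
]


def range_to_cidrs(first, last):
    """Express an inclusive first-last range as the minimal list of CIDR
    blocks. A range whose end is not on a prefix boundary needs more than one."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def spanning_network(ips):
    """Smallest single prefix containing every address in ips."""
    nums = sorted(int(ipaddress.ip_address(ip)) for ip in ips)
    lo, hi = nums[0], nums[-1]
    prefixlen = 32
    while prefixlen > 0 and (lo >> (32 - prefixlen)) != (hi >> (32 - prefixlen)):
        prefixlen -= 1
    base = (lo >> (32 - prefixlen)) << (32 - prefixlen)
    return str(ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefixlen}"))


def plan_ban(ips, widest_prefixlen=18):
    """Prefer one covering prefix, but never wider than /widest_prefixlen
    (assumed ceiling against collateral damage); when the addresses are too
    spread out, fall back to one /24 per address, merged where adjacent."""
    span = ipaddress.ip_network(spanning_network(ips))
    if span.prefixlen >= widest_prefixlen:
        return [str(span)]
    per24 = (ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips)
    return [str(n) for n in ipaddress.collapse_addresses(per24)]


def nginx_deny_block(networks):
    """Render the plan as nginx `deny` directives, one per line."""
    return "\n".join(f"deny {n};" for n in networks)


if __name__ == "__main__":
    print(range_to_cidrs("5.189.128.0", "5.189.191.255"))
    print(spanning_network(CONTABO_5_189))
    print(nginx_deny_block(plan_ban(CONTABO_5_189)))
```

For the fourteen 5.189 addresses the covering prefix comes out as 5.189.128.0/18, the same block the whois lookup above attributes to CONTABO, which is a useful cross-check that the range is the provider's and not a guess that swallows a neighbour.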

100tb.com: Research, Ban

92b9149c.lon.100tb.com has content spammed me, so I tracked them down.

Observation:
92b9149c.lon.100tb.com 146.185.20.156

Research:
053f90f5.rdns.100tb.com 5.63.144.245
053f90e4.rdns.100tb.com 5.63.144.228
053f93b4.rdns.100tb.com 5.63.147.180
053f9304.rdns.100tb.com 5.63.147.4
053f95dc.rdns.100tb.com 5.63.149.220
053f96be.rdns.100tb.com 5.63.150.190
053f97cc.rdns.100tb.com 5.63.151.204

2582e0ca.rdns.100tb.com 37.130.224.202
2582e016.rdns.100tb.com 37.130.224.22
2582e3dc.rdns.100tb.com 37.130.227.220
2582e595.rdns.100tb.com 37.130.229.149

6bb6e600.lon.100tb.com 107.182.230.54
6bb6ea00.lon.100tb.com 107.182.234.0
6bb6ee00.lon.100tb.com 107.182.238.38

6d7b6501.lon.100tb.com 109.123.101.1

92b91036.rdns.100tb.com 146.185.16.54
92b91a01.rdns.100tb.com 146.185.26.1
92b91b01.rdns.100tb.com 146.185.27.1
92b91b35.rdns.100tb.com 146.185.27.53
92b91b2d.rdns.100tb.com 146.185.27.45
92b91c01.rdns.100tb.com 146.185.28.1
92b91cb2.rdns.100tb.com 146.185.28.178
92b91d01.rdns.100tb.com 146.185.29.1
92b91fd6.rdns.100tb.com 146.185.31.214
92b91fd8.rdns.100tb.com 146.185.31.216
92b91fda.rdns.100tb.com 146.185.31.218
92b91fd9.rdns.100tb.com 146.185.31.217

b9028b0c.lon.100tb.com 185.2.139.12
b950dc00.lon.100tb.com 185.80.220.0

163data.com.cn Spammer: Research, Ban

163data.com.cn is a very prolific content spammer. While they operate out of Chinanet Fujian Province most of the time, they will take IPs from all over China. You can see the province in their IP address. I get spam from them at least every week, and much more when they are running a spam campaign.

I have tried banning their host name but this does not work. You need to ban by IP address, unfortunately.

mediaworksit.net: Research, Ban

free-109-108.mediaworksit.net has tried to crack my security so I thought it appropriate to track them down.

The host name only provides the third and fourth octets, leaving one to guess the first two. As they have not repeated the third octet, you will need to ban larger ranges.

Observation:
free-109-108.mediaworksit.net

Research:
free-112-5.mediaworksit.net 95.140.112.5 95.140.112.0 – 95.140.127.255 95.140.112.0/20
free-114-1.mediaworksit.net 95.140.114.0
free-124-110.mediaworksit.net 95.140.124.110
free-125-37.mediaworksit.net 95.140.125.37
free-125-62.mediaworksit.net 95.140.125.62

free-234-154.mediaworksit.net 109.111.234.154 109.111.234.0 – 109.111.237.255 109.111.234.0/22
free-235-194.mediaworksit.net 109.111.235.194

free-144-214.mediaworksit.net 178.254.144.214 178.254.128.0 – 178.254.191.255 178.254.128.0/18
free-148-194.mediaworksit.net 178.254.148.194
free-164-196.mediaworksit.net 178.254.164.196
free-167-14.mediaworksit.net 178.254.167.14
free-246-89.mediaworksit.net 178.253.246.89
free-249-30.mediaworksit.net 178.253.249.30

nullvpn.com: Research, Ban

hoor.nullvpn.com was trying to crack my security, so I thought it good to research and ban them. They are using a VPN, but there are not many IP addresses.

Observed:
hoor.nullvpn.com 128.199.170.45
paladin.nullvpn.com
kodi.nullvpn.com 128.199.103.2
hermod.nullvpn.com 188.166.188.219
cooper.nullvpn.com 128.199.127.59

Research:
Nullvpn.com 104.24.114.17

game.nullvpn.com 116.251.210.113

loki.nullvpn.com 128.199.80.0 128.199.0.0 – 128.199.255.255 DigitalOcean
necro.nullvpn.com 128.199.86.38
aegis.nullvpn.com 128.199.124.10
ra.nullvpn.com 128.199.176.180
tios.nullvpn.com 128.199.194.237
nyx.nullvpn.com 128.199.225.142
kodi.nullvpn.com 128.199.103.2

eros.nullvpn.com 139.59.234.213

free-02.nullvpn.com 149.202.60.72

poseidon.nullvpn.com 188.166.178.67 188.166.0.0 – 188.166.255.255 EU-DIGITALOCEAN
zeus.nullvpn.com 188.166.178.103
demeter.nullvpn.com 188.166.184.105
tyr.nullvpn.com 188.166.184.163
hermod.nullvpn.com 188.166.188.219
float.nullvpn.com 188.166.189.38
dev.nullvpn.com 188.166.190.144

bahnhof.se Content Scraper: Research, Ban

h-65-167.a416.corp.bahnhof.se has content spammed my site, so I am looking to remove it. bahnhof.se and bahnhof.no are from Sweden.

Observed:
h-65-167.a416.corp.bahnhof.se 79.136.65.167
h-42-226.a357.priv.bahnhof.se 79.136.42.226
h-46-23.a165.priv.bahnhof.se 46.59.46.23

Research:
h-130-176.a2.corp.bahnhof.no 37.123.130.176 a2 = 162 37.123.128.0 – 37.123.191.255 37.123.128.0/18

h-253-21.a139.corp.bahnhof.se 5.150.253.21 5.150.192.0 – 5.150.255.255 5.150.192.0/18
h-130-176.a2.corp.bahnhof.no 37.123.130.176 37.123.128.0 – 37.123.191.255 37.123.128.0/18
h-62-152.a213.priv.bahnhof.se 46.59.62.152 46.59.0.0 – 46.59.128.255 46.59.0.0/17

h-42-226.a357.priv.bahnhof.se 79.136.42.226 79.136.0.0 – 79.136.128.255 79.136.0.0/17
h-53-173.a157.priv.bahnhof.se 79.136.53.173
h-65-174.a416.corp.bahnhof.se 79.136.65.174

h-184-90.a322.priv.bahnhof.se 81.170.184.90 81.170.128.0 – 81.170.255.255 81.170.128.0/17
h-234-136.a189.priv.bahnhof.se 81.170.234.136
h-236-56.a193.priv.bahnhof.se 81.170.236.56
H-249-146.a175.corp.bahnhof.se 81.170.249.146

h-129-203.a328.priv.bahnhof.se 85.24.129.203 85.24.128.0 – 85.24.255.255 85.24.128.0/17
h-129-14.a209.priv.bahnhof.se 85.24.129.14
A218.cust.bahnhof.se 85.24.240.1

h-2-71.a322.priv.bahnhof.se 94.254.2.71 163.34 94.254.0.0 – 94.254.128.255 94.254.0.0/17
h-2-51.A322.priv.bahnhof.se 94.254.2.51
h-50-216.a240.priv.bahnhof.se 94.254.50.216

7by7.de Content Spammer: Research, Ban

tor-exit-node.7by7.de spammed me today, so I decided to track them down. There is not much on them, but it is a Tor exit server.

It is too bad that Tor exit servers are used for spamming, as many sites will ban them. Banning because of spamming really defeats the purpose of Tor. The best intentions result in misuse.

tor-exit-node.7by7.de 72.52.91.19
tor-exit-node.7by7.de 72.52.91.30
tor-exit-node.7by7.de 96.44.189.101
tor-exit-node.7by7.de 213.61.149.100

7by7.de 91.236.122.1

mbahrain.net: Research, Ban

mbahrain.mbahrain.net is using the Zend_Http_Client user agent, so they get banned. They are small, only 2 IPs.

mbahrain.mbahrain.net 198.57.181.97 198.57.128.0 – 198.57.255.255 198.57.128.0/17 UNIFIEDLAYER
mbahrain.mbahrain.net 198.57.168.229

yota.com.ni, Part of Semalt Botnet: Research, Ban

wimax183-11.yota.com.ni hit my site as part of the large Semalt botnet that started with the keywords-monitoring-your-success.com and free-video-tool.com campaign, which I have already banned. That botnet was huge; it involved Virtua in Brazil as well. Eventually that campaign ended and they started with fix-website-errors.com and buttons-for-website. buttons-for-website is a really old Semalt SEO botnet campaign.

Pattern:
Take 190.181 as the first two octets and append the two numbers from the hostname as the third and fourth octets.

Observed:
wimax183-11.yota.com.ni 190.181.183.11 190.181.128.0 – 190.181.191.255 190.181.128.0/18 Yota De Nicaragua

Research:
WiMax128-245.yota.com.ni 190.181.128.245
wimax129-115.yota.com.ni 190.181.129.115
wimax129-158.yota.com.ni 190.181.129.158
wimax132-70.yota.com.ni 190.181.132.70
WiMax133-44.yota.com.ni 190.181.133.44
WiMax137-187.yota.com.ni 190.181.137.187
WiMax139-2.yota.com.ni 190.181.139.2
WiMax141-57.yota.com.ni 190.181.141.57