1-99seo.com looks like a similar content spammer campaign, from South America/Brazil. The style is very similar to fix-website-errors.com by Semalt, which was really terrible.
1-free-share-buttons.com looks to be the same.
It is these types of content scraper marketing campaigns that waste the receiving web site’s bandwidth. They visit the same pages daily, scraping from multiple IP addresses.
ns1648.ztomy.com has spammed me, but it has been difficult to track down and ban. The IPs jump around like Mexican jumping beans.
I finally got a positive spam hit from 184.108.40.206 and then from 220.127.116.11.
You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com and then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.
Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.
Their pattern is not as predictable as required by a computer but that is precisely the point: They want to fool anti-bot software, but allow their admin staff to figure it out. If staff have a couple of errors it is no problem.
wimax183-11.yota.com.ni hit my site as a part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com campaign, which I have already banned. That botnet was huge. They involved virtua in Brazil as well. Finally that campaign ended and they started with fix-website-errors.com and buttons-for-website. buttons-for-website is a really old Semalt SEO botnet campaign.
To the IP root of 190.181 for the first two octets, add the second two from the hostname.
wimax183-11.yota.com.ni 126.96.36.199 188.8.131.52 – 184.108.40.206 190.181.128/18 Yota De Nicaragua
10gbpsnl.greencloudvps.com hit my site looking for security weaknesses, so I thought it wise to research them and send them packing. They are a VPS, so I’ll never find the actual intruder.
They are spotty, so I will start small and work my way up.
10gbpsnl.greencloudvps.com 220.127.116.11 18.104.22.168 – 22.214.171.124 SERVERIUS NL
108-36.hukot.net seems to be a Tor exit server. While I am all for the philosophy of net privacy, these Tor servers more often than not are used to content spam me. As a result I ban almost all of them. It is human nature, I suppose, to take something that should be beneficial and, using selfish and personal reasons, turn it to a tool of the bad.
Oh well, who am I to judge. This is my site, I ban content spammers, and I therefore also ban Tor content spammers, exit or not.
hukot.net seems to be an ISP from the Czech Republic.
host-64-166-83.ubernet.com.bd was testing my security, so I thought I would out them. ubernet.com.bd is an IP telephone and ISP, out of Bangladesh.
This guy seems to have an older and a newer pattern. The older pattern starts with 220.47 and then appends the last 2 octets of the host name. The newer pattern starts with 45 and appends the last 3 octets of the host name.
host-161-148.ubernet.com.bd 126.96.36.199 188.8.131.52 – 184.108.40.206 220.127.116.11/21
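The host-name-to-IP rules described for yota.com.ni and ubernet.com.bd above can be applied mechanically when building a ban list. This is an added example, not code from the original posts; the rule names, the digit-matching regex and the expansion of 190.181.128/18 to 190.181.128.0/18 are assumptions made for the illustration.

```python
import ipaddress
import re

# Rules as the posts state them: (domain, octets read from the host label,
# fixed prefix, known range or None). The rule names are labels for this example.
RULES = {
    "yota":        ("yota.com.ni",    2, "190.181", "190.181.128.0/18"),
    "ubernet-old": ("ubernet.com.bd", 2, "220.47",  None),
    "ubernet-new": ("ubernet.com.bd", 3, "45",      None),
}

def candidate_ip(hostname):
    """Guess the IPv4 address encoded in a reverse-DNS name.

    Returns (rule, address, in_known_range) or None. in_known_range is None
    when no usable range is recorded for that ISP.
    """
    host = hostname.strip().lower().rstrip(".")
    for rule, (domain, count, prefix, cidr) in RULES.items():
        if not host.endswith("." + domain):
            continue
        label = host[: -(len(domain) + 1)]            # e.g. "wimax183-11"
        octets = [str(int(n)) for n in re.findall(r"\d+", label)]
        if len(octets) != count:
            continue                                  # wrong shape for this rule
        try:
            addr = ipaddress.IPv4Address(".".join([prefix] + octets))
        except ipaddress.AddressValueError:
            continue                                  # an octet above 255
        in_range = addr in ipaddress.ip_network(cidr) if cidr else None
        return rule, addr, in_range
    return None

# Host names from the posts plus two constructed ones that should not be trusted.
SAMPLE_HOSTS = [
    "wimax183-11.yota.com.ni",
    "host-64-166-83.ubernet.com.bd",
    "host-161-148.ubernet.com.bd",
    "wimax300-11.yota.com.ni",   # constructed: 300 is not a valid octet
    "wimax10-20.yota.com.ni",    # constructed: decodes outside the /18
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", candidate_ip(h))
```

Reverse-DNS names are set by whoever controls the address block, so a decoded address is a lead to check against the access log before it goes into a ban rule.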
static.vnpt.vn does not resolve as a host name, and as they scraped me I will track them down. They are pretty tricky. One of their tactics is that they use the host name “localhost”, which looks odd in the access log. Tech staff cannot find the actual IP address.
As I work with these IP ranges it is clear that this content scraper is doing a real detriment to Viet Nam. The use of his IPs would force me to pretty much ban the whole country. As an emerging country this would be very bad for Viet Nam, all for the greed and selfishness of a single bot maker. I know that there are no morals with stealing content, as with thieves, but at this stage of Viet Nam’s development this bot maker could easily damage the country.
lyncdiscover.dps.gov.co has nothing to do with the Government of Colombia, and a good thing, because it is a content scraper bot.
dps.gov.co is the Departamento para la Prosperidad Social, part of the Colombian Government. I am unsure how a content scraper got hold of a Colombian Government extent, legally.
As this is a Government site I have contacted their tech contact, but they do not look too sophisticated. At least I have done my part to try to stop this abuse of the dps.gov.co host name.
18.104.22.168 22.214.171.124 /15 COLOMBIA TEL