You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com and then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.
Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.
Their pattern is not as predictable as a computer would require, but that is precisely the point: they want to fool anti-bot software, but allow their admin staff to figure it out. If staff make a couple of errors, it is no problem.
I have had a couple of encounters with this spammer, but only one where they left an actual IP for me to ban. For the rest I have only the host name, which is much more difficult to track down.
Research them and you will know they are a formidable entity to track and ban. There are a lot of IP ranges to cover.
Observation:
hosted-by.leaseweb.com confirmed because they spammed me, so I have their IP address
Leaseweb Deutschland
46.165.250.0 – 46.165.251.255
46.165.251.153
hosted-by.leaseweb.com 108.59.8.80
162.210.196.130 hosted-by.leaseweb.com
Leaseweb is scraping with an anon bot called “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)” and a bot “-”
91.109.16.0 – 91.109.23.255
95.211.142.0 – 95.211.144.255
static.cmcti.vn tried to do some security funny business and was testing my security. I was curious, so I did some research.
static.cmcti.vn is anything but static. In fact there is a lot of research on this host name. It seems this guy has been very active and has changed IPs on a very regular basis.
As Viet Nam is an emerging country, I’m unsure about banning large swaths of IP ranges.
Observation:
static.cmcti.vn 183.91.3.182 comment spammed me and I now have a positive IP to ban.
static.cmcti.vn 101.99.23.217 2016-sept-23
101.99.52.242 static.cmcti.vn 2016-oct-19
101.99.11.18 static.cmcti.vn 2016-nov-04
113.20.116.83 static.cmcti.vn 2017-feb-13
best-hosting.simplexhost.net is a prolific content spammer, and a true chameleon, as it changes IP addresses very often. Look up its hostname and you will get 62.210.24.146, but ban this IP or even its range and the best-hosting.simplexhost.net spamming simply will not stop. This is good for fooling anti-bot engines.
Observed:
62.210.24.146 62.210.0.0 – 62.210.127.255 Iliad is a spoof and has nothing to do with best-hosting.simplexhost.net
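The mismatch described for best-hosting.simplexhost.net can be checked with forward-confirmed reverse DNS: take the name the connecting address's PTR record claims, resolve that name forward, and trust it only if the connecting address is among the results. This is an added example, not code from the original post; it assumes the host name in the logs comes from a reverse lookup, and the client addresses 203.0.113.45, 198.51.100.7 and 192.0.2.9 and the name crawler.example.net are constructed.

```python
import socket

def system_ptr(ip):
    """Reverse (PTR) lookup via the system resolver; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_addrs(name):
    """Forward (A/AAAA) lookup via the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_client(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Trust the PTR name only if it resolves forward to the connecting IP."""
    name = ptr_lookup(ip)
    forward = addr_lookup(name) if name else set()
    confirmed = ip in forward
    return {
        "ip": ip,
        "ptr": name,
        "forward": sorted(forward),
        "confirmed": confirmed,
        # An unconfirmed name is just a label chosen by whoever controls the
        # address block, so the only reliable ban key is the connecting IP.
        "ban_key": name if confirmed else ip,
    }

# Constructed offline data. Only 62.210.24.146 and the simplexhost name are
# from the post; the client addresses and crawler.example.net are made up.
SAMPLE_PTR = {
    "203.0.113.45": "best-hosting.simplexhost.net",
    "198.51.100.7": "crawler.example.net",
}
SAMPLE_FORWARD = {
    "best-hosting.simplexhost.net": {"62.210.24.146"},
    "crawler.example.net": {"198.51.100.7"},
}

def check_sample(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return check_client(ip, SAMPLE_PTR.get,
                        lambda name: SAMPLE_FORWARD.get(name, set()))

if __name__ == "__main__":
    for client in ("203.0.113.45", "198.51.100.7", "192.0.2.9"):
        print(check_sample(client))
```

Calling `check_client(ip)` with no other arguments uses live DNS through the system resolver instead of the sample tables.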
contabo.host is a consistent content scraper from Germany. I’ve been banning IPs for a while, so I thought it best to go for larger ranges. They are a hosting company, not an ISP. kontrollprozesse.contabo.host, a content spammer, was added 2016 Jul 27, and includes a larger ban range.
Observation:
vmi60316.contabo.host 5.189.137.81
vmi74707.contabo.host 5.189.142.153
vmi76252.contabo.host 5.189.162.103
vmi10785.contabo.host 79.143.180.67
vmi32368.contabo.host 213.136.84.244
m1131.contabo.host 178.238.239.246
kontrollprozesse.contabo.host host command maxed out and returned over 256 entries (2016 Jul 27)
163data.com.cn is a very prolific content spammer. While they operate out of Chinanet Fujian Province most of the time, they will take IPs from all over China. You can see the province in their IP address. I get spam from them at least every week, and much more if they have a spam campaign.
I have tried banning their host name, but this does not work. You need to ban by IP address, unfortunately.