Tag Archives: key

blizoo.bg Content Scraper: Research, Ban

c8fb265ea92a.softphone.blizoo.bg scraped me, but this one is tough.

Observation:
c8fb265ea92a.softphone.blizoo.bg

Research:
0024d19b1333.softphone.blizoo.bg 84.252.31.0 0.36.209.155.19.51 84.252.0.0 – 84.252.63.255 84.252.0.0/18 Blizoo BG
001e6beed8e8.softphone.blizoo.bg 84.252.53.172
0024d1956637.Softphone.Blizoo.Bg 85.130.17.48 85.130.0.0 – 85.130.128.255 85.130.0.0/17

c8fb265ea1a7.softphone.blizoo.bg 130.204.57.130 130.204.0.0 – 130.204.255.255 130.204.0.0/16 BLIZOO Bg
002624ab99a0.softphone.blizoo.bg 130.204.81.53
38c85cd6f4bc.softphone.blizoo.bg 130.204.85.1
00252e5ee5e4.softphone.blizoo.bg 130.204.103.4
a4a24a37efd3.softphone.blizoo.bg 130.204.116.226
00252ea84d9b.softphone.blizoo.bg 130.204.143.1 0.37.46.168.77.155
602ad0d8f8b1.softphone.blizoo.bg 130.204.169.1
a4a24a394b91.softphone.blizoo.bg 130.204.243.142

cable.net.co Content Scraper: Research, Ban

You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.comand then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.

Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.

Their pattern is not as predictable as required by a computer but that is precisely the point: They want to fool anti-bot software, but allow their admin staff to figure it out. If staff have a couple of errors it is no problem.

unassigned.psychz.net Comment Spammer: Research, Ban

unassigned.psychz.net spammed me, so I tracked them down. They use a lot of various IP ranges.

They have a hostname lookup of host 199.15.112.8 199.15.112.0 – 199.15.119.255 199.15.112.0/21 but this hostname has been used for so many more IPs.

Research:
23.91.13.35
23.228.228.142

45.35.1.10 45.34.0.0 – 45.35.255.255 45.34.0.0/15
45.34.0.0 – 45.35.105.255 45.35.0.0/18 45.35.64.0/19 45.35.96.0/21 45.35.104.0/23
45.35.71.119
45.35.75.57
45.35.90.36
45.35.90.36
45.35.105.172

66.249.75.140
66.249.75.231

74.117.56.250 74.117.56.0 – 74.117.63.255 74.117.56.0/21
74.117.58.193
74.117.62.54
74.117.62.54

107.160.192.167

108.171.240.170 108.171.240.0 – 108.171.255.255 108.171.240.0/20
108.171.240.86
108.171.240.86
108.171.255.189

173.224.209.59 173.224.208.0 – 173.224.223.255 173.224.208.0/20
173.224.211.52
173.224.218.223
173.224.218.223
173.224.218.83

174.132.240.146

192.168.10.202 192.168.0.0 – 192.168.255.255 192.168.0.0/16

hosted-by.leaseweb.com: Research, Ban

I have had a couple encounters with this spammer, but only one where they left an actual IP for me to ban. The rest I have only the host name, much more difficult to track down.

Research them and you will know they are a formidable entity to track and ban. There is a lot of IP ranges to cover.

Observation:
hosted-by.leaseweb.com confirmed because they spammed me, so I have their IP address
Leaseweb Deutschland
46.165.250.0 – 46.165.251.255
46.165.251.153
hosted-by.leaseweb.com 108.59.8.80
162.210.196.130 hosted-by.leaseweb.com

Leaseweb is scraping with an anon bot called “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)” and a bot “-”
91.109.16.0 – 91.109.23.255
95.211.142.0 – 95.211.144.255

setaptr.net Content Spammer: Research, Ban

d15f328d.setaptr.net content spammed me, so I thought to look them up and ban them.

Observation:
d15f328d.setaptr.net 209.95.50.141

Pattern:
Convert hex to the IP 4 octets.

Research:
d15f2929.Setaptr.net 209.95.41.41 209.95.32.0 – 209.95.63.255 209.95.32.0/19 Hosting Services
d15f2997.setaptr.net 209.95.41.151
d15f29a4.setaptr.net 209.95.41.164
d15f328d.setaptr.net 209.95.50.141
d15f3237.setaptr.net 209.95.50.55
d15f32af.setaptr.net 209.95.50.175
d15f323c.setaptr.net 209.95.50.60
d15f328e.setaptr.net 209.95.50.142
d15f32a4.setaptr.net 209.95.50.164
d15f3277.setaptr.net 209.95.50.119
d15f326b.setaptr.net 209.95.50.107
d15f325f.setaptr.net 209.95.50.95
d15f3263.setaptr.net 209.95.50.99
d15f325b.setaptr.net 209.95.50.91
d15f325d.setaptr.net 209.95.50.93
d15f320d.setaptr.net 209.95.50.13
d15f33db.setaptr.net 209.95.51.219
d15f33eb.setaptr.net 209.95.51.235

6bb6e4cd.setaptr.net 107.182.228.205 107.182.224.0 – 107.182.239.255 107.182.224.0/20 Hosting Services
6bb6e6c8.setaptr.net 107.182.230.200
6bb6e664.setaptr.net 107.182.230.100
6bb6e60a.setaptr.net 107.182.230.10
6bb6e932.setaptr.net 107.182.233.50

6d7b651c.setaptr.net 109.123.101.28 109.123.101.0 – 109.123.101.255 UK2
6d7b65ab.setaptr.net 109.123.101.171
6d7b65b4.setaptr.net 109.123.101.180
6d7b65e2.setaptr.net 109.123.101.226

static.cmcti.vn: Research, Ban

static.cmcti.vn tried to do some security funny business and was testing my security. I was curious so did research.

static.cmcti.vn is anything but static. In fact there is a lot of research on this host name. It seems this guy has been very active and has changed IPs on a very regular basis.

As Viet Nam is an emerging country I’m unsure about banning large swaths of IP ranges.

Observation:
static.cmcti.vn 183.91.3.182 comment spammed me and I now have a positive IP to ban.
static.cmcti.vn 101.99.23.217 2016-sept-23
101.99.52.242 static.cmcti.vn 2016-oct-19
101.99.11.18 static.cmcti.vn 2016-nov-04
113.20.116.83 static.cmcti.vn 2017-feb-13

best-hosting.simplexhost.net Content Spammer: Research, Ban

best-hosting.simplexhost.net is a prolific content spammer, and a true chameleon, as it changes IP addresses very often. Look up its hostname and you will get 62.210.24.146, but ban this ip or even range and best-hosting.simplexhost.net spamming simply will not stop. This is good for fooling anti-bot engines.

Observed:
62.210.24.146 62.210.0.0 – 62.210.127.255 Iliad is a spoof and has nothing to do with best-hosting.simplexhost.net

Research:
185.89.100.0 185.89.100.0/24 EUNet USA Trusov Ilya Igorevych
185.89.100.7
185.89.100.48
185.89.100.56
185.89.100.56
185.89.100.134
185.89.100.160
185.89.100.181
185.89.100.221
185.89.100.223
185.89.100.231
185.89.100.236
185.89.100.239
185.89.100.248

185.89.101.0 185.89.101.0/24 Moscow Net Trusov Ilya Igorevych
185.89.101.15
185.89.101.27
185.89.101.30
185.89.101.31
185.89.101.43
185.89.101.56
185.89.101.62
185.89.101.80
185.89.101.119
185.89.101.160
185.89.101.163
185.89.101.175
185.89.101.218
185.89.101.218

contabo.host: Research, Ban

contabo.host is a consistent content scraper from Germany. I’ve been banning IPs for a while, so thought it best to go for larger ranges. They are a hosting company, not an ISP. kontrollprozesse.contabo.host, a content spammer, was added 2016 Jul 27, and includes a larger ban range.

Observation:
vmi60316.contabo.host 5.189.137.81
vmi74707.contabo.host 5.189.142.153
vmi76252.contabo.host 5.189.162.103
vmi10785.contabo.host 79.143.180.67
vmi32368.contabo.host 213.136.84.244
m1131.contabo.host 178.238.239.246
kontrollprozesse.contabo.host host command maxed out and returned over 256 entries (2016 Jul 27)

Research:
Vmi37520.contabo.host 5.189.138.84 5.189.128.0 – 5.189.143.255 5.189.128.0/20 CONTABO 5.189.128.0 – 5.189.191.255 5.189.128.0.18
vmi55222.contabo.host 5.189.138.110
vmi53481.contabo.host 5.189.139.214
vmi38740.Contabo.host 5.189.142.182
vmi60944.contabo.host 5.189.153.59 5.189.144.0 – 5.189.159.255 5.189.144.0/20
M3124.contabo.host 5.189.144.124
M3124.contabo.host 5.189.144.124
vmi46878.contabo.host 5.189.155.137
vmi60164.contabo.host 5.189.168.169 5.189.160.0 – 5.189.175.255 5.189.160.0/20
m3506.contabo.host 5.189.173.106
Vmi57182.contabo.host 5.189.177.179 5.189.176.0 – 5.189.191.255 5.189.176.0/20
m0848.contabo.host 5.189.191.40

163data.com.cn Spammer: Research, Ban

163data.com.cn is a very prolific content spammer. While they operate out of Chinanet Fujian Province most of the time, they will take IPs from all over China. You can see the province in their ip address. I get spam from them at least every week, and much more if they have a spam campaign.

I have tried banning their host name but this does not work. You need to ban by IP address, unfortunately.

bahnhof.se Content Scraper: Research, Ban

h-65-167.a416.corp.bahnhof.se has content spammed by site, so I am looking to remove it. bahnhof.se and bahnhof.no are from Sweden.

Observed:
h-65-167.a416.corp.bahnhof.se 79.136.65.167
h-42-226.a357.priv.bahnhof.se 79.136.42.226
h-46-23.a165.priv.bahnhof.se 46.59.46.23

Research:
h-130-176.a2.corp.bahnhof.no 37.123.130.176 a2 = 162 37.123.128.0 – 37.123.191.255 37.123.128.0/18

h-253-21.a139.corp.bahnhof.se 5.150.253.21 5.150.192.0 – 5.150.255.255 5.150.192.0/18
h-130-176.a2.corp.bahnhof.no 37.123.130.176 37.123.128.0 – 37.123.191.255 37.123.128.0/18
h-62-152.a213.priv.bahnhof.se 46.59.62.152 46.59.0.0 – 46.59.128.255 46.59.0.0/17

h-42-226.a357.priv.bahnhof.se 79.136.42.226 79.136.0.0 – 79.136.128.255 79.136.0.0/17
h-53-173.a157.priv.bahnhof.se 79.136.53.173
h-65-174.a416.corp.bahnhof.se 79.136.65.174

h-184-90.a322.priv.bahnhof.se 81.170.184.90 81.170.128.0 – 81.170.255.255 81.170.128.0/17
h-234-136.a189.priv.bahnhof.se 81.170.234.136
h-236-56.a193.priv.bahnhof.se 81.170.236.56
H-249-146.a175.corp.bahnhof.se 81.170.249.146

h-129-203.a328.priv.bahnhof.se 85.24.129.203 85.24.128.0 – 85.24.255.255 85.24.128.0/17
h-129-14.a209.priv.bahnhof.se 85.24.129.14
A218.cust.bahnhof.se 85.24.240.1

h-2-71.a322.priv.bahnhof.se 94.254.2.71 163.34 94.254.0.0 – 94.254.128.255 94.254.0.0/17
h-2-71.a322.priv.bahnhof.se 94.254.2.71
h-2-51.A322.priv.bahnhof.se 94.254.2.51
h-50-216.a240.priv.bahnhof.se 94.254.50.216