Tag: strategy

ioflood.com: Research, Ban

ioflood.com piqued my interest with its novel hostname: we.love.servers.at.ioflood.com. This turned out to be a barrage of IP addresses, something I did not expect.

Observations:
we.love.servers.at.ioflood.com host lookup 96.45.82.85

Research:
23.226.70.146
23.226.75.246
23.226.76.27
23.226.77.6
23.226.78.222
66.160.196.45
96.45.82.85
104.161.12.41
104.161.18.1
104.161.66.100
107.167.70.227
107.167.77.67
107.167.86.160 107.167.64.0 – 107.167.95.255 107.167.64.0/19
107.167.95.128
107.167.95.141
107.167.95.150
107.167.95.153
107.167.95.173
107.167.95.240
107.167.95.242
107.178.72.147
107.178.98.181
107.178.98.90
107.178.109.225
107.178.110.116
107.178.110.205
107.178.113.209
107.189.135.173
107.189.159.203
107.189.161.170
107.189.161.170
148.163.12.23
148.163.31.25
148.163.31.220
148.163.31.231
148.163.58.123
148.163.97.139
148.163.97.161
148.163.113.107
148.163.122.22
148.163.122.162
148.163.122.165
162.218.115.228
184.105.134.1
184.164.70.158
184.164.73.137
184.164.73.180
184.164.80.80
184.164.84.52
184.164.90.66
192.30.139.30
192.110.160.24
192.110.163.22
192.110.167.229
199.167.133.14
199.167.134.31
199.231.86.82
199.30.53.22

voxility.net Content Scraper: Research, Ban

Voxility has been scraping me for a while and I’ve banned their hostnames, but I could not look up lh27033.voxility.net, so this started the research.

Observation:
lh27033.voxility.net

Research:
lh28925.voxility.net 5.254.112.141 5.254.64.0 – 5.254.127.255 5.254.64.0/18
lh27337.voxility.net 37.221.161.98 37.221.160.0 – 37.221.175.255 37.221.160.0/20
lh25704.voxility.net 37.221.161.149
lh20524.voxility.net 37.221.161.156
lh25696.voxility.net 37.221.163.213
lh25646.voxility.net 37.221.165.196
lh18827.voxility.net 37.221.167.108
lh28364.voxility.net 37.221.171.24

lh17088.voxility.net 39.41.114.93
lh25613.voxility.net 41.218.228.206
lh17088.voxility.net 93.114.41.39 93.114.40.0 – 93.114.47.255 93.114.40.0/21
lh20162.voxility.net 93.114.43.45
lh21485.voxility.net 93.115.82.214 93.115.80.0 – 93.115.87.255 93.115.88.0 – 93.115.91.255 93.115.92.0 – 93.115.95.255 93.115.80.0/20
lh21729.voxility.net 93.115.83.152
lh22451.voxility.net 93.115.83.252
lh21001.voxility.net 93.115.84.226
lh27175.voxility.net 93.115.85.133
lh25655.voxility.net 93.115.91.54
lh26417.voxility.net 93.115.92.207
lh26480.voxility.net 93.115.92.247
lh25350.voxility.net 93.115.92.248
lh28409.voxility.net 93.115.95.201
lh28409.voxility.net 93.115.95.202
lh28409.voxility.net 93.115.95.204
lh28409.voxility.net 93.115.95.206
lh28409.voxility.net 93.115.95.207
lh28409.voxility.net 93.115.95.207
lh17109.voxility.net 109.163.227.25 109.163.224.0 – 109.163.239.255 109.163.224.0/20
lh19738.voxility.net 109.163.231.168
lh25680.voxility.net 109.163.234.13
lh21184.voxility.net 109.163.234.39

blazingfast.io Content Spammer: Research, Ban

hosted-by.blazingfast.io spammed me, so I looked them up. They are an orderly shop.

Observation:
185.61.138.178

Research:
185.11.144.105

185.11.145.4 185.11.145.0 – 185.11.148.255 185.11.145.0/22
185.11.145.5
185.11.145.7
185.11.145.10
185.11.145.18
185.11.145.184
185.11.145.97
185.11.146.126
185.11.146.139
185.11.146.201
185.11.146.76
185.11.147.3
185.11.147.59

185.61.136.34 185.61.136.0 – 185.61.139.255 185.61.136.0/22
185.61.137.48
185.61.137.50
185.61.137.78
185.61.137.93
185.61.138.25
185.61.138.28
185.61.138.124
185.61.138.170
185.61.138.196
185.61.138.250

185.62.188.3 185.62.188.0 – 185.62.191.255 185.62.188.0/22
185.62.188.55
185.62.188.78
185.62.188.98
185.62.188.100
185.62.188.109
185.62.188.128
185.62.188.148
185.62.188.162
185.62.188.176
185.62.188.177
185.62.189.81
185.62.189.189
185.62.189.211
185.62.190.76
185.62.190.79
185.62.190.156
185.62.190.203

188.209.49.34 188.209.49.0/24
188.209.49.47
188.209.49.84
188.209.49.206

188.209.52.34 188.209.52.0/24
188.209.52.63
188.209.52.109
188.209.52.120

Yota.ru Content Spammer: Research, Ban

client.yota.ru spammed me, so I did some research. This Russian spammer is difficult to track down, and they are prolific. They also use the host name wimax-client.yota.ru to spam.

Observations:
client.yota.ru 94.25.168.61 2017-nov-22
client.yota.ru 94.25.173.177 2016-nov-10
client.yota.ru 94.25.177.77 2017-jul-03
client.yota.ru 94.25.179.233 2017-jan-17
client.yota.ru 94.25.180.215 2017-apr-04
client.yota.ru 94.25.228.4 2016-dec-18
client.yota.ru 94.25.229.18 2017-jan-14
client.yota.ru 94.25.231.224 2016-dec-18
wimax-client.yota.ru 109.188.127.14 2016-dec-02
client.yota.ru 188.162.14.35 2016-dec-30
client.yota.ru 188.162.39.25 2016-nov-12
client.yota.ru 188.162.65.24 2016-sept-20
client.yota.ru 188.162.65.56 2016-nov-12
client.yota.ru 188.162.80.201 2017-feb-21
client.yota.ru 188.162.166.227 2017-jan-17
client.yota.ru 188.162.236.184 2016-oct-30
client.yota.ru 188.162.245.156 2016-sept-20

clientshostname.com Content Scraper: Research, Ban

customer.clientshostname.com scraped me, and the name is very generic, so I thought to research it. clientshostname.com has a lot of customer names prepended to it, so banning by IP range covers all of their names at once. Three IP ranges should do it.

Observed:
customer.clientshostname.com

Research:
93.170.13.233 93.170.13.0/24
93.170.13.212
93.170.13.205
104.193.252.10 104.193.252.0/24
104.193.252.1
104.193.252.0
185.104.8.50 185.104.8.0 – 185.104.11.255 UK-KSERVERS
185.104.8.56
185.104.8.52
185.104.8.52
185.104.8.50
185.104.8.126
185.104.9.38
185.104.9.38
185.104.9.37
185.104.9.37
185.104.9.246
185.104.9.236
185.104.9.236
185.104.9.230
185.104.9.228
185.104.10.80
185.104.10.6
185.104.10.17
185.104.10.11
185.104.11.255
185.104.11.195
185.104.11.195
185.104.11.195
185.104.11.143
185.104.11.130
185.104.11.130
185.130.104.134
204.155.31.255
213.180.204.213
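To turn a research list like the one above into something checkable, here is an added Python example (not from the original post) that tests observed addresses against the three researched clientshostname.com ranges and reports the stragglers that fall outside them. The range 185.104.8.0 – 185.104.11.255 is written as 185.104.8.0/22, and the observed sample is a constructed subset of the addresses listed above. Note that `strict=False` is used when parsing so that a range jotted down off its CIDR boundary (a host address with a /22, say) is widened to the containing network instead of raising an error.

```python
import ipaddress

# Researched ranges for clientshostname.com, as listed on the page.
# 185.104.8.0 - 185.104.11.255 is exactly 185.104.8.0/22.
RESEARCHED_RANGES = [
    "93.170.13.0/24",
    "104.193.252.0/24",
    "185.104.8.0/22",
]

# Constructed sample of observed scraper addresses, a subset of the page's list.
OBSERVED = [
    "93.170.13.233", "93.170.13.212", "104.193.252.10", "104.193.252.1",
    "185.104.8.50", "185.104.9.38", "185.104.11.195", "185.104.11.130",
    "185.130.104.134", "204.155.31.255", "213.180.204.213",
]


def parse_ranges(ranges):
    """Parse CIDR strings. strict=False widens an entry written off its
    boundary (e.g. 185.11.145.0/22) to the containing aligned network."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_banned(ip, networks):
    """True if the address falls inside any researched network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def coverage_report(observed, ranges):
    """Split observed addresses into (covered, uncovered) so that stragglers
    outside the current ban list are visible and can be researched next."""
    networks = parse_ranges(ranges)
    covered = [ip for ip in observed if is_banned(ip, networks)]
    uncovered = [ip for ip in observed if not is_banned(ip, networks)]
    return covered, uncovered


def suggest_blocks(ips, prefixlen=24):
    """Collapse leftover addresses into the smallest set of /prefixlen networks
    that covers them: candidates to research (whois) before banning."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


if __name__ == "__main__":
    covered, uncovered = coverage_report(OBSERVED, RESEARCHED_RANGES)
    print(f"covered by the three ranges: {len(covered)}")
    print("outside the ban list:", uncovered)
    print("candidate blocks to research:", suggest_blocks(uncovered))
```

Running it shows that eight of the sampled addresses are already covered by the three ranges, while 185.130.104.134, 204.155.31.255 and 213.180.204.213 are not, which matches the page's own list: those three sit at the bottom without a range next to them.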

blizoo.bg Content Scraper: Research, Ban

c8fb265ea92a.softphone.blizoo.bg scraped me, but this one is tough.

Observation:
c8fb265ea92a.softphone.blizoo.bg

Research:
0024d19b1333.softphone.blizoo.bg 84.252.31.0 0.36.209.155.19.51 84.252.0.0 – 84.252.63.255 84.252.0.0/18 Blizoo BG
001e6beed8e8.softphone.blizoo.bg 84.252.53.172
0024d1956637.Softphone.Blizoo.Bg 85.130.17.48 85.130.0.0 – 85.130.128.255 85.130.0.0/17

c8fb265ea1a7.softphone.blizoo.bg 130.204.57.130 130.204.0.0 – 130.204.255.255 130.204.0.0/16 BLIZOO Bg
002624ab99a0.softphone.blizoo.bg 130.204.81.53
38c85cd6f4bc.softphone.blizoo.bg 130.204.85.1
00252e5ee5e4.softphone.blizoo.bg 130.204.103.4
a4a24a37efd3.softphone.blizoo.bg 130.204.116.226
00252ea84d9b.softphone.blizoo.bg 130.204.143.1 0.37.46.168.77.155
602ad0d8f8b1.softphone.blizoo.bg 130.204.169.1
a4a24a394b91.softphone.blizoo.bg 130.204.243.142

direcway.com Content Scraper: Research, Ban

host671420043112.direcway.com is a whisper bot that content scraped me. They are unique in that their hostname is somewhat ambiguous, which makes machine reading more difficult: every octet can be 2 or 3 digits long, allowing for much ambiguity.

Whisper is a much-hated botnet that continues to attack my site one IP at a time: small but relentless.

Observation:
host671420043112.direcway.com predicted IP is 67.142.112.43

Pattern:
The host name contains all of the IP digits but is ambiguous. The first octet can be either 2 or 3 digits, so check the candidates against their IP ranges. The third and fourth octets are swapped, and the third octet has “00” prepended.

network-consulting.fr Content Spammer: Research, Ban

network-consulting.fr content spammed me, so I looked them up. Their host name usage is interesting. If they spam me again I will be ready.

79.98.16.0 – 79.98.23.255 Network Consulting Fr

Observation:
f79.ip.network-consulting.fr: my educated guess is 79.98.21.79

Pattern:
network-consulting.fr starts its “a” group at 79.98.16.0. Each step up the alphabet adds one to the third octet (a = 16, b = 17, c = 18, and so on). The number following the letter is the fourth octet.

Given the range 79.98.16.0 – 79.98.23.255, this pattern can go up to “h”.

Research:
a20.ip.network-consulting.fr 79.98.16.20
a81.ip.network-consulting.fr 79.98.16.81
b248.ip.network-consulting.fr 79.98.17.248
c4.ip.network-consulting.fr 79.98.18.4
c17.ip.network-consulting.fr 79.98.18.17
c51.ip.network-consulting.fr 79.98.18.51
c61.ip.network-consulting.fr 79.98.18.61
c80.ip.network-consulting.fr 79.98.18.80
c165.ip.network-consulting.fr 79.98.18.165
d49.ip.network-consulting.fr 79.98.19.49
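The two host-name patterns described above (direcway.com at the start of its section and network-consulting.fr here) are easy to get wrong by hand, so here is an added Python example, not from the original post, that decodes both and checks the network-consulting.fr decoder against the research rows. The direcway decoder enumerates every split that fits the stated pattern (2- or 3-digit octets, “00” in front of the third, third and fourth swapped) rather than guessing one; the rejection of octets with a leading zero and the optional `allowed` filter are my assumptions, since the page only says to check candidates against their IP ranges.

```python
import ipaddress
import re
from typing import List, Optional

# network-consulting.fr: the letter selects the third octet (a -> 16, b -> 17, ...)
# and the number after it is the fourth octet. Range from the page:
# 79.98.16.0 - 79.98.23.255, so only letters a..h are possible.
NC_PREFIX = "79.98"
NC_FIRST_THIRD = 16
NC_LAST_THIRD = 23
NC_RE = re.compile(r"^([a-z])(\d{1,3})\.ip\.network-consulting\.fr$")


def decode_network_consulting(hostname: str) -> Optional[str]:
    """Return the predicted IP for an <letter><n>.ip.network-consulting.fr name,
    or None if the name is malformed or falls outside the allocated block."""
    m = NC_RE.match(hostname.lower())
    if not m:
        return None
    letter, fourth = m.group(1), int(m.group(2))
    third = NC_FIRST_THIRD + (ord(letter) - ord("a"))
    if third > NC_LAST_THIRD or fourth > 255:
        return None
    return f"{NC_PREFIX}.{third}.{fourth}"


# direcway.com: hostNNN... carries every digit of the IP, with each octet 2 or 3
# digits long, "00" prepended to the third octet, and the third and fourth swapped.
DW_RE = re.compile(r"^host(\d+)\.direcway\.com$")


def decode_direcway(hostname: str, allowed: Optional[List[str]] = None) -> List[str]:
    """Enumerate every split of the digit string consistent with the pattern and
    return all plausible IPs. `allowed` (assumed, not from the page) narrows the
    candidates to the networks the hoster is known to use."""
    m = DW_RE.match(hostname.lower())
    if not m:
        return []
    digits = m.group(1)
    candidates = []
    for a in (2, 3):
        for b in (2, 3):
            for c in (2, 3):
                for d in (2, 3):
                    if a + b + 2 + c + d != len(digits):
                        continue
                    o1 = digits[:a]
                    o2 = digits[a:a + b]
                    pad = digits[a + b:a + b + 2]
                    o3 = digits[a + b + 2:a + b + 2 + c]
                    o4 = digits[a + b + 2 + c:]
                    if pad != "00":
                        continue
                    # The name lists the fourth octet before the third.
                    octets = [o1, o2, o4, o3]
                    # Assumption: a real octet is never written with a leading zero.
                    if any(o[0] == "0" or int(o) > 255 for o in octets):
                        continue
                    candidates.append(".".join(str(int(o)) for o in octets))
    if allowed:
        nets = [ipaddress.ip_network(n, strict=False) for n in allowed]
        candidates = [ip for ip in candidates
                      if any(ipaddress.ip_address(ip) in n for n in nets)]
    return candidates


# Research rows from the page, used as known answers for the decoder.
NC_RESEARCH = {
    "a20.ip.network-consulting.fr": "79.98.16.20",
    "b248.ip.network-consulting.fr": "79.98.17.248",
    "c165.ip.network-consulting.fr": "79.98.18.165",
    "d49.ip.network-consulting.fr": "79.98.19.49",
}


def verify_network_consulting() -> bool:
    """True if the decoder reproduces every research row above."""
    return all(decode_network_consulting(h) == ip for h, ip in NC_RESEARCH.items())


if __name__ == "__main__":
    print("f79 ->", decode_network_consulting("f79.ip.network-consulting.fr"))
    print("research rows reproduced:", verify_network_consulting())
    print("direcway candidates:", decode_direcway("host671420043112.direcway.com"))
```

For host671420043112 only one split survives the checks, giving 67.142.112.43, the same prediction the page makes; a longer or differently shaped name can yield several candidates, which is exactly when the page's advice to look at the hoster's IP ranges applies.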

ztomy.com Content Spammer: Research, Ban

ns1648.ztomy.com has spammed me, but it has been difficult to track down and ban. The IPs jump around like Mexican jumping beans.

Observations:
I finally got a positive spam hit from 5.231.42.24, and then from 5.231.40.52.
5.41.178.9 ns1648.ztomy.com
5.62.21.221 ns1648.ztomy.com
23.27.250.179 ns1648.ztomy.com 2016-nov-17
104.144.22.219 ns1648.ztomy.com 2016-nov-08
104.144.28.122 ns1648.ztomy.com 2016-oct-12
104.144.28.155 ns1648.ztomy.com 2016-nov-20
184.83.3.154 ns1648.ztomy.com 2016-oct-25
193.169.144.179 ns1648.ztomy.com 2016-nov-20
193.169.144.221 ns1648.ztomy.com 2016-nov-17
193.169.144.230 ns1648.ztomy.com 2016-nov-20
193.169.144.241 ns1648.ztomy.com 2016-nov-20
193.169.144.243 ns1648.ztomy.com 2016-nov-20
193.169.144.247 ns1648.ztomy.com 2016-nov-20
202.51.195.38 ns1648.ztomy.com 2016-nov-16
204.188.238.39 ns1648.ztomy.com 2017-mar-13
205.211.138.134 ns1648.ztomy.com 2016-nov-04

cable.net.co Content Scraper: Research, Ban

You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.com and then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.

Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.

Their pattern is not as predictable as a computer would require, but that is precisely the point: they want to fool anti-bot software while still letting their admin staff figure it out. If staff make a couple of errors, it is no problem.