Tag: strategy

bahnhof.se Content Scraper: Research, Ban

h-65-167.a416.corp.bahnhof.se has content spammed my site, so I am looking to remove it. bahnhof.se and bahnhof.no are from Sweden.

Observed:
h-65-167.a416.corp.bahnhof.se 79.136.65.167
h-42-226.a357.priv.bahnhof.se 79.136.42.226
h-46-23.a165.priv.bahnhof.se 46.59.46.23

Research:
h-130-176.a2.corp.bahnhof.no 37.123.130.176 a2 = 162 37.123.128.0 – 37.123.191.255 37.123.128.0/18

h-253-21.a139.corp.bahnhof.se 5.150.253.21 5.150.192.0 – 5.150.255.255 5.150.192.0/18
h-130-176.a2.corp.bahnhof.no 37.123.130.176 37.123.128.0 – 37.123.191.255 37.123.128.0/18
h-62-152.a213.priv.bahnhof.se 46.59.62.152 46.59.0.0 – 46.59.128.255 46.59.0.0/17

h-42-226.a357.priv.bahnhof.se 79.136.42.226 79.136.0.0 – 79.136.128.255 79.136.0.0/17
h-53-173.a157.priv.bahnhof.se 79.136.53.173
h-65-174.a416.corp.bahnhof.se 79.136.65.174

h-184-90.a322.priv.bahnhof.se 81.170.184.90 81.170.128.0 – 81.170.255.255 81.170.128.0/17
h-234-136.a189.priv.bahnhof.se 81.170.234.136
h-236-56.a193.priv.bahnhof.se 81.170.236.56
H-249-146.a175.corp.bahnhof.se 81.170.249.146

h-129-203.a328.priv.bahnhof.se 85.24.129.203 85.24.128.0 – 85.24.255.255 85.24.128.0/17
h-129-14.a209.priv.bahnhof.se 85.24.129.14
A218.cust.bahnhof.se 85.24.240.1

h-2-71.a322.priv.bahnhof.se 94.254.2.71 163.34 94.254.0.0 – 94.254.128.255 94.254.0.0/17
h-2-71.a322.priv.bahnhof.se 94.254.2.71
h-2-51.A322.priv.bahnhof.se 94.254.2.51
h-50-216.a240.priv.bahnhof.se 94.254.50.216
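
A check worth running before range/CIDR pairs like the ones above go into ban rules: does each written CIDR cover the whole whois range beside it? This is an added example, not part of the original post. The pairs are copied from the listing above, and 46.59.128.10 is a constructed test address.

```python
import ipaddress

# (first, last, cidr) pairs copied from the bahnhof listing on this page.
PAGE_RANGES = [
    ("5.150.192.0", "5.150.255.255", "5.150.192.0/18"),
    ("37.123.128.0", "37.123.191.255", "37.123.128.0/18"),
    ("46.59.0.0", "46.59.128.255", "46.59.0.0/17"),
    ("79.136.0.0", "79.136.128.255", "79.136.0.0/17"),
    ("81.170.128.0", "81.170.255.255", "81.170.128.0/17"),
    ("85.24.128.0", "85.24.255.255", "85.24.128.0/17"),
    ("94.254.0.0", "94.254.128.255", "94.254.0.0/17"),
]

def exact_cidrs(first, last):
    """Smallest list of CIDR blocks covering exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def mismatches(pairs):
    """Return {cidr: exact blocks} where the written CIDR is not the whole range."""
    return {cidr: exact_cidrs(first, last)
            for first, last, cidr in pairs
            if exact_cidrs(first, last) != [cidr]}

def not_banned(addresses, cidrs):
    """Addresses that none of the CIDR rules would match."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]

if __name__ == "__main__":
    for cidr, exact in mismatches(PAGE_RANGES).items():
        print(f"{cidr} does not cover its stated range; exact blocks: {exact}")
    rules = [cidr for _, _, cidr in PAGE_RANGES]
    # First three are the observed hosts; the last is a constructed address
    # inside the stated 46.59.0.0 - 46.59.128.255 range but outside the /17.
    sample = ["79.136.65.167", "79.136.42.226", "46.59.46.23", "46.59.128.10"]
    print("not matched by the CIDR rules:", not_banned(sample, rules))
```

Where a stated range ends at x.x.128.255, the /17 rule stops at x.x.127.255, so the ban needs either the extra /24 that `exact_cidrs` returns or a corrected range.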

7by7.de Content Spammer: Research, Ban

tor-exit-node.7by7.de spammed me today, so I decided to track them down. There is not much on him, but he is a Tor exit server.

It is too bad that Tor exit servers are used for spamming, as many sites will ban them. Banning due to spamming really defeats the purpose of Tor. The best intentions result in misuse.

tor-exit-node.7by7.de 72.52.91.19
tor-exit-node.7by7.de 72.52.91.30
tor-exit-node.7by7.de 96.44.189.101
tor-exit-node.7by7.de 213.61.149.100

7by7.de 91.236.122.1

mbahrain.net: Research, Ban

mbahrain.mbahrain.net is using the Zend_Http_Client user agent, so they get banned. They are small, only 2 IPs.

mbahrain.mbahrain.net 198.57.181.97 198.57.128.0 – 198.57.255.255 198.57.128.0/17 UNIFIEDLAYER
mbahrain.mbahrain.net 198.57.168.229

greencloudvps.com: Research, Ban

10gbpsnl.greencloudvps.com hit my site looking for security weaknesses, so I thought it wise to research them and send them packing. They are a VPS, so I’ll never find the actual intruder.

They are spotty, so I will start small and work my way up.

Observed:
10gbpsnl.greencloudvps.com 93.158.215.90 93.158.215.0 – 93.158.215.255 SERVERIUS NL
mnt-by:
10gbpsnl.greencloudvps.com 93.158.215.92

Research:
lgvn.greencloudvps.com 66.249.69.189

kvmla2.greencloudvps.com 92.210.165.94
lgnl.greencloudvps.com 93.158.203.162

lgnv.Greencloudvps.com 104.194.14.71
104.223.6.19.static.greencloudvps.com 104.223.6.19

107.161.93.161.static.greencloudvps.com 107.161.93.161

lgaz.greencloudvps.com 148.163.90.3

kvmla2.greencloudvps.com 192.210.165.97
kvmla2.greencloudvps.com 192.210.165.96

198.55.115.24.static.greencloudvps.com 198.55.115.24
198.55.115.58.static.greencloudvps.com 198.55.115.58

hukot.net Tor Exit: Research, Ban

108-36.hukot.net seems to be a Tor exit server. While I am all for the philosophy of net privacy, these Tor servers more often than not are used to content spam me. As a result I ban almost all of them. It is human nature, I suppose, to take something that should be beneficial and, using selfish and personal reasons, turn it to a tool of the bad.

Oh well, who am I to judge. This is my site, I ban content spammers, and I therefore also ban Tor content spammers, exit or not.

hukot.net seems to be an ISP from the Czech Republic.

ubernet.com.bd: Research, Ban

host-64-166-83.ubernet.com.bd was testing my security, so I thought I would out them. ubernet.com.bd is an IP telephone and ISP, out of Bangladesh.

Pattern:
This guy seems to have an older and a newer pattern. The older pattern starts with 220.47 and then appends the last 2 octets of the host name. The newer pattern starts with 45 and appends the last 3 octets of the host name.

Research:
host-161-148.ubernet.com.bd 220.247.161.148 220.247.160.0 – 220.247.167.255 220.247.160.0/21
host-162-202.ubernet.com.bd 220.247.162.202
host-162-238.ubernet.com.bd 220.247.162.238
host-162-58.ubernet.com.bd 220.247.162.58
host-162-55.ubernet.com.bd 220.247.162.55
host-162-173.ubernet.com.bd 220.247.162.173

dps.gov.co Content Scraper: Research, Ban

lyncdiscover.dps.gov.co has nothing to do with the Government of Colombia, and a good thing, because it is a content scraper bot.

dps.gov.co is the Departamento para la Prosperidad Social, part of the Colombian Government. I am unsure how a content scraper got hold of a Colombian Government extent, legally.

As this is a Government site I have contacted their tech contact, but they do not look too sophisticated. At least I have done my part to try to stop this abuse of the dps.gov.co host name.

Research:
186.170.31.134 186.170.0.0 /15 COLOMBIA TEL
186.170.31.134
186.170.31.134

boostgram.com security risk: Research, Ban

boostgram.com tried to crack my site security. I need him disabled. Boostgram is hosted by Digital Ocean, which hosts a lot of spamming sites.

Observation:
production.ap.3393bc.boostgram.com 159.203.202.54

51.147.188

Research:
production.ap.9612d3.boostgram.com 104.131.9.204 104.131.0.0 – 104.131.255.255 104.131.0.0/16
150.18.211.
production.ap.90c84e.boostgram.com 104.131.156.149 144.200.78.
production.ap.970190.boostgram.com 104.131.192.0/19

production.ap.831aab.boostgram.com 104.236.7.133 104.236.0.0 – 104.236.255.255 104.236.0.0/16
131.26.171.
production.ap.9b51e1.boostgram.com 104.236.9.104 155.81.225.
production.ap.ecaad3.boostgram.com 104.236.88.116 236.170.211.
production.ap.3880c0.boostgram.com 104.236.94.135
production.ap.777b50.boostgram.com 104.236.199.226
production.ap.136571.boostgram.com 104.236.254.46

production.ap.e06883.boostgram.com 107.170.4.120 107.170.0.0 – 107.170.255.255 107.170.0.0/16
production.ap.73d069.boostgram.com 107.170.36.72
production.ap.67b6b3.boostgram.com 107.170.115.31
production.ap.f9906e.boostgram.com 107.170.219.111

production.ap.3393bc.boostgram.com 159.203.202.54 159.203.0.0 – 159.203.255.255 159.203.0.0/16
production.ap.c648f2.boostgram.com 159.203.218.94
production.ap.08ccaf.boostgram.com 159.203.245.132
production.ap.9d13a2.boostgram.com 159.203.207.1

sl-reverse.com Content Scraper: Research, Ban

sl-reverse.com is a content spammer that is creeping into my site and I want it stopped. I’ll hunt them down and ban them. Sl-reverse also uses servers in Canada, Germany, Singapore, Japan and Italy, to name a few.

If they botnet my butt I will get more aggressive on them.

Observations:
fa.f7.a86c.ip4.static.sl-reverse.com 108.168.247.250

6.1f.5177.ip4.static.sl-reverse.com 119.81.31.6 119.81.31.0/24 SOFTLAYER
6.1f.5177.ip4.static.sl-reverse.com 119.81.31.6
59.7c.5177.ip4.static.sl-reverse.com 119.81.124.89
12.87.5177.ip4.static.sl-reverse.com 119.81.135.18
93.fa.5177.ip4.static.sl-reverse.com 119.81.250.147
39.f8.5177.ip4.static.sl-reverse.com 119.81.248.57
8b.f9.5177.ip4.static.sl-reverse.com 119.81.249.139
d6.fd.5177.ip4.static.sl-reverse.com 119.81.253.214

e6.96.089f.ip4.static.sl-reverse.com 159.8.150.230
d7.85.7a9f.ip4.static.sl-reverse.com 159.122.133.215 159.122.133.0/24 SOFTLAYER
d7.85.7a9f.ip4.static.sl-reverse.com 159.122.133.215
a6.48.caa1.ip4.static.sl-reverse.com 161.202.72.166
a.06.01a8.ip4.static.sl-reverse.com 168.1.6.10
d6.35.01a8.ip4.static.sl-reverse.com 168.1.53.214
70.17.01a8.ip4.static.sl-reverse.com 168.1.23.112
34.4b.01a8.ip4.static.sl-reverse.com 168.1.75.52
db.63.01a8.ip4.static.sl-reverse.com 168.1.99.219
fa.f7.a86c.ip4.static.sl-reverse.com 168.108.247.250
d8.00.39a9.ip4.static.sl-reverse.com 169.57.0.216
a0.67.b9d8.ip4.static.sl-reverse.com 216.185.103.160

hn.kd.dhcp Content Spammer: Research, Ban

hn.kd.dhcp is spamming my site, so I need to remove it. This guy has been around for quite a while and has a long list of IPs, but not so long a list of IP ranges. This spammer runs out of Henan Province, China, but has used Jilin, Chongqing, Guangdong, and Shanghai.

These may be related: hn.kd.ny.adsl; hn.ly.kd.adsl; hn.kd.dhcp

Observation:
61.52.253.116 hn.kd.dhcp 2017-jan-04
61.54.208.158 hn.kd.dhcp
61.54.208.235 hn.kd.dhcp 2016-oct-06
61.54.209.51 hn.kd.dhcp

Research:
61.52.9.239 61.52.0.0 – 61.53.255.255 61.52.0.0/15 China Unicom Henan