Author Archives: dontai

virtua.com.br Content Scraper: Research, Ban

Persistent this botnet is. It’s like a virus that mutates but does not go away. Or an itch you scratch but does not stop. virtua.com.br has a content scraping bot going at my site that I need to stop. virtua.com.br is part of a large Semalt-led botnet I am trying to remove. They have no website. The host addresses I receive on my access log do not resolve, and there’s nothing specific on Google. I’m just giving this a simple domain ban to see how it goes. They also have a huge number of IP blocks, as they are connected to Akamai in the US.

This is a preview of virtua.com.br Content Scraper: Research, Ban. Read the full post (354 words, 0 images, estimated 1:25 mins reading time)

keywords-monitoring-your-success.com and free-video-tool.com: Semalt Botnet

Both keywords-monitoring-your-success.com and free-video-tool.com are Semalt tools for content scraping. This botnet is pretty extensive and tiring to kill.

The raw access log entries look seemingly legit, but being referred from the two Semalt tools, they could not be legit users.

These host names and Ip address, masquerading as valid browsers, took up a lot of my bandwidth. This botnet used mainly companies from Brazil such as TELEFÔNICA BRASIL, Vivo, Global Village, Brasil Telecom, Yawl, portalmail but also used a bunch of Italian and US companies as well.

Virtua.com.br continues to content scrape for Semalt. I have a separate research report on them.

This is a preview of keywords-monitoring-your-success.com and free-video-tool.com: Semalt Botnet. Read the full post (304 words, 0 images, estimated 1:13 mins reading time)

hosted-ny.securefastserver.com Content Scraper: Research and Ban

This one is difficult. They are elusive. They use partial IP ranges that start randomly, like a disk that needs defragmenting. This masks their use of larger IP ranges. The names James Prado and Private Layer are always involved. What they do is bury the hosted-ny.securefastserver into small IP segments, but the IP ranges before and after are also owned by the same company but are under the Private Layer or James Prado name. Tricky. Just ban the complete range, as it is the same company.

DNS Record:
Fast Serv Inc. d.b.a. QHoster.com
1 Mapp Str.
Belize City, Belize

This is a preview of hosted-ny.securefastserver.com Content Scraper: Research and Ban. Read the full post (274 words, 0 images, estimated 1:06 mins reading time)

Chinese Maps Compare: Google, 360, Sougou, Baidu 中国地图比较：谷歌， 360, 搜狗，百度

Maps, I do like. Not only are they pretty, they are pretty useful, especially if you are unfamiliar with the area. Map and compass in hand, you can walk at your leisure and not get lost, or at least be able to get help from the locals when you do. But which maps are the best for China? I thought I’d do a map slugfest, comparing Google (line and satellite), 360, Sougou and Baidu. I chose 150 meters of Shandong, Changdao on Jiefang (Liberation) Road as an example.

我喜欢地图。除了很漂亮意外，它们也很好用，特别要是你对这个地方不熟悉。地图和指南针zai 手里你可以随便走路不怕迷路，或者一迷路可以让本地人给你帮忙。在中国哪个地图最好呢？我想比较，用谷歌（线的和卫星的）， 360, 搜狗和百度比较。我选择了150米的山东长岛的解放路来比如。

This is a preview of Chinese Maps Compare: Google, 360, Sougou, Baidu 中国地图比较：谷歌， 360, 搜狗，百度. Read the full post (386 words, 5 images, estimated 1:33 mins reading time)

pinspb.ru, Content Scraper: Research and Ban

This content scraper pinspb.ru is a regular on my site and I’d like to ban it. Very mysterious and hard to pin down. Not much on the DNS record. At least they have a web site. They look like an ISP. They have a lot of IP blocks.

Observations:
46.161.62.74 pinspb.ru 2016-dec-26
46.161.63.90 2016/sept/22
46.161.63.109 pinspb.ru 2016-oct-16

Google Pattern Examples, ban these:
5.8.78.132 5.8.72.0 – 5.8.79.255 5.8.72.0/21
5.101.67.0 5.101.64.0 – 5.101.67.255 5.101.64.0/22
46.161.54.109 46.161.0.0 – 46.161.63.255 46.161.0.0/18
46.161.60.177
46.161.61.68
195.2.240.4 195.2.240.0 – 195.2.241.255 195.2.240.0/23

17 + 128
18 + 63
19 + 31
20 + 15
21 + 7
22 +3
23 +1

This is a preview of pinspb.ru, Content Scraper: Research and Ban. Read the full post (239 words, 0 images, estimated 57 secs reading time)

Furanet.com: Research and Banning

There is not much for this, and it seems they like to be unknown. There is no web site for furanet.com. Let me try to tease their pattern.

93.93.68.0/24
COMVIVE SERVIDORES S.L.
Sevilla, Spain
email@comvive.es

My content scraper host name was 98-68.furanet.com. It looks like their pattern or strategy is a reverse order domain name with the first 2 octets missing. Looking at their IP range I would guess 93.93.64.0/21, which covers the 68 of 98-68.furanet.com. From my Google search I’ve added 91.192.108.0/22 which they also commonly use.

Ban these most commonly used IPs:
91.192.108.0/22
93.93.64.0/21

This is a preview of Furanet.com: Research and Banning. Read the full post (183 words, 0 images, estimated 44 secs reading time)

XFone 018.net.il: Research and Banning

My site has been getting content and image scraped by bb-81-107.018.net.il and bb-153-46.018.net.il, but these two host names do not resolve. Furthermore there is very little on the internet on them. My next step is to ban their complete IP range.

Observation:
cust-68.196.102.5.018.net.il 5.102.196.68
CUST-89.242.102.5.018.net.il 5.102.242.89 2017-jan-23
cust-186.224.102.5.018.net.il 5.102.224.186
cust-140.227.102.5.018.net.il 5.102.227.140
cust-151.241.102.5.018.net.il 5.102.241.151
cust-132.255.102.5.018.net.il 5.102.255.132
bb-81-107.018.net.il 94.230.81.107
bb-84-30.018.net.il 94.230.84.30
bb-132-134.018.net.il 188.120.132.134
bb-134-60.018.net.il 188.120.134.60
BB-151-179.018.net.il 188.120.151.179 2017-jan-18
bb-153-46.018.net.il 188.120.153.46
BB-154-107.018.net.il 188.120.154.107 2016-oct-08
141.226.151.47 2016-oct-14

Pattern:
If there are 4 octets in the host name, then reverse the octets. If there are only 2 octets then these are the last 2 of the IP. You will need to use the host command and try the first 2 octets of their common ranges.

This is a preview of XFone 018.net.il: Research and Banning. Read the full post (145 words, 0 images, estimated 35 secs reading time)

Hit by Weight Loss Spambot, Heavy Day for Content Scrapers

Hit I was, by a terribly time wasteful spambot pushing weight loss ads. Yes, my Recaptcha did send them to my spam folder for analysis, but it was still a lot. I just wished they would simply stop. All the comment spammers were pushing weight loss. I’m sure they are telling me something about my slightly widening girth, but I am already making amends. There is no need for added pressure, nor waste of bandwidth and technology.

This is a preview of Hit by Weight Loss Spambot, Heavy Day for Content Scrapers. Read the full post (327 words, 0 images, estimated 1:18 mins reading time)

Scarborough Crime. Birchmount / Finch

East-end shooting leaves young man dead Mar 21, 2016
Pair sought in Scarborough shooting Jan 22 2016
Jan. 21: Two men fired several shots into a home on Glendower Circuit, near Birchmount Rd. and Finch Ave. E., around 3:25 p.m., but nobody was hit. Jan 21 2015

33-year-old man in critical condition after being shot in the face outside apartment buildingSept 16 2006
Judge imposes life sentence for `senseless’ shooting June 14 2005

Permanent link to this post (74 words, 0 images, estimated 18 secs reading time)

454a986e.cst.lightpath.net: Research, Ban

454a986e.cst.lightpath.net is a content scraper bot that has been visiting my site, so I would like to remove the welcome mat.

lightpath.net seems to change their front extent many times, as a search on Google did not yield an exact match, but many variants.

Pattern:
Take the numbers before “.cst.lightpath.net” and convert them from hex to decimal, giving you 4 octets.

lightpath.net resolves to 216.2.192.141, Optimum Online or Cablevision Systems, XO Communications (ISP), but they have no website. cablevisionlightpath.org also resolves to the same ip address.

454a986e.cst.lightpath.net Their hex converts to 69.74.152.110, Cablevision Systems.

Permanent link to this post (95 words, 0 images, estimated 23 secs reading time)