fvds.ru Content Spammer: Research, Ban

fvds.ru spammed me, so I researched them. A good portion of their IPs are in the range of 62.109.24.0/24 but there are others. They use a wide variety of names.

Observation:
t-testing.fvds.ru host lookup 62.109.2.78 is bogus. Research revealed 62.109.24.26 and 62.109.24.27.

Research:

static.vdc.vn: Research, Ban

static.vdc.vn is a regular content scraper, but it did POST to me and left its IP address. I have been trying to track this one down for a while, but it uses such a wide variety of IP addresses that this is difficult. I could ban large ranges but this would also ban a wide swath of Vietnam, which I do not wish.

Observation:
static.vdc.vn host name 203.162.0.78 actual 123.30.75.115

vivawebhost.com: Research, Ban

vivawebhost.com visited me with a “-” user agent, suspicious at best and certainly a bot. Please, identify yourself.

Observation:
lucky.vivawebhost.com h 78.142.63.208

Research:

extendcp.co.uk: Research, Ban

extendcp.co.uk had a user agent name of “-” so I thought to look them up and prepare if they attack me.

Observation:
web232.extendcp.co.uk 79.170.40.232

Pattern:
They use the last octet in their host name, but the first three can vary. Three or four IP ranges should do for banning.

Research:
web32.extendcp.co.uk 79.170.40.32 79.170.40.0 – 79.170.47.255 Heart Internet

1-99seo.com Content Spammer: Research, Ban

1-99seo.com looks like a similar content spammer campaign, from South America/Brazil. The style is very similar to fix-website-errors-com by Semalt, which was really terrible.

1-free-share-buttons.com looks to be the same

It is these types of content scraper marketing campaigns that waste the receiving web site’s bandwidth. They visit the same pages daily, scraping from multiple IP addresses.

Virgin Mobile Canada: New Home Internet Offer

Interested, I was, when I read a G&M article, written more like advertising copy, about Virgin Mobile offering home internet service, 300MB for $50/mo.

I went to their web site, input my address, which it acknowledged, but the lookup feature was not working. I therefore phoned and they confirmed that home internet is not yet available for me but is in the works.

They also confirmed that they will use Bell fiber optic lines, which were recently installed on my street, 300G bandwidth, 25mbps download, 15mbps upload. That is a lot cheaper than Bell is offering today.

secureserver.net: Research, Ban

Not overly annoying, secureserver.net is a regular content spammer on my site. I thought it would be good to track them down. Their host names look up properly and they seem to ban properly, so there does not seem to be anything tricky or suspicious.

Observations:

Research:

tor.exit.babylon.network: Research, Ban

The whole concept of tor is a sound one, allowing those in repressive or privacy-optional countries (Canada, US) to anonymously use the internet. Unfortunately this anonymity has been hijacked by the spamming community, taking a benevolent tool and using it for ill. Any IP or hostname used for spamming is game for being banned, tor or not.

tor.exit.babylon.network has a network of tor servers that are content spamming me. Normally tor server IPs are stable, so once you ban them they stay banned. These guys move around a bit, and there are a number of them. If you ban a tor server, or any other hostname, and they return to spam again, then you know they evaded your security efforts. You need to do more research.

Check htaccess Deny From lines for Alpha Characters

My htaccess file is getting large as I continually ban more of the world's bad bots. As it gets larger there are bound to be more mistakes. One such mistake can occur in “deny from” lines, which account for the vast majority of lines in the htaccess. If you add any alpha characters to the IP addresses in “deny from” lines, the Apache server will do host lookups for all visitors and try to return host names rather than IP addresses. This means that some spammers’ IP addresses will be hidden behind bogus host names. For accuracy it is best for the Apache server to return their IP addresses. Using IPs you can then do host and search lookups, find them and ban them.
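One way to run this check, as an added example that is not part of the original post: a small Python script that reads the “deny from” lines and reports every argument that is not an IP address, partial IP or network. The sample file content, the function names and the documentation-range addresses are assumptions made for the illustration; IPv6 addresses are accepted even though their hex digits are letters.

```python
import ipaddress
import re

# Constructed sample .htaccess (documentation-range addresses, not from the page).
SAMPLE = """\
order allow,deny
deny from 192.0.2.15
deny from 198.51.100.0/24
deny from 203.0.113
deny from 2001:db8::/32
deny from 192.0.2.l5
deny from spam.example.net
Deny from 198.51.100.7 203.0.113.9O
deny from env=bad_bot
allow from all
"""

# Apache also accepts a partial address (first one to three octets).
PARTIAL_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")

def is_address_spec(token):
    """True if token is an IP, partial IP or network, so no DNS lookup is needed."""
    if PARTIAL_IP.match(token):
        return all(int(part) <= 255 for part in token.rstrip(".").split("."))
    try:
        # Covers CIDR, address/netmask and IPv6 (whose hex letters are legitimate).
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def find_suspect_denies(text):
    """Return (line number, argument) for each 'deny from' argument that is not an address."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        words = line.split()
        if len(words) < 3 or [w.lower() for w in words[:2]] != ["deny", "from"]:
            continue
        for token in words[2:]:
            if token.lower() == "all" or token.lower().startswith("env="):
                continue  # keywords, not addresses
            if not is_address_spec(token):
                findings.append((lineno, token))
    return findings

if __name__ == "__main__":
    for lineno, token in find_suspect_denies(SAMPLE):
        print(f"line {lineno}: '{token}' is not an IP address or network")
```

To check a real file, pass its contents to `find_suspect_denies()` in place of `SAMPLE`; the typos it catches in the sample are a letter `l` typed for `1` and a letter `O` typed for `0`.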

as51430.net Content Spammer: Research, Ban

as51430.net spammed me, so here is the research for tracking and banning. as51430.net is out of Luxembourg. I did not get spammed by its three sister host names, lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net.

Observation:
lu-customer-ip.as51430.net found the following IPs:

91.214.44.48
91.214.45.104
91.214.46.167
79.142.78.169

Research:
Further research found the following host names that change often: lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net. Maybe they stand for Luxembourg, Netherlands, Sweden? Here is the complete list by ip address, so you can ban all three.