kwpublisher.com is a long-time referrer spammer that I would like to remove. I have tried to ban them with an HTTP_REFERER ban but this does not work. My ISP, Site5, will not help me. This guy seems to have a similar method to kosmetik-freaks.blogspot. They seem to be out of Pakistan mostly, but have gone to Indonesia and China. I am now tracking them closely.
Conclusion: Tracked down the code hotlinking to my site. Complained to their domain name provider. Then they disappeared. Goodbye.
220.127.116.11 x 4 18.104.22.168 – 22.214.171.124 Pakistan Tel
Does your raw access log display a host name of “0”, or zero? Very odd, is it not? I have been struggling with this for a couple of months, and my ISP Site5 had no answers. It turns out that one of my spammers, NFORCE_ENTERTAINMENT, puts an unprintable character into their host table, so that when my ISP looks them up, they display the unprintable character in my log as “0”.
Trying to control your site’s spam can be challenging. If you try to ban an IP that is simply 0, or a host name of “0” you will fail, because there is no zero in their host name, but an unprintable character. Ban these guys instead.
no-ptr.as20860.net is a dual IP spammer with a twist. The originating IP hostname lookup returns three IPs! You’ll need to ban all three, but there’s a lot more. They use IOMart, GB as their ISP.
It seems like this hostname also morphs to numerous IP addresses, making them difficult to track down.
no-ptr.as20860.net hostname lookup 126.96.36.199 188.8.131.52 184.108.40.206
no-ptr.as20860.net not only uses the dual IP spammer strategy, but also changes its host name through many IP addresses, making it doubly difficult to ban.
fvds.ru spammed me, so I researched them. A good portion of their IPs are in the range of 220.127.116.11/24 but there are others. They use a wide variety of names.
t-testing.fvds.ru host lookup 18.104.22.168 is bogus. Research revealed 22.214.171.124 and 126.96.36.199.
static.vdc.vn is a regular content scraper, but it did POST to me and left its IP address. I have been trying to track this one down for a while, but it uses such a wide variety of IP addresses that this is difficult. I could ban large ranges but this would also ban a wide swath of Vietnam, which I do not wish.
static.vdc.vn host name 220.127.116.11 actual 18.104.22.168
vivawebhost.com visited me with a “-” user agent, suspicious at best and certainly a bot. Please, identify yourself.
lucky.vivawebhost.com h 22.214.171.124
extendcp.co.uk had a user agent name of “-” so I thought to look them up and prepare if they attack me.
They use the last octet in their host name, but the first three can vary. Three or four IP ranges should do for banning.
web32.extendcp.co.uk 126.96.36.199 188.8.131.52 – 184.108.40.206 Heart Internet
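An added example, not code from this blog: a small raw-access-log review that flags the “-” user agent described in the vivawebhost.com and extendcp.co.uk posts and the host name “0” described earlier, then groups the flagged IPv4 addresses into /24 ranges as ban candidates. It assumes the Apache combined log format; the sample lines, paths and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache/NCSA "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = '''\
192.0.2.17 - - [27/Feb/2017:10:00:01 +0000] "GET /post-a/ HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [27/Feb/2017:10:00:09 +0000] "POST /comment HTTP/1.1" 200 310 "-" "-"
198.51.100.9 - - [27/Feb/2017:10:01:30 +0000] "GET / HTTP/1.1" 200 7000 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
0 - - [27/Feb/2017:10:02:12 +0000] "GET /post-b/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Feb/2017:10:03:47 +0000] "GET /post-a/ HTTP/1.1" 200 5120 "-" ""
'''

def flag(entry):
    """Return the reasons a parsed log entry deserves a closer look."""
    reasons = []
    if entry["agent"].strip() in ("", "-"):
        reasons.append("blank-user-agent")
    host = entry["host"]
    if host == "0" or any(not ch.isprintable() for ch in host):
        reasons.append("unusable-host")
    return reasons

def review(log_text):
    """Count flagged requests per range; collect hosts that are not IPs."""
    ranges, unresolved = Counter(), []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match or not flag(match.groupdict()):
            continue
        host = match.group("host")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # A host such as "0" cannot be banned as written; it needs research.
            unresolved.append(host)
            continue
        prefix = 24 if ip.version == 4 else 64
        ranges[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return dict(ranges), unresolved

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Hosts returned in the second list are the ones a plain IP or host-name ban will miss, so they are the entries to look up by other means before writing a ban rule.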
1-99seo.com looks like a similar content spammer campaign, from South America/Brazil. The style is very similar to fix-website-errors-com by Semalt, which was really terrible.
1-free-share-buttons.com looks to be the same.
It is these types of content scraper marketing campaigns that waste the receiving web site’s bandwidth. They visit the same pages daily, scraping from multiple IP addresses.
Not overly annoying, secureserver.net is a regular content spammer on my site. I thought it would be good to track them down. Their host names lookup properly and they seem to ban properly, so there seems to not be anything tricky or suspicious.
The whole concept of Tor is a sound one, allowing those in repressive or privacy-optional countries (Canada, US) to anonymously use the internet. Unfortunately this anonymity has been hijacked by the spamming community, taking a benevolent tool and using it for ill. Any IP or hostname used for spamming is game for being banned, Tor or not.
tor.exit.babylon.network has a network of Tor servers that are content spamming me. Normally Tor server IPs are stable, so once you ban them they stay banned. These guys move around a bit, and there are a number of them. If you ban a Tor server, or any other hostname, and they return to spam again, then you know they evaded your security efforts. You need to do more research.