Not overly annoying, secureserver.net is a regular content spammer on my site. I thought it would be good to track them down. Their host names look up properly and they seem to ban properly, so there does not seem to be anything tricky or suspicious.
The whole concept of Tor is a sound one, allowing those in repressive or privacy-optional countries (Canada, US) to anonymously use the internet. Unfortunately this anonymity has been hijacked by the spamming community, taking a benevolent tool and using it for ill. Any IP or hostname used for spamming is game for being banned, Tor or not.
tor.exit.babylon.network has a network of Tor servers that are content spamming me. Normally Tor server IPs are stable, so once you ban them they stay banned. These guys move around a bit, and there are a number of them. If you ban a Tor server, or any other hostname, and they return to spam again, then you know they evaded your security efforts. You need to do more research.
as51430.net spammed me, so here is the research for tracking and banning. as51430.net is out of Luxembourg. I did not get spammed by its three sister host names, lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net.
Observation:
lu-customer-ip.as51430.net found the following IPs:
91.214.44.48
91.214.45.104
91.214.46.167
79.142.78.169
Research:
Further research found the following host names that change often: lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net. Maybe they stand for Luxembourg, Netherlands, Sweden? Here is the complete list by IP address, so you can ban all three.
a228.sub72.net78.udm.net passed me a porn referrer address. I do not tolerate referrer spam on my site, so I looked them up.
Observation:
a228.sub72.net78.udm.net 78.85.72.228
Pattern:
Reading the host name left to right gives the fourth, third, then first octet of the IP address. It is essentially a reversed IP, except they omit the second octet, the 85.
Research:
sub182.net71.udm.net 62.109.26.122
sub214.net71.udm.net 62.109.27.150
blago.Udm.net 78.85.0.6
Security.udm.net 78.85.0.25
22110.s.t4vps.eu spammed me. Though they resolved a host name to 194.135.93.53, there was scant info on this host name, so I researched them. I do not see a pattern.
Observation:
22110.s.t4vps.eu host 194.135.93.53
no.rdns.ukservers.com content spammed me, so I researched them. They have a sister host name, no.rdns-yet.ukservers.com, with very much the same IP ranges. See for yourself. They are industrious in their use of IPs.
bezeqint.net content spammed me, so naturally I researched them. They are very smart, these Israelis, and employ a variety of anti-bot software techniques, in order to evade identification. Hats off to them for deploying these tactics. I hope they keep up the good work.
Observation:
bzq-80-17-106.red.bezeqint.net 82.80.17.106
Pattern:
This ISP employs 3 patterns, interspersed within their IP ranges. You need to differentiate between these three or you will ban the incorrect IP range.
red: reverse first 3 octets, add 4th
red, static.dcenter: straight 4 octets
cablep, red: host name has 3 octets, special number for first octet
Research:
bzq-112-168-31-210.red.bezeqint.net 31.168.112.210
bzq-137-168-31-233.red.bezeqint.net 31.168.137.233
bzq-200-168-31-84.red.bezeqint.net 31.168.200.84
bzq-208-168-31-96.red.bezeqint.net 31.168.208.96
bzq-224-168-31-106.red.bezeqint.net 31.168.224.106
bzq-230-168-31-194.red.bezeqint.net 31.168.230.194
bzq-236-168-31-236.red.bezeqint.net 31.168.236.236
bzq-241-168-31-208.red.bezeqint.net 31.168.241.208
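To tell the host name patterns apart before banning, the check below compares the numbers embedded in a host name with the IP it was observed on; it covers both the udm.net pattern and the three bezeqint.net patterns described on this page. This is an added example, not the author's code: `PATTERNS`, `classify` and `audit` are hypothetical names, and the `static.dcenter` pair is constructed because the page quotes no sample for the straight pattern.

```python
import ipaddress
import re

# (label, host name regex, IP octet index that each captured number must equal)
PATTERNS = [
    ("udm.net: fourth, third, first", r"a(\d+)\.sub(\d+)\.net(\d+)\.udm\.net", (3, 2, 0)),
    ("bezeqint: reversed first 3, then 4th",
     r"bzq-(\d+)-(\d+)-(\d+)-(\d+)\.[a-z.]+\.bezeqint\.net", (2, 1, 0, 3)),
    ("bezeqint: straight 4 octets",
     r"bzq-(\d+)-(\d+)-(\d+)-(\d+)\.[a-z.]+\.bezeqint\.net", (0, 1, 2, 3)),
    ("bezeqint: 3 octets, first octet not in name",
     r"bzq-(\d+)-(\d+)-(\d+)\.[a-z.]+\.bezeqint\.net", (1, 2, 3)),
]

def classify(hostname, observed_ip):
    """Return the label of the first pattern tying hostname to observed_ip, else None."""
    octets = ipaddress.IPv4Address(observed_ip).packed  # four ints, 0-255
    for label, regex, positions in PATTERNS:
        m = re.fullmatch(regex, hostname.lower())
        if m and all(int(g) == octets[i] for g, i in zip(m.groups(), positions)):
            return label
    return None

# Host name / IP pairs quoted on this page, plus one constructed pair (marked).
SAMPLES = [
    ("a228.sub72.net78.udm.net", "78.85.72.228"),
    ("bzq-112-168-31-210.red.bezeqint.net", "31.168.112.210"),
    ("bzq-80-17-106.red.bezeqint.net", "82.80.17.106"),
    ("bzq-31-168-112-210.static.dcenter.bezeqint.net", "31.168.112.210"),  # constructed
    ("sub182.net71.udm.net", "62.109.26.122"),  # on the page, fits no pattern
]

def audit(samples=SAMPLES):
    """Map each host name to the pattern it follows (None = needs manual research)."""
    return {host: classify(host, ip) for host, ip in samples}

if __name__ == "__main__":
    for host, label in audit().items():
        print(f"{host:50} {label}")
```

A `None` result means the name does not encode the observed address under any listed pattern, so the range has to come from a whois lookup rather than from the host name.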
reverse.completel.fr gave me some error 404s, so I thought to look them up. This research excludes reverse.completel.net. Be careful here: although you could ban the whole /16 range, you would exclude a whole bunch of French people, and that would be bad.
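The over-blocking trade-off above, worked through as an added example (not the author's code): it compares one blunt covering ban with a plan that bans a /24 only when several distinct sources sit in it, and converts a whois-style first-last range into exact CIDR blocks. All function names are hypothetical and every address is constructed, using private 10.0.0.0/8 space in place of a real ISP range.

```python
import ipaddress
from collections import defaultdict

# Constructed hits; private 10.218.0.0/16 stands in for an ISP-sized /16.
HITS = ["10.218.35.59", "10.218.35.112", "10.218.64.98", "10.218.64.123",
        "10.218.65.7", "10.218.65.200", "10.218.120.111", "10.218.241.188"]

def covering_supernet(ips):
    """Smallest single CIDR containing every observed address (the blunt ban)."""
    addrs = sorted(ipaddress.IPv4Address(ip) for ip in ips)
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while addrs[-1] not in net:
        net = net.supernet()
    return net

def ban_plan(ips, bucket=24, min_hits=2):
    """Ban a /bucket only if it holds min_hits distinct sources; otherwise ban the /32."""
    buckets = defaultdict(set)
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)
        buckets[ipaddress.ip_network(f"{addr}/{bucket}", strict=False)].add(addr)
    nets = []
    for net, members in buckets.items():
        if len(members) >= min_hits:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(f"{a}/32") for a in members)
    return list(ipaddress.collapse_addresses(nets))  # merges adjacent blocks

def blocked(nets):
    """Total number of addresses a list of bans shuts out."""
    return sum(n.num_addresses for n in nets)

def range_to_cidrs(first, last):
    """Exact CIDR blocks for a whois-style first-last range (may be several)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

if __name__ == "__main__":
    plan = ban_plan(HITS)
    print("blunt ban :", covering_supernet(HITS), blocked([covering_supernet(HITS)]))
    print("targeted  :", [str(n) for n in plan], blocked(plan))
    print("range     :", range_to_cidrs("10.101.136.0", "10.101.151.255"))
```

On the constructed hits the blunt ban shuts out 65,536 addresses while the targeted plan shuts out 770, and the sample range needs two /21 blocks because it does not start on a /20 boundary.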
ioflood.com piqued my interest with their novel hostname: we.love.servers.at.ioflood.com. This turned out to be a barrage of IP addresses, something I did not expect.
Observations:
we.love.servers.at.ioflood.com host lookup 96.45.82.85
Voxility has been scraping me for a while and I’ve banned their hostnames, but I could not look up lh27033.voxility.net, so this started the research.
Observation:
lh27033.voxility.net