Tag: bot

blazingfast.io Content Spammer: Research, Ban

hosted-by.blazingfast.io spammed me, so I looked them up. They are an orderly shop.

Observation:
185.61.138.178

Research:
185.11.144.105

185.11.145.4 185.11.145.0 – 185.11.148.255 185.11.145.0/22
185.11.145.5
185.11.145.7
185.11.145.10
185.11.145.18
185.11.145.184
185.11.145.97
185.11.146.126
185.11.146.139
185.11.146.201
185.11.146.76
185.11.147.3
185.11.147.59

185.61.136.34 185.61.136.0 – 185.61.139.255 185.61.136.0/22
185.61.137.48
185.61.137.50
185.61.137.78
185.61.137.93
185.61.138.25
185.61.138.28
185.61.138.124
185.61.138.170
185.61.138.196
185.61.138.250

185.62.188.3 185.62.188.0 – 185.62.191.255 185.62.188.0/22
185.62.188.55
185.62.188.78
185.62.188.98
185.62.188.100
185.62.188.109
185.62.188.128
185.62.188.148
185.62.188.162
185.62.188.176
185.62.188.177
185.62.189.81
185.62.189.189
185.62.189.211
185.62.190.76
185.62.190.79
185.62.190.156
185.62.190.203

188.209.49.34 188.209.49.0/24
188.209.49.47
188.209.49.84
188.209.49.206

188.209.52.34 188.209.52.0/24
188.209.52.63
188.209.52.109
188.209.52.120

Permanent link to this post (82 words, 0 images, estimated 20 secs reading time)

Yota.ru Content Spammer: Research, Ban

client.yota.ru spammed me so I did research. This Russian spammer makes it difficult to track them down. They are prolific. They also have the host name wimax-client.yota.ru that they also use to spam.

Observations:
client.yota.ru 94.25.168.61 2017-nov-22
client.yota.ru 94.25.173.177 2016-nov-10
client.yota.ru 94.25.177.77 2017-jul-03
client.yota.ru 94.25.179.233 2017-jan-17
client.yota.ru 94.25.180.215 2017-apr-04
client.yota.ru 94.25.228.4 2016-dec-18
client.yota.ru 94.25.229.18 2-17-jan-14
client.yota.ru 94.25.231.224 2016-dec-18
wimax-client.yota.ru 109.188.127.14 2016-dec-02
client.yota.ru 188.162.14.35 2016-dec-30
client.yota.ru 188.162.39.25 2016-nov-12
client.yota.ru 188.162.65.24 2016-sept-20
client.yota.ru 188.162.65.56 2016-nov-12
client.yota.ru 188.162.80.201 2017-feb-21
client.yota.ru 188.162.166.227 2017-jan-17
client.yota.ru 188.162.236.184 2016-oct-30
client.yota.ru 188.162.245.156 2016-sept-20

This is a preview of Yota.ru Content Spammer: Research, Ban. Read the full post (200 words, 0 images, estimated 48 secs reading time)

clientshostname.com Content Scraper: Research, Ban

customer.clientshostname.com scraped me, and the name is very generic, so I thought to research it. clientshostname.com has a lot of customer names prepended to it, so this excludes all their names. Three IP ranges should do you.

Observed:
customer.clientshostname.com

Research:
93.170.13.233 93.170.13.0/24
93.170.13.212
93.170.13.205
104.193.252.10 104.193.252.0/24
104.193.252.1
104.193.252.0
185.104.8.50 185.104.8.0 – 185.104.11.255 UK-KSERVERS
185.104.8.56
185.104.8.52
185.104.8.52
185.104.8.50
185.104.8.126
185.104.9.38
185.104.9.38
185.104.9.37
185.104.9.37
185.104.9.246
185.104.9.236
185.104.9.236
185.104.9.230
185.104.9.228
185.104.10.80
185.104.10.6
185.104.10.17
185.104.10.11
185.104.11.255
185.104.11.195
185.104.11.195
185.104.11.195
185.104.11.143
185.104.11.130
185.104.11.130
185.130.104.134
204.155.31.255
213.180.204.213

Permanent link to this post (82 words, 0 images, estimated 20 secs reading time)

blizoo.bg Content Scraper: Research, Ban

c8fb265ea92a.softphone.blizoo.bg scraped me, but this one is tough.

Observation:
c8fb265ea92a.softphone.blizoo.bg

Research:
0024d19b1333.softphone.blizoo.bg 84.252.31.0 0.36.209.155.19.51 84.252.0.0 – 84.252.63.255 84.252.0.0/18 Blizoo BG
001e6beed8e8.softphone.blizoo.bg 84.252.53.172
0024d1956637.Softphone.Blizoo.Bg 85.130.17.48 85.130.0.0 – 85.130.128.255 85.130.0.0/17

c8fb265ea1a7.softphone.blizoo.bg 130.204.57.130 130.204.0.0 – 130.204.255.255 130.204.0.0/16 BLIZOO Bg
002624ab99a0.softphone.blizoo.bg 130.204.81.53
38c85cd6f4bc.softphone.blizoo.bg 130.204.85.1
00252e5ee5e4.softphone.blizoo.bg 130.204.103.4
a4a24a37efd3.softphone.blizoo.bg 130.204.116.226
00252ea84d9b.softphone.blizoo.bg 130.204.143.1 0.37.46.168.77.155
602ad0d8f8b1.softphone.blizoo.bg 130.204.169.1
a4a24a394b91.softphone.blizoo.bg 130.204.243.142

Permanent link to this post (52 words, 0 images, estimated 12 secs reading time)

direcway.com Content Scraper: Research, Ban

host671420043112.direcway.com is a whisper bot that content scraped me. They are unique in that their hostname is somewhat ambiguous, making machine reading more difficult. All octets can be 2 or 3 digits long, allowing for much ambiguity.

whisper is a very much hated botnet that continues to attack my site, one ip at a time, small but relentless.

Observation:
host671420043112.direcway.com predicted IP is 67.142.112.43

Pattern:
The host name has all of the IP digits but is ambiguous. The first octet can be either 2 or 3 digits, so look at their IP ranges. The third and fourth octets are reversed. The third octet has a prepended “00”.

This is a preview of direcway.com Content Scraper: Research, Ban. Read the full post (157 words, 0 images, estimated 38 secs reading time)

secured-by.zenmate.com: Research, Ban

secured-by.zenmate.com did nothing suspcious, but it did pique my interest, so I did the research.

Observations:
37.58.52.47
37.58.52.107
46.165.234.134
91.109.30.104
91.109.30.91
108.59.8.208 108.59.0.0 – 108.59.15.255 108.59.0.0/20 LEASEWEB
108.59.8.210
108.59.8.218
108.59.10.153
178.162.199.130
178.162.208.142
178.162.216.34
179.43.147.123
179.43.147.205
179.43.147.219
179.43.159.89
179.43.169.28
192.96.205.133
199.115.118.81
199.115.118.83
207.244.72.200
207.244.72.222
207.244.72.228
207.244.77.1
207.244.77.10
207.244.77.4
207.244.77.9
207.244.77.45
207.244.78.12
207.244.79.129
207.244.79.131 linked with referrer kwpublisher
207.244.83.102
207.244.83.206
de51.node.zenmate.io 46.165.208.228
207.244.79.153 secured-by.zenmate.com

Permanent link to this post (63 words, 0 images, estimated 15 secs reading time)

network-consulting.fr Content Spammer: Research, Ban

network-consulting.fr had content spammed me, so I looked them up. They are interesting with its host name usage. if they spam me again i will be ready.

79.98.16.0 – 79.98.23.255 Network Consulting Fr

Observation:
f79.ip.network-consulting.fr My educated guess is 79.98.21.79

Pattern:
network-consulting.fr starts its “A” group from 79.98.16.0. Incrementing up the alphabet adds one number to the third octet, or third octet+. The first number of the host name is the fourth octet.

From this pattern they can go up to “H”

Research:
a20.ip.network-consulting.fr 79.98.16.20
a81.ip.network-consulting.fr 79.98.16.81
b248.ip.network-consulting.fr 79.98.17.248
c4.ip.network-consulting.fr 79.98.18.4
c17.ip.network-consulting.fr 79.98.18.17
c51.ip.network-consulting.fr 79.98.18.51
c61.ip.network-consulting.fr 79.98.18.61
c80.ip.network-consulting.fr 79.98.18.80
c165.ip.network-consulting.fr 79.98.18.165
d49.ip.network-consulting.fr 79.98.19.49

Permanent link to this post (104 words, 0 images, estimated 25 secs reading time)

ztomy.com Content Spammer: Research, Ban

ns1648.ztomy.com has spammed me, but it has been difficult to track down and ban. The ips jump around like mexican jumping beans.

Observations:
I finally got a positive spam hit from 5.231.42.24. and then from 5.231.40.52.
5.41.178.9 ns1648.ztomy.com
5.62.21.221 ns1648.ztomy.com
23.27.250.179 ns1648.ztomy.com 2016-nov-17
104.144.22.219 ns1648.ztomy.com 2016-nov-08
104.144.28.122 ns1648.ztomy.com 2016-oct-12
104.144.28.155 ns1648.ztomy.com 2016-nov-20
184.83.3.154 ns1648.ztomy.com 2016-oct-25
193.169.144.179 ns1648.ztomy.com 2016-nov-20
193.169.144.221 ns1648.ztomy.com 2016-nov-17
193.169.144.230 ns1648.ztomy.com 2016-nov-20
193.169.144.241 ns1648.ztomy.com 2016-nov-20
193.169.144.243 ns1648.ztomy.com 2016-nov-20
193.169.144.247 ns1648.ztomy.com 2016-nov-20
202.51.195.38 ns1648.ztomy.com 2016-nov-16
204.188.238.39 ns1648.ztomy.com 2017-mar-13
205.211.138.134 ns1648.ztomy.com 2016-nov-04

This is a preview of ztomy.com Content Spammer: Research, Ban. Read the full post (179 words, 0 images, estimated 43 secs reading time)

cable.net.co Content Scraper: Research, Ban

You never know what you will find in your travels. dynamic-ip-181500198200.cable.net.co was content scraping me, so I decided to target it. It is part of the large Semalt botnet that started with keywords-monitoring-your-success.com and free-video-tool.comand then continued with fix-website-errors, with a sprinkling of buttons-for-websites thrown in.

Its host name is unique in that it is numerically very long. I could see remnants of a decimal IP address, but there was something odd.

Their pattern is not as predictable as required by a computer but that is precisely the point: They want to fool anti-bot software, but allow their admin staff to figure it out. If staff have a couple of errors it is no problem.

This is a preview of cable.net.co Content Scraper: Research, Ban. Read the full post (349 words, 0 images, estimated 1:24 mins reading time)

7by7.de Content Spammer: Research, Ban

tor-exit-node.7by7.de spammed me today, so I decided to track them down. There is not much on him, but he is a tor exit server.

It is too bad that tor exit servers are used for spamming, as many sites will ban them. Banning due to spamming really defeats the purpose of tor. The best intentions result in misuse.

tor-exit-node.7by7.de 72.52.91.19
tor-exit-node.7by7.de 72.52.91.30
tor-exit-node.7by7.de 96.44.189.101
tor-exit-node.7by7.de 213.61.149.100

7by7.de 91.236.122.1

Permanent link to this post (69 words, 0 images, estimated 17 secs reading time)