Tag: pattern

tor.exit.babylon.network: Research, Ban

The whole concept of Tor is a sound one, allowing those in repressive or privacy-optional countries (Canada, US) to use the internet anonymously. Unfortunately this anonymity has been hijacked by the spamming community, taking a benevolent tool and using it for ill. Any IP or host name used for spamming is fair game for banning, Tor or not.

tor.exit.babylon.network has a network of Tor exit servers that are content spamming me. Normally a Tor server keeps the same IP, so once you ban it, it stays banned. These exits move around, and there are a number of them. If you ban a Tor server, or any other host name, and it returns to spam again from a different address, then you know it evaded your ban. You need to do more research.

as51430.net Content Spammer: Research, Ban

as51430.net spammed me, so here is the research for tracking and banning. as51430.net is out of Luxembourg. I did not get spammed by its three sister host names, lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net.

Observation:
lu-customer-ip.as51430.net resolved to the following IPs:

91.214.44.48
91.214.45.104
91.214.46.167
79.142.78.169

Research:
Further research found the following host names, whose IPs change often: lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net. Maybe they stand for Luxembourg, Netherlands, Sweden? Here is the complete list by IP address, so you can ban all three.

udm.net: Research, Ban

a228.sub72.net78.udm.net passed me a porn referrer address. I do not tolerate referrer spam on my site, so I looked them up.

Observation:
a228.sub72.net78.udm.net 78.85.72.228

Pattern:
The host name carries three of the four octets, in reverse order: a228 is the fourth octet, sub72 the third and net78 the first. The second octet, 85, is not in the name at all. It is essentially a reversed IP with the second octet omitted, so to rebuild the address take the net number, then 85, then the sub number, then the a number.

Research:
sub182.net71.udm.net 62.109.26.122
sub214.net71.udm.net 62.109.27.150
blago.udm.net 78.85.0.6
security.udm.net 78.85.0.25

t4vps.eu Content Spammer: Research, Ban

22110.s.t4vps.eu spammed me. The host name resolved to 194.135.93.53, but there was scant info on it, so I researched them. The number in the host name does not encode the IP; I do not see a pattern.

Observation:
22110.s.t4vps.eu 194.135.93.53

Research:
12927.s.t4vps.eu 79.98.27.251

20951.s.t4vps.eu 109.235.64.29
13769.s.t4vps.eu 109.235.67.32
2857.s.t4vps.eu 109.235.69.177
20895.s.t4vps.eu 109.235.69.253

14223.s.t4vps.eu 185.5.52.22
13060.s.t4vps.eu 185.5.54.228
2993.s.t4vps.eu 185.5.55.83
14913.s.t4vps.eu 185.69.53.149
3955.s.t4vps.eu 185.69.55.222
13924.s.t4vps.eu 185.69.55.62
6v3.f.t4vps.eu 185.81.164.166

91j.f.t4vps.eu 194.135.82.223
11464.s.t4vps.eu 194.135.89.184
16367.s.t4vps.eu 194.135.89.238
6625.s.t4vps.eu 194.135.90.109
12542.s.t4vps.eu 194.135.90.130
10115.s.t4vps.eu 194.135.91.215
5kq.f.t4vps.eu 194.135.92.5
5710.s.t4vps.eu 194.135.92.115
22110.s.t4vps.eu 194.135.93.53
8982.s.t4vps.eu 194.135.93.227
5260.s.t4vps.eu 194.135.94.0

21238.s.t4vps.eu 212.24.99.167
19231.s.t4vps.eu 212.24.105.218
18976.s.t4vps.eu 212.24.107.132
19514.s.t4vps.eu 212.24.110.13
21210.s.t4vps.eu 212.24.111.80

ukservers.com Content Spammer: Research, Ban

no.rdns.ukservers.com content spammed me, so I researched them. They have a sister host name, no.rdns-yet.ukservers.com, with very much the same IP ranges. See for yourself. They are industrious in their use of IPs. Note that a name like no.rdns.ukservers.com is the provider's placeholder for addresses whose customers have not set reverse DNS, which is why one "host name" turns up across so many ranges; a ban keyed on that name hits every such customer, so the ranges below matter more than the name does.

no.rdns.ukservers.com
5.101.138.140 5.101.136.0 – 5.101.151.255 5.101.136.0/21
5.101.142.102
5.101.145.22
5.101.146.130

31.132.3.176 31.132.3.0/24
31.132.3.239

37.9.62.107 37.9.62.0/24
37.9.62.221
37.9.62.36
37.9.62.41
37.9.62.6
37.9.62.96

54.213.200.95

77.74.192.190 77.74.192.0 – 77.74.199.255 77.74.192.0/21
77.74.194.62
77.74.195.112
77.74.196.231

77.75.122.146

78.110.160.140 78.110.160.0 – 78.110.175.255 78.110.160.0/20
78.110.160.234
78.110.169.178
78.110.169.210
78.110.174.241
78.110.175.202

78.157.192.57 78.157.192.0/24
78.157.192.72
94.46.207.1

94.229.65.56 94.229.64.0 – 94.229.81.255 94.229.64.0/20
94.229.65.171
94.229.67.15
94.229.67.16
94.229.67.33
94.229.67.57
94.229.72.115
94.229.72.116
94.229.72.117
94.229.72.135
94.229.74.89
94.229.75.3
94.229.75.9
94.229.76.195
94.229.76.200
94.229.78.60
94.229.79.3
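Before turning the list above into firewall rules it is worth checking the stated ranges against the hits, because a range copied by hand can be narrower than the addresses it is meant to cover. The following is an added example, not code from the original post; the addresses, ranges and CIDRs are copied from the list above, and the constant layout is this example's. It converts each stated start-end range into the exact CIDR blocks that cover it, flags ranges whose stated CIDR disagrees with the stated start and end, and lists the hits that none of the stated CIDRs would block.

```python
"""Check the no.rdns.ukservers.com hits against the blocks you mean to ban.

Added example, not code from the original post. All addresses, ranges
and CIDRs below are copied from the post; only the layout is ours.
"""
from ipaddress import ip_address, ip_network, summarize_address_range

# Stated (start, end, CIDR) triples for the ranges the post annotates.
STATED_RANGES = [
    ("5.101.136.0", "5.101.151.255", "5.101.136.0/21"),
    ("77.74.192.0", "77.74.199.255", "77.74.192.0/21"),
    ("78.110.160.0", "78.110.175.255", "78.110.160.0/20"),
    ("94.229.64.0", "94.229.81.255", "94.229.64.0/20"),
]

# Every CIDR the post puts next to a hit.
STATED_CIDRS = [ip_network(c) for c in (
    "5.101.136.0/21", "31.132.3.0/24", "37.9.62.0/24", "77.74.192.0/21",
    "78.110.160.0/20", "78.157.192.0/24", "94.229.64.0/20",
)]

# All no.rdns.ukservers.com hits from the post, in the order listed.
HITS = """
5.101.138.140 5.101.142.102 5.101.145.22 5.101.146.130
31.132.3.176 31.132.3.239
37.9.62.107 37.9.62.221 37.9.62.36 37.9.62.41 37.9.62.6 37.9.62.96
54.213.200.95
77.74.192.190 77.74.194.62 77.74.195.112 77.74.196.231
77.75.122.146
78.110.160.140 78.110.160.234 78.110.169.178 78.110.169.210 78.110.174.241 78.110.175.202
78.157.192.57 78.157.192.72
94.46.207.1
94.229.65.56 94.229.65.171 94.229.67.15 94.229.67.16 94.229.67.33 94.229.67.57
94.229.72.115 94.229.72.116 94.229.72.117 94.229.72.135 94.229.74.89 94.229.75.3
94.229.75.9 94.229.76.195 94.229.76.200 94.229.78.60 94.229.79.3
""".split()


def exact_blocks(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return [str(n) for n in summarize_address_range(ip_address(first), ip_address(last))]


def range_mismatches(ranges=STATED_RANGES):
    """{stated CIDR: exact blocks} for every range the stated CIDR fails to cover."""
    out = {}
    for first, last, cidr in ranges:
        net = ip_network(cidr)
        # net[0] is the network address, net[-1] the broadcast address
        if ip_address(first) < net[0] or ip_address(last) > net[-1]:
            out[cidr] = exact_blocks(first, last)
    return out


def unblocked_hits(hits=HITS, cidrs=STATED_CIDRS):
    """Hits that fall outside every stated CIDR and would still get through."""
    return [h for h in hits if not any(ip_address(h) in net for net in cidrs)]


if __name__ == "__main__":
    for cidr, blocks in range_mismatches().items():
        print(f"{cidr} does not cover its stated range; exact cover: {', '.join(blocks)}")
    for h in unblocked_hits():
        print(f"{h} is outside every stated block")
```

Run as written it reports that 5.101.136.0/21 only reaches 5.101.143.255, so 5.101.145.22 and 5.101.146.130 would still get through (the stated start-end needs 5.101.136.0/21 plus 5.101.144.0/21), that 94.229.64.0 to 94.229.81.255 is a /20 plus 94.229.80.0/23, and that three single addresses (54.213.200.95, 77.75.122.146, 94.46.207.1) have no range stated at all.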

bezeqint.net Content Spammer: Research, Ban

bezeqint.net content spammed me, so naturally I researched them. This Israeli ISP is clever: it uses several reverse-DNS naming schemes side by side, which makes it harder to work out the IP range from a host name. Hats off to them for deploying these tactics. I hope they keep up the good work.

Observation:
bzq-80-17-106.red.bezeqint.net 82.80.17.106

Pattern:
This ISP uses three naming patterns, interspersed within its IP ranges. You need to tell the three apart or you will ban the wrong IP range.

  1. red: four numbers, the first three reversed: bzq-A-B-C-D.red -> C.B.A.D (bzq-112-168-31-210 -> 31.168.112.210)
  2. red, static.dcenter: four numbers, straight: bzq-A-B-C-D -> A.B.C.D
  3. cablep, red: three numbers, with a fixed first octet that is not in the name: bzq-B-C-D -> 82.B.C.D in the observed case (bzq-80-17-106.red -> 82.80.17.106)

Patterns 1 and 2 look identical in the name, so the only way to tell them apart is to compare the decoded address with the IP that actually connected.

Research:
bzq-112-168-31-210.red.bezeqint.net 31.168.112.210
bzq-137-168-31-233.red.bezeqint.net 31.168.137.233
bzq-200-168-31-84.red.bezeqint.net 31.168.200.84
bzq-208-168-31-96.red.bezeqint.net 31.168.208.96
bzq-224-168-31-106.red.bezeqint.net 31.168.224.106
bzq-230-168-31-194.red.bezeqint.net 31.168.230.194
bzq-236-168-31-236.red.bezeqint.net 31.168.236.236
bzq-241-168-31-208.red.bezeqint.net 31.168.241.208
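The udm.net pattern above and the three bezeqint.net patterns can be checked mechanically, and doing so also settles the ambiguity the bezeqint patterns create: a four-number bzq-…red name yields a valid address both reversed and straight, so only the address that actually connected tells the schemes apart. The following is an added example, not code from the original posts. It encodes the udm.net scheme and the three bezeqint schemes as regexes, decodes every address a name could mean, and reports which scheme the connecting IP confirms. The (name, IP) pairs in it are copied from the posts; the label layout assumed for static.dcenter names, the 82 used as the fixed first octet (the only one the posts show) and the deliberately mismatched pair in the test are this example's assumptions.

```python
"""Decode the IPv4 address embedded in a reverse-DNS (PTR) name.

Added example, not code from the original posts. Implements the udm.net
scheme and the three bezeqint.net schemes the posts describe. Sample
(name, IP) pairs are copied from the posts; the static.dcenter label
layout and the fixed first octet 82 are assumptions from the posts' data.
"""
import re
from ipaddress import IPv4Address, AddressValueError

# (scheme key, regex over the lower-cased name, octets in address order)
SCHEMES = [
    # udm.net: a<4th>.sub<3rd>.net<1st>.udm.net; the 2nd octet (85) is
    # absent from the name, so it is supplied here as a constant.
    ("udm-reversed",
     re.compile(r"^a(\d+)\.sub(\d+)\.net(\d+)\.udm\.net$"),
     lambda g: (g[2], "85", g[1], g[0])),
    # bezeqint pattern 1: bzq-A-B-C-D.red -> C.B.A.D
    ("bzq-reversed3",
     re.compile(r"^bzq-(\d+)-(\d+)-(\d+)-(\d+)\.red\.bezeqint\.net$"),
     lambda g: (g[2], g[1], g[0], g[3])),
    # bezeqint pattern 2: bzq-A-B-C-D.red or .static.dcenter -> A.B.C.D
    # (the exact label layout of static.dcenter names is an assumption)
    ("bzq-straight4",
     re.compile(r"^bzq-(\d+)-(\d+)-(\d+)-(\d+)\.(?:red|static\.dcenter)\.bezeqint\.net$"),
     lambda g: (g[0], g[1], g[2], g[3])),
    # bezeqint pattern 3: bzq-B-C-D.red or .cablep -> 82.B.C.D; 82 is the
    # only first octet the posts show, other prefixes may exist.
    ("bzq-fixed82",
     re.compile(r"^bzq-(\d+)-(\d+)-(\d+)\.(?:red|cablep)\.bezeqint\.net$"),
     lambda g: ("82", g[0], g[1], g[2])),
]


def candidates(ptr_name):
    """Map each scheme the name fits to the address it would encode."""
    name = ptr_name.strip().lower().rstrip(".")
    found = {}
    for key, rx, order in SCHEMES:
        m = rx.match(name)
        if not m:
            continue
        try:
            found[key] = IPv4Address(".".join(order(m.groups())))
        except AddressValueError:
            continue  # a label such as 999 cannot be an octet under this scheme
    return found


def classify(ptr_name, connecting_ip):
    """Return the scheme whose embedded address equals the connecting IP, else None.

    None means the name does not vouch for this address: either the name
    follows no known scheme, or the PTR and the connecting IP disagree.
    """
    ip = IPv4Address(connecting_ip)
    for key, addr in candidates(ptr_name).items():
        if addr == ip:
            return key
    return None


# (PTR name, connecting IP) pairs copied from the posts
OBSERVED = [
    ("a228.sub72.net78.udm.net", "78.85.72.228"),
    ("bzq-80-17-106.red.bezeqint.net", "82.80.17.106"),
    ("bzq-112-168-31-210.red.bezeqint.net", "31.168.112.210"),
    ("bzq-241-168-31-208.red.bezeqint.net", "31.168.241.208"),
    ("sub182.net71.udm.net", "62.109.26.122"),  # fits no scheme
]

if __name__ == "__main__":
    for name, ip in OBSERVED:
        print(f"{name:40} {ip:16} {classify(name, ip)}")
    # A four-number .red name reads two ways; only the connecting IP settles it.
    print(candidates("bzq-112-168-31-210.red.bezeqint.net"))
```

A result of None is the signal worth acting on: the PTR name follows no known scheme, or it does not agree with the connecting address, so it should not be used to pick a range to ban. For the sub*.net71.udm.net names in the udm.net research list the decoder returns None as well; they do not follow the a/sub/net scheme.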

7by7.de Content Spammer: Research, Ban

tor-exit-node.7by7.de spammed me today, so I decided to track them down. There is not much on it, but it is a Tor exit node.

It is too bad that Tor exit servers are used for spamming, as many sites will ban them. Banning due to spamming really defeats the purpose of Tor. The best intentions result in misuse.

tor-exit-node.7by7.de 72.52.91.19
tor-exit-node.7by7.de 72.52.91.30
tor-exit-node.7by7.de 96.44.189.101
tor-exit-node.7by7.de 213.61.149.100

7by7.de 91.236.122.1

mbahrain.net: Research, Ban

mbahrain.mbahrain.net is using the Zend_Http_Client user agent, so they get banned. They are small, only 2 IPs.

mbahrain.mbahrain.net 198.57.181.97 198.57.128.0 – 198.57.255.255 198.57.128.0/17 UNIFIEDLAYER
mbahrain.mbahrain.net 198.57.168.229

greencloudvps.com: Research, Ban

10gbpsnl.greencloudvps.com hit my site looking for security weaknesses, so I thought it wise to research them and send them packing. They are a VPS provider, so I will never find the actual intruder, only the host they rented.

Their IPs are spotty, scattered across several ranges, so I will start small and work my way up.

Observed:
10gbpsnl.greencloudvps.com 93.158.215.90 93.158.215.0 – 93.158.215.255 SERVERIUS NL
10gbpsnl.greencloudvps.com 93.158.215.92

Research:
lgvn.greencloudvps.com 66.249.69.189

kvmla2.greencloudvps.com 92.210.165.94
lgnl.greencloudvps.com 93.158.203.162

lgnv.greencloudvps.com 104.194.14.71
104.223.6.19.static.greencloudvps.com 104.223.6.19

107.161.93.161.static.greencloudvps.com 107.161.93.161

lgaz.greencloudvps.com 148.163.90.3

kvmla2.greencloudvps.com 192.210.165.97
kvmla2.greencloudvps.com 192.210.165.96

198.55.115.24.static.greencloudvps.com 198.55.115.24
198.55.115.58.static.greencloudvps.com 198.55.115.58

hukot.net Tor Exit: Research, Ban

108-36.hukot.net seems to be a Tor exit server. While I am all for the philosophy of net privacy, these Tor servers more often than not are used to content spam me. As a result I ban almost all of them. It is human nature, I suppose, to take something that should be beneficial and, using selfish and personal reasons, turn it to a tool of the bad.

Oh well, who am I to judge. This is my site, I ban content spammers, and I therefore also ban Tor content spammers, exit or not.

hukot.net seems to be an ISP from the Czech Republic.
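All three Tor posts on this page (tor.exit.babylon.network, tor-exit-node.7by7.de, 108-36.hukot.net) identify an exit by its reverse-DNS name, and the babylon post notes that the exits come back on new addresses. A PTR name is set by whoever controls the address block, so it neither proves nor disproves that an address is a Tor exit, and it is gone as soon as the exit moves. The Tor Project publishes the exit addresses themselves: a bulk exit list (one address per line, at https://check.torproject.org/torbulkexitlist at the time of writing) and the DNSEL lookup service. The following is an added example, not code from the original posts: it parses a list in that format, checks a connecting address against it, builds the DNSEL query name, and applies the posts' host-name bans only as a secondary rule. The embedded list is constructed from the addresses the 7by7.de post attributes to tor-exit-node.7by7.de and is not a download of the live list; no network lookup is performed.

```python
"""Decide whether a connecting address is a Tor exit without trusting its PTR name.

Added example, not code from the original posts. SAMPLE_EXIT_LIST is a
constructed sample in the bulk-exit-list format (one address per line),
seeded with the addresses the 7by7.de post lists; it is not the live list.
"""
from ipaddress import ip_address

# Constructed sample; the comment, blank and junk lines exercise the parser.
SAMPLE_EXIT_LIST = """\
# constructed sample, not the live list
72.52.91.19
72.52.91.30
96.44.189.101

213.61.149.100
not-an-address
"""

# Reverse-DNS names the posts decided to ban; matched as exact name or subdomain.
BANNED_PTR_SUFFIXES = (
    "tor.exit.babylon.network",
    "tor-exit-node.7by7.de",
    "108-36.hukot.net",
)


def load_exit_list(text):
    """Parse a bulk-exit-list body into a frozenset of addresses, skipping junk lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ip_address(line))
        except ValueError:
            continue  # malformed line: ignore it rather than abort the whole load
    return frozenset(exits)


EXITS = load_exit_list(SAMPLE_EXIT_LIST)


def is_tor_exit(ip, exits=EXITS):
    """True when the address appears in the (periodically refreshed) exit list."""
    return ip_address(ip) in exits


def dnsel_query_name(ip):
    """Query name for the Tor Project's DNSEL: reversed octets under dnsel.torproject.org.

    An answer of 127.0.0.2 means 'exit'; NXDOMAIN means 'not an exit'.
    The lookup itself is not performed here so the example runs offline;
    only IPv4 is handled in this example.
    """
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example builds IPv4 DNSEL names only")
    return ".".join(reversed(str(addr).split("."))) + ".dnsel.torproject.org"


def ptr_is_banned(ptr_name):
    """Case-insensitive match of a PTR name against the banned names or their subdomains."""
    if not ptr_name:
        return False
    name = ptr_name.strip().lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in BANNED_PTR_SUFFIXES)


def ban_reason(ip, ptr_name=None, exits=EXITS):
    """Why to ban this request, or None. The exit list outranks the PTR name."""
    if is_tor_exit(ip, exits):
        return "tor-exit"
    if ptr_is_banned(ptr_name):
        return "banned-ptr"
    return None


if __name__ == "__main__":
    for ip, ptr in [("72.52.91.19", None), ("203.0.113.7", "tor-exit-node.7by7.de"),
                    ("203.0.113.8", "example.net")]:
        print(f"{ip:16} {ptr!s:28} {ban_reason(ip, ptr)}  dnsel: {dnsel_query_name(ip)}")
```

In practice the list is re-downloaded on a schedule and the PTR rule is kept only for names you have already seen spamming; an exit that moves to a new address is then caught by the list rather than slipping past a stale host-name ban.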