static.vdc.vn is a regular content scraper, but it did POST to me and left its IP address. I have been trying to track this one down for a while, but it uses such a wide variety of IP addresses that this is difficult. I could ban large ranges, but this would also ban a wide swath of Vietnam, which I do not wish.
static.vdc.vn host name 184.108.40.206 actual 220.127.116.11
vivawebhost.com visited me with a “-” user agent, suspicious at best and certainly a bot. Please, identify yourself.
lucky.vivawebhost.com h 18.104.22.168
extendcp.co.uk had a user agent name of “-” so I thought to look them up and prepare if they attack me.
They use the last octet in their host name, but the first three can vary. Three or four IP ranges should do for banning.
web32.extendcp.co.uk 22.214.171.124 126.96.36.199 – 188.8.131.52 Heart Internet
Not overly annoying, secureserver.net is a regular content spammer on my site. I thought it would be good to track them down. Their host names look up properly and they seem to ban properly, so there seems to not be anything tricky or suspicious.
The whole concept of Tor is a sound one, allowing those in repressive or privacy-optional countries (Canada, US) to anonymously use the internet. Unfortunately this anonymity has been hijacked by the spamming community, taking a benevolent tool and using it for ill. Any IP or hostname used for spamming is game for being banned, Tor or not.
tor.exit.babylon.network has a network of Tor servers that are content spamming me. Normally Tor server IPs are stable, so once you ban them they stay banned. These guys move around a bit, and there are a number of them. If you ban a Tor server, or any other hostname, and they return to spam again, then you know they evaded your security efforts. You need to do more research.
as51430.net spammed me, so here is the research for tracking and banning. as51430.net is out of Luxembourg. I did not get spammed by its three sister host names, lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net.
lu-customer-ip.as51430.net found the following IPs:
Further research found the following host names that change often: lux-net-ip.as51430.net, nld-net-ip.as51430.net, and swe-net-ip.as51430.net. Maybe they stand for Luxembourg, Netherlands, Sweden? Here is the complete list by IP address, so you can ban all three.
a228.sub72.net78.udm.net passed me a porn referrer address. I do not tolerate referrer spam on my site, so I looked them up.
Fourth, 85, third, then first octet from the host name. It is essentially a reversed IP, except they omit the second octet, the 85.
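The udm.net naming scheme described above can be decoded mechanically, checked against the address that actually connected (the kind of host name versus actual mismatch noted for static.vdc.vn), and collapsed into ban ranges. The Python below is an added example, not code from this blog; the function names are hypothetical, and every sample record except the host name a228.sub72.net78.udm.net is constructed.

```python
import ipaddress
import re

# Pattern the post describes: a<4th>.sub<3rd>.net<1st>.udm.net, with the
# second octet (85) left out of the host name.
UDM_RE = re.compile(r"^a(\d{1,3})\.sub(\d{1,3})\.net(\d{1,3})\.udm\.net\.?$", re.I)
UDM_SECOND_OCTET = 85  # the omitted octet, as stated in the post

def ip_from_udm_host(host):
    """Rebuild the IPv4 address encoded in a udm.net host name, or None."""
    m = UDM_RE.match(host.strip())
    if not m:
        return None
    fourth, third, first = (int(g) for g in m.groups())
    try:
        return ipaddress.IPv4Address(f"{first}.{UDM_SECOND_OCTET}.{third}.{fourth}")
    except ipaddress.AddressValueError:
        return None  # an octet above 255 cannot be a real encoding

def classify(records):
    """Split (host, connecting_ip) pairs into consistent and mismatched."""
    ok, mismatch = [], []
    for host, seen in records:
        encoded = ip_from_udm_host(host)
        seen_ip = ipaddress.IPv4Address(seen)
        (ok if encoded == seen_ip else mismatch).append((host, seen_ip, encoded))
    return ok, mismatch

def ban_ranges(ips, prefix=24):
    """Collapse addresses into the smallest set of /prefix-or-wider networks."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed sample log pairs. Only the first host name is from the post;
# its address is derived from the post's octet rule, the rest are made up.
SAMPLE = [
    ("a228.sub72.net78.udm.net", "78.85.72.228"),
    ("a17.sub72.net78.udm.net", "78.85.72.17"),
    ("a9.sub73.net78.udm.net", "78.85.73.9"),
    ("a40.sub10.net78.udm.net", "203.0.113.40"),  # name and address disagree
]

if __name__ == "__main__":
    ok, mismatch = classify(SAMPLE)
    print("ban:", ban_ranges(ip for _, ip, _ in ok))
    for host, seen, encoded in mismatch:
        print(f"mismatch: {host} encodes {encoded}, connected from {seen}")
```

A record in the mismatch list means the host name cannot be trusted as a ban key, so ban on the connecting address instead.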