Blocking Netcathost
I was reviewing some .htaccess blocks, and realized I’d blocked several IP numbers in these two ranges:
195.225.176.
195.225.177.
I’ve currently got one Italian language (but actually Russian) spammer who keeps switching IP numbers within those ranges.
So, better to just block those two altogether. Since the block belongs to a webhosting company, I don’t see it blocking legitimate surfers. I guess you can live without trackbacks from blogs hosted on Netcathosting, right?
September 10th, 2006 at 9:22 am
Those sound familiar. To quote from our .htaccess:
# NetcatHosting, Ukraine - too much spam and other dubious requests from there
I’ve actually blocked 178 and 179, too.
September 10th, 2006 at 10:32 am
deny from 195.225.176.
deny from 195.225.177.
will work?
September 10th, 2006 at 10:38 am
To Ajay,
Always worked for me. The server isn’t throwing fits, and no more Italian language spam (so far).
September 10th, 2006 at 2:11 pm
Ajay, your method can be optimised:
You can also use CIDR ranges which will save you a lot of typing
Netcathost resides within 195.225.176.0 - 195.225.179.255 so you can easily write the following instead:
Deny from 195.225.176.0/2224 => 195.225.176.
23 => 195.225.176., 195.225.177.
22 => 195.225.176., 195.225.177., 195.225.178., 195.225.179.
These are always multiples of two. 24 also equals a total of 256 addresses. 25 would be 128 addresses and so forth (with 32 as endpoint for a single ip address)
September 13th, 2006 at 9:38 am
One of the things I have come to question quite a bit is, people tend to BLOCK all IP blocks any certain Provider resides in. What is the point of this? Myself, I do not see where or why any dedicated server machine should be transmitting ANY web traffic to another site UNLESS it is reading a news feed to update it’s own site’s news, or to read some other matter on the remote site. Using a dedicated server as means for sending spam or viewing material on another site is completely un-needed. If you want anonimity, use google’s translator or something like that.
We’ve run into this problem with blocking COMPLETE IP blocks for a single machine’s abuse. What is the point of this? Why block a full range for 3-4 abusive IPs? Why not leave the rest of the network available to spam so you can notify the Provider about the abuse? I see no point in the block.
September 13th, 2006 at 10:15 am
An example of what I was talking about in my previous post would be about Ann’s battle with I believe it was hostgator. They had simply nullrouted traffic to her blog from their entire network. She argued how irresponsible that was and how it only allowed people to continually spam on their network, only now she couldn’t report on it. If your going to simply block a provider’s complete ip blocks, why not just have them block you instead? HeH… Just a thought, I’ll wait a few more minutes for critisizm (Sp?)
September 13th, 2006 at 1:06 pm
Alt F4, I don’t like your overgeneralisation of how people are blocking offenders. Everyone has a different strategy and eventually chooses what serves the purpose of blocking spam best. But in general I assume, the larger the network chunks that land on block lists the greater the spam problem is.
Regarding your suggestion of having complainants blocked on the hoster site:
Why not simply terminate the spammer? Why not having ToS that make sure to have the right to shutdown people if necessary? If spammers are your preferred choice then of course many people will start blocking the network, because usually LARTing spam friendly services is a waste of time. No one is forcing the people to block these ranges, but if they do nonetheless, they surely have a reason for it.
Vasily
September 13th, 2006 at 7:32 pm
What I’m saying is… What is the point of being so against spam, if your just going to block the ip block of the network, and continue to wait for other spam? Why not build up your filters on the spam you received from that machine and report it off to the provider? How is it such a waste of time if you have it provide you an automated report? I mean you are all generally very smart with handling spam. Why not provide yourself with a nice evidential write-up to send off manually via email or ticket to the provider and see what happens after 48 hours? I mean if you get no response, why not follow up and see if any response comes then? Wait another 24 hours after the followup. If they don’t respond or don’t take any action, take that as means to block the provider’s netblock(s).
I’m sure we’re going to get the “It’s my server, my bandwidth, my time” crap on this one, but if you put so much time in commenting and writing up articles on hosts such as this one, why not send off the 2 emails and give yourself better leverage to promote the blocking of that provider?
September 14th, 2006 at 2:55 am
To aLt.F4,
I’ve been thinking I’d like to have something that automatically looks up where to send abuse letters. But there’s a problem with it. The letters would come in such bulk, I’d probably be blacklisted with the webhosts.
But I think I see where you’re coming from - you don’t get enough notice there are bad guys on your network, and you want something like spamcop to make sure you get notified more quickly.
But right now, it’s a bit too theoretical. Like for instance, exactly where does the spam end up? If not on my blog, then how could I complain? Would we have ANOTHER database filled with spam, then? Just asking.
September 14th, 2006 at 3:21 am
The whole issue with automated reporting is it itself is used for spam. I’m not talking about having the script see where to send it to and send it. I’m saying have it output a generic reporting message in which will contain some relevent evidences. I mean sure, get spammed, block the machine, not the whole network!? For people who are into anti-spam, why not just ask the network to block you? If your going to block the whole network, how are you to continue with your anti-spam efforts if you’ve already blocked the whole network? Honestly, When people look at whois, or they have automated programs such as spamcop, they send to ALL email addresses in whois. This is rediculous and completely unneeded. Your spamming the company yourself. There is 1 place to report abuse, that’s the OrgAbuseEmail. If the company your sending to asks that you report via their website, go do that! Why is it so much of a difference for people to report to the companies that they’de rather write a multi page report on the spammer, and respond to commenting parties, and NEVER report it to the provider!? If your having connectivity trouble to a network, you contact the OrgTechEmail. I mean you don’t email all 3 just to get an abuse report in. Abuse is the only division you need to contact.
September 14th, 2006 at 3:30 am
To aLt.F4,
It’s not always that easy. Take xoomer.alice.it. I still haven’t sent an abuse complaint to them. Why? Because I can’t find an address to send to, and I can’t find a webform. Why? Because I don’t understand Italian.
And just because your company has a working abuse system, doesn’t mean every other company does.
But I like your idea about software to pull relevant data. The problem is, it would have to be custom fitted to each site if you need to include log snippets too.
Your idea, if implemented, could be a good tool for anti-spammers. Pull out stuff automatically, then send manually. Not sure I’d call it a blocklist, and not sure I’d use those two functionalities together. But something that standardizes complaints, ala Spamcop, might be of interest.
Are you offering to code it too?
September 14th, 2006 at 3:54 am
Ann, xoomer.alice.it is a perfect example of why NOT to report to the provider, you truly CAN’T. I’m not saying report to EVERY single provider in which you receive spam from, I mean if your unsuccessful the first time with them, sure, don’t waste your time. But if you’re just starting with that provider on spam, why shouldn’t you report?
The thing I am talking about with automated output is to simply get the data for you to give you a leg up on why to report the spam.
Depending on how the system worked, I would ofcourse contribute to the project. But as always, I already have enough under my belt for now
November 30th, 2006 at 2:48 pm
[…] The domain names used for the email addresses are all hosted on the same server: 195.225.176.115, which belongs to NetcatHosting in the Ukraine. In other words: Nothing good will be coming from there. […]
June 10th, 2007 at 4:52 pm
why talk about the server address? why not the home address? maybe it should be personal.