Archive for the ‘Bots’ Category

Spambots from Saudi Arabia and Syria

Saturday, January 20th, 2007

I just cleaned out my database, and found these:


Spambots for hire? Ban!

Hungry bot

Friday, November 17th, 2006

One of my sites showed a spike in accesses, and I investigated. Turned out to be this one:

69.57.190.188
Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)

Start [17/Nov/2006:05:08:13 -0700]
Finish [17/Nov/2006:05:15:02 -0700]
2719 requests

It loads css files but no image files. It gets lost on forums and wikis.

Beware!

I saw two other IP numbers with the same (fake) user agent, but they only loaded a few pages each:

24.54.247.123, 85.11.188.85

New spambot set - powerstorm.ai.net

Monday, October 9th, 2006

I just found a new spambot set represented among the spam comments received since last night:

205.134.172.131 , www131.powerstorm.ai.net
205.134.172.133 , www133.powerstorm.ai.net
205.134.172.137 , www137.powerstorm.ai.net
205.134.172.138 , www138.powerstorm.ai.net
205.134.172.139 , www139.powerstorm.ai.net
205.134.172.141 , www141.powerstorm.ai.net

The Israeli was one of the outfits represented (or rather, the spam was totally consistent with their MO). There was also spam for a porn outfit, with this whois:

Losie Janert ottmac@yahoo.com
55896 kolirer Rue
Paris
Leone
44589
FR
Phone: +1.6136140491
NS1.FUZZYNS.COM 67.15.133.2
NS2.FUZZYNS.COM 209.200.14.229

What’s interesting is that this spammer uses the same dns servers as the Israeli, although the IP is 66.98.251.26, while the spam from the Israeli is (currently) on 205.134.172.136, and another domain on 205.134.172.135 - smack in the middle of the spambot range.

Hmmm, the whois for fuzzyns.com is textbook Israeli:

Susan Harris contact@top-contact-4u.com
Susan Harris
275 Main Street
St Lucia
VG
A2v W1
VG
Phone: +1.2852297362

Others have complained about these spambots as well:

Boblycat, Willmac 1, Willmac 2

According to Willmac, the spambots have been operational since the end of July at least!

208.66.195 spam harvester territory

Tuesday, September 19th, 2006

I found these in my logs:


Some are very hungry. We’re talking about a few hundred megabytes between them. And the bot is clueless, as this GET should illustrate:

GET /w/index.php?title=Special:Listadmins&amp%3Blimit=500&amp%3Boffset=0&feed=rss

Project Honeypot determined that this one was most likely a spam harvester. V7n also noticed its behavior and recommended blocking.

Blocking Netcathost

Sunday, September 10th, 2006

I was reviewing some .htaccess blocks, and realized I’d blocked several IP numbers in these two ranges:

195.225.176.
195.225.177.

I’ve currently got one Italian language (but actually Russian) spammer who keeps switching IP numbers within those ranges.

So, better to just block those two altogether. Since the block belongs to a webhosting company, I don’t see it blocking legitimate surfers. I guess you can live without trackbacks from blogs hosted on Netcathosting, right?

Robotcoop ignores copyright

Monday, August 14th, 2006

I just got a referrer from 43people.com. They’re publishing my blog - somewhere else. Yep, I said, my blog. The whole posts. I must have forgotten to bring the copyright infringement notice over from my previous host, because it’s not there. But they obviously haven’t read my copyright notice either (it’s at the top of the right pane on the main page), because it says outright that what they’re doing isn’t allowed.

Some thought went into this, because they have my photo and a short bio as well. It’s like a small website. Now that I don’t like. My website is here, not over there.

So, what to do. I guess I’ll let them grab this post, and then think about blocking.

So, how to block…

Their robot has this user agent:

http://www.robotcoop.com

And the IP number is: 65.61.137.66

And to the one user who’s accessing my site through that service: Sorry, you’ll have to find another aggregator.

Update: So why don’t I like websites syndicating my site, unless I’ve OK’d it in advance? Two reasons: 1) Some of the syndicators are ad driven. I don’t want someone else earning money on my work. 2) You don’t see the comments if you only read the syndicated stuff on another website. This is different from syndication software, that tells you when something’s new, and often gives you a shorter snippet.

Syndication software and websites like bloglines are great, because they enable you to keep up on loads of websites. But I don’t like being syndicated on someone else’s website unless it gives me something valuable in return. Some have gotten my blessing to do it, but those OKs were usually in place prior to 2006.

New java-bot to block

Monday, June 5th, 2006

I just found a new hungry java-bot in my logs:

Java1.4.0_01

In the past, the java-bots have all begun like this:
Java/1.

So time to update the .htaccess blocks!

This one was wielded from:

70.19.6.16
greenwich.vettro.com

(in Verizon space)

173 accesses from 05/Jun/2006:02:41:55 to 05/Jun/2006:02:46:11

Another hungry java bot

Monday, February 13th, 2006

I had another spike in my bandwidth meter today.

Perpetrator:
210.177.215.29
from Hong Kong

User agent:
Java/1.4.1_04

This one wasn’t too bad in terms of how much I downloaded. I think. I haven’t checked it for sure.

But 152 requests from 10:01:21 to 10:04:34 is VERY inconsiderate at best.

I’m tired of this. I’ll block anything with Java in the user agent, unless you guys can find some reason not to?

Here’s another hungry bot:
Hungry Java bot

Oh, and I ran a grep on my logs; a few days in February netted these, all with a Java/1.4-something bot:


Block libwww-perl with POST

Sunday, February 5th, 2006

I’ve been so busy this last week, I haven’t posted.

Comment spam has really exploded lately. I think Rathamahata might be right - probably lots of newbie Russian spammers out there.

So I took a random comment spam, and turned it inside out. It happened to be the last one to arrive.

valentine-day-gift-idea.50megs.com
has a javascript that ultimately leads to affiliate ID: 49221 at topsearch10, as well as links from the body pointing the same place.

What was interesting with the free webhost here, is that when I tried to load the javascript in wannabrowser, I got an error, but it worked in a regular browser. Now, WHY is that? Got something to hide?

K, back to the spammer.

This is a low volume spammer, unlike some of the others I’ve seen lately.

User agent:
libwww-perl/5.803
I’ve had hits with that user agent from others. Some asking for robots.txt, some legitimate spiders. And one legitimate feed reader: XmlRssTimingBot/2.03 (libwww-perl/5.803). I’m leaning towards blocking POST as a request type with this user agent. I’ve also seen other versions of this user agent. Other software revisions. So block libwww-perl with POST.

IP:
204.15.149.58
It’s a proxy

Other IP addresses seen with that user agent (various versions), posting comments:
201.6.101.190 (proxy in Brazil)
64.246.42.58 (proxy. EV1 server)
202.57.138.131 (proxy in Bangkok)

E-mail address:
xanax@yandex.ru
(I got a few others from that address, and so far that corresponds with the user agent)

Block Snoopy

Tuesday, January 24th, 2006

I got thoroughly spidered yesterday, by some unknown entity.

205 MB from 23/Jan/2006:03:28:34 to 23/Jan/2006:11:47:00 -0600

IP number:
83.64.251.92

User agent:
Snoopy v1.2

Which led me to this little project:

SourceForge.net: Snoopy

What’s interesting is that it tried to retrieve pages of this form:

GET /index.php?year=2005&monthnum=07&day=06&name=revenge-referrer-run&page=

It’s a site ripper. But I’m not keen on that kind of inconsiderate ripping, so I’d advocate banning all of snoopy. Not by IP number, but by user agent.

The IP number is revealing by itself, though. It’s some sort of news site in German, owned by someone on Mallorca in Spain. It doesn’t appear to have any incoming links, and the domain name is from December last year. Looks like it’s owned by some SEO types, which makes me all the more suspicious.

Hmm, on further thought, block the IP as well…
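As an added example (not code from the blog), a small Python log checker that applies the block criteria from these posts to Apache combined-format log lines: a Java/1.x or slash-less Java1.x user agent, a Snoopy user agent, a POST from libwww-perl (GETs from libwww-perl feed readers are left alone), and a sustained request rate, the "hungry bot" pattern. The sample lines and the 30-requests-per-minute threshold are constructed here; the IPs and user agents are the ones quoted in the posts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log line: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) \S+[^"]*" '
                    r'\d{3} (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def classify(lines, max_req_per_min=30):
    """Map each client IP to the sorted list of block criteria from the posts that it matches."""
    per_ip = defaultdict(list)                       # ip -> [(time, method, user-agent), ...]
    for m in filter(None, map(LOG_RE.match, lines)):
        per_ip[m["ip"]].append((datetime.strptime(m["time"], TIME_FMT), m["method"], m["ua"]))
    flagged = {}
    for ip, recs in per_ip.items():
        reasons = set()
        for _, method, ua in recs:
            if re.match(r"Java/?1\.", ua):           # "Java/1.4.1_04" and the slash-less "Java1.4.0_01"
                reasons.add("java-ua")
            if ua.startswith("Snoopy"):
                reasons.add("snoopy-ua")
            if "libwww-perl" in ua and method == "POST":   # libwww-perl GETs (feed readers) stay allowed
                reasons.add("libwww-perl-post")
        times = [t for t, _, _ in recs]
        span = (max(times) - min(times)).total_seconds()
        if len(recs) / max(span / 60.0, 1.0) > max_req_per_min:   # "hungry": sustained request rate
            reasons.add(f"hungry:{len(recs)}req/{int(span)}s")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged

# Constructed sample lines: the IPs and user agents are those named in the posts, the requests are made up.
SAMPLE = """\
210.177.215.29 - - [13/Feb/2006:10:01:21 -0600] "GET /index.php HTTP/1.0" 200 5120 "-" "Java/1.4.1_04"
70.19.6.16 - - [05/Jun/2006:02:41:55 -0600] "GET /feed/ HTTP/1.0" 200 2048 "-" "Java1.4.0_01"
204.15.149.58 - - [05/Feb/2006:14:02:10 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "libwww-perl/5.803"
192.0.2.10 - - [05/Feb/2006:14:05:00 -0600] "GET /feed/ HTTP/1.1" 200 9000 "-" "XmlRssTimingBot/2.03 (libwww-perl/5.803)"
83.64.251.92 - - [23/Jan/2006:03:28:34 -0600] "GET /index.php?year=2005&monthnum=07 HTTP/1.0" 200 7000 "-" "Snoopy v1.2"
198.51.100.7 - - [23/Jan/2006:09:00:00 -0600] "GET / HTTP/1.1" 200 6000 "http://example.org/" "Mozilla/5.0 (X11; Linux)"
""".splitlines()
# 400 requests in 399 seconds from the "hungry bot" IP, modelled on the 2719-request burst described above.
BURST = [f'69.57.190.188 - - [17/Nov/2006:05:{8 + i // 60:02d}:{i % 60:02d} -0700] "GET /p{i}.html HTTP/1.0" '
         f'200 4000 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)"' for i in range(400)]

def run_sample():
    return classify(SAMPLE + BURST)
```

Feed `classify()` real log lines (for example `open("access.log")`) to get the per-IP reasons; the ordinary browser and the libwww-perl feed reader in the sample are not flagged.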