good riddance to bad robots
11:46 pm on Jun 15, 2013 (gmt 0)
For people looking to fatten their Deny lists, here's the result of some recent housecleaning. I'm currently afflicted by two botnets that I know as the "indexphp botnet" and the "hovercraft" botnet because of their site-specific behavior. No idea what the robots' underlying script is; obviously they haven't singled me out among all the world's billions of www sites :)
18.104.22.168 and ..20
22.214.171.124/21 Sweden, may be some kind of proxy, assigned to "webexxpurts" (sic) belonging to one Deepak Mehta with address in Tallinn, no country specified. ("That's funny! You don't look Estonian.")
126.96.36.199 (exact but repeated)
188.8.131.52/18 Germany 23media and/or NodeDeploy (Something about the name element "Node" makes me instantly suspicious.)
184.108.40.206 and ..250.75
220.127.116.11/18 Singlehop (can you put "Singlehop" and "benefit of the doubt" into the same sentence?)
18.104.22.168/21 assorted places involving... well, fancy that. Two different people don't know how to spell "experts", and they both have the same name (in fairness, there do exist men in English-speaking countries whose name truly is John Smith) and live at the same address in Tallinn. Guess he assumes IANA knows what country it's in.
22.214.171.124 and ..113.252
126.96.36.199/18 US Eonix Corp., hosting and colo, nuff said
Bit of a headscratcher here. Do we go with UK (BurstNet) or further east (packetlabs.ro) or still further east (address entirely in Chinese, and it's not because browser has inadvertently changed to UTF-16).
Aah, the heck with it, let's just lock out the whole
188.8.131.52 and ..204.145
184.108.40.206/18 PegTech range mentioned elsewhere. The exact area 204.72-79 seems to belong to someone in China, but not worth investigating closer.
220.127.116.11/18 OVH Montreal (I cannot get the initials O,V,H to stand for "Francophone robot" but that seems to be what it means)
18.104.22.168 and ..46
22.214.171.124/17 Avante Hosting, somewhere in Canada. This is a recently opened range. Don't have exact dates, but a few months ago it was on my bogons list.
126.96.36.199 and ..159.79
188.8.131.52/18 Singlehop. Yawn.
184.108.40.206/21 (NodesDirect, see above about name elements that can only cause suspicion) but it turns out I've met other robots from the neighborhood so let's proceed directly to
220.127.116.11/20 T.E.S.T. Where would a botnet be without a Ukrainian?
18.104.22.168, ..9, ..12, ..14, ..16
very active neighborhood, unique in offering representatives of both my current botnets. Another head-scratcher, because it goes back to
in an apparently human Turkish range, and I do meet the occasional human from Turkey, so let's compromise with
which looks as if it's sublet to someone in Austria.
7:16 pm on Jun 16, 2013 (gmt 0)
I had all but two of those ranges blocked; extras now added.
And thanks for starting an IP on its own line: makes it much easier and quicker to paste the IP into my database, even with the extras after it! :)
6:25 pm on Jun 17, 2013 (gmt 0)
Thanks. Checked them all and already have them all blocked... so feeling better about keeping on top of these cesspools.