Search Engine Spider and User Agent Identification Forum

WordPress Comment Spam Escalation
Simple SpamBot Blocking Stops Massive Spamming Attack
incrediBILL




msg:4639123
 11:54 pm on Jan 21, 2014 (gmt 0)

Just to see what would happen I enabled full comments on my WordPress blog and at first I just let the comments pile up in the WordPress moderation queue as I was curious how bad it would get since nothing ever got published.

It quickly ramped up from a few a day to 100s a day, peaking currently at over 500 spam posts a day.

I wrote a simple anti-spam plugin to block and record the details to divert it from the WordPress moderation queue as it's a real pain to delete that quantity at 50 per page after it piles up for a few days.

I installed it around Xmas and it's not even been a month and it's way over 10K spams blocked already. I crunched the data, shown below, and there's the RAW IP data sorted in order of number of return comment post visits then sorted by IP address.

Note the bulk of these are from the Ukraine and China, lots of apparent IP pools so I used code that can identify they're bad based on header information, otherwise I'd have no choice but block a whole broadband provider or the country itself!

This is NOT a blocklist, don't use it as one, it's just for educational purposes to see where WordPress comment spam is originating.


[edited by: incrediBILL at 12:00 am (utc) on Jan 22, 2014]

 

graeme_p




msg:4639534
 8:10 am on Jan 23, 2014 (gmt 0)

I find Spam Karma very effective - although I do not get anything like that level of spam it still adds up to 40,000 blocked since I installed SK 2 a few years ago and only a handful of spam comments have shown in the moderation queue in that time.

@ergophobe, Yes, hidden form fields work surprisingly well. Bot writers do not seem to handle them as successfully as Captcha even though I would have imagined it is much easier.

blend27




msg:4639561
 12:11 pm on Jan 23, 2014 (gmt 0)

Bill,

As you mentioned, most of the entries on your list are from broadband.kyivstar.net (big PITA lately), 163data.com.cn and sovam.net.ua. Those are blocked on all of the sites I manage. Flat out 403.

I have yet to see a normal visitor on all sites I run from kyivstar or sovam. My content just does not rank in UA to bring in visitors.

I think I've mentioned it before on this forum... I've set up 2 open forums that are pretty much SPAM Magnet. Those forums feed IP data into one central location (MySQL DB). Hosting ranges get no access, bad headers gets IP in DB, having a referrer as a domain name that ends with ".ru/" or ".ua/" is a one way ticket for sure.

The IPs that are not already in DB are checked against STOPFORUMSPAM (has a lot of plugins) and PROJECTHONEYPOT (same here) just to make sure, surprisingly never fails, almost all come back as baddies.

I don't do moderation on those forums. Data tables with comments and newly created threads get truncated every few days or so automagically. Any requests to deleted thread URLs are a sure way to get in DB. Bam. DB gets reseeded with a few threads that would contain text equivalent to everything I just wrote, but the words would be in the random order. Something like "would in but be random the order words the".

No self respecting Human ever did or will leave a comment on these 2 forums. It did catch me some human visitor IPs from INDIA, same IPs were later used by some with "blue-widgets + link exchange" in referrer from GOOGLE on one of the main sites. OH, And Search Engines are not allowed past the home page and forum index, so no harm there...

By the time they (bots) get to my normal sites, it's too late for them.

It cost me $5.95 a month to host it and gets written off as business expense/productivity enhancement at the end of the year :).
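The trap-forum feed described in the post above, sketched as an added example that is not blend27's code: the trap site records offending IPs in a central store and the production sites answer 403 from it. Assumptions: in-memory SQLite stands in for the MySQL database, the hosting range is an RFC 5737 documentation block, "bad headers" is reduced to an empty User-Agent, all function and table names are hypothetical, and the STOPFORUMSPAM and Project Honey Pot lookups are left out.

```python
import ipaddress
import sqlite3
from urllib.parse import urlsplit

# Constructed data: an RFC 5737 documentation range stands in for real hosting ranges.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
BAD_REFERRER_SUFFIXES = (".ru", ".ua")


def open_db():
    """In-memory SQLite stands in for the central MySQL database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bad_ips (ip TEXT PRIMARY KEY, reason TEXT)")
    db.execute("CREATE TABLE deleted_threads (path TEXT PRIMARY KEY)")
    return db


def in_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def purge_threads(db, paths):
    """Truncate step: remember purged thread URLs so later requests for them are flagged."""
    db.executemany("INSERT OR IGNORE INTO deleted_threads (path) VALUES (?)",
                   [(p,) for p in paths])


def bare_domain_referrer(referrer):
    """True when the referrer is just a domain ending in .ru/ or .ua/ (no path or query)."""
    parts = urlsplit(referrer)
    host = (parts.hostname or "").lower()
    return (parts.path in ("", "/") and not parts.query
            and host.endswith(BAD_REFERRER_SUFFIXES))


def trap_observe(db, ip, path, headers):
    """Run on the trap forum. Returns the rule that fired (or None) and records the IP."""
    if in_hosting_range(ip):
        return "hosting-range"          # denied by range, no per-IP row needed
    reason = None
    if bare_domain_referrer(headers.get("Referer", "")):
        reason = "referrer-tld"
    elif db.execute("SELECT 1 FROM deleted_threads WHERE path = ?", (path,)).fetchone():
        reason = "deleted-thread"
    elif not headers.get("User-Agent", "").strip():
        reason = "bad-headers"          # assumption: simplest possible header test
    if reason:
        db.execute("INSERT OR IGNORE INTO bad_ips (ip, reason) VALUES (?, ?)", (ip, reason))
    return reason


def production_status(db, ip):
    """Run on the normal sites: plain 403 for hosting ranges and anything the traps caught."""
    if in_hosting_range(ip):
        return 403
    known = db.execute("SELECT 1 FROM bad_ips WHERE ip = ?", (ip,)).fetchone()
    return 403 if known else 200


if __name__ == "__main__":
    db = open_db()
    purge_threads(db, ["/forum/thread/17"])
    # Constructed requests against the trap forum.
    print(trap_observe(db, "192.0.2.10", "/forum/",
                       {"User-Agent": "Mozilla/5.0", "Referer": "http://widgets.example.ru/"}))
    print(trap_observe(db, "192.0.2.11", "/forum/thread/17", {"User-Agent": "Mozilla/5.0"}))
    print(production_status(db, "192.0.2.10"), production_status(db, "192.0.2.99"))
```

A referrer with a path, such as an article URL on a .ua site, does not match the referrer rule; only the bare-domain form quoted in the post does.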

incrediBILL




msg:4639624
 3:52 pm on Jan 23, 2014 (gmt 0)

I've set up 2 open forums that are pretty much SPAM Magnet.


That was pretty much the purpose of the blog initially, to experiment with the spambots, and then I started actually using it and the more I posted the higher the volume of spam that flooded the site.

Quite amusing to watch it unfold.

chicagohh




msg:4639690
 9:00 pm on Jan 23, 2014 (gmt 0)

It's painfully easy to send 2000, 4000, 8000, etc.. successful spam blog posts per day.

"Goes to show you this isn't some script kiddie, this is industrial strength spamming. "

No, you can do most of this with a simple $99 purchase. Or roll your own. Sending bulk spam posts requires proxy servers - this may cause some people to think the traffic originates from China or elsewhere when the spammer may be sitting next door.

As someone has already suggested - target websites are found by scraping search results for specific phrases. Removing all canned responses that Wordpress or other blog/CMS software uses will make a dramatic difference.

Even then, it's very easy to scrape for target sites in a multi-step process:

- scrape for "comments +name +email" (use many variations)
- check all positive results for [yoursite]/wp-login.php
- now you have a large list of 'clever' Wordpress sites

Akismet is your friend.

Honey pot blogs are also used by spammers to find targets.
Take spam posts on your honey pot and scrape Google for matching posts. The results will be websites that don't moderate posting - and will then be added to the list.

incrediBILL




msg:4639741
 11:39 pm on Jan 23, 2014 (gmt 0)

It's painfully easy to send 2000, 4000, 8000, etc.. successful spam blog posts per day.


I think you missed my global point that it's NOT painfully easy to send 500 spams to tens of thousands of blogs daily. Do the math, that's some serious scalability issues for people just sending a mail list with 10K members, let alone spamming the whole web of WordPress blogs.

My point was it's not some kiddies running a script off a single computer, this is a serious operation and based on the input I've gotten about the range of these IPs, it's a frighteningly large operation.

I'd really like to know the total scope of this spambot operation as you know a ton of people hit this page looking for the IP that didn't bother posting.

We're facing a serious threat IMO that might need drastic measures to neutralize like blocking whole ISP or countries which is what I do on my serious websites. I put a big red circle and slash on the Great Firewall of China, Ukraine, Russia, Nigeria, Vietnam, etc. ad nauseum which means based on traffic I've determined that entire countries or ISPs were more of a threat than a benefit and locked them out.

Many others do the same thing and how far does this have to go before members of those ISP pools finally realize what's happening to block their access to the world before they finally revolt and get those spamming vermin offline?

Sadly, in those locations, I'll conjecture those IPs might even be accessed for a small fee via installed proxy server software on PCs throughout that network, but that's just speculation as it's hard to imagine Comcast customers wouldn't eventually have a full blown riot if they had this problem and the source of the problem would be squished.

blend27




msg:4639752
 1:40 am on Jan 24, 2014 (gmt 0)

These are with at least 100 spam posts per range in the past month:



CN, RU and UA.


Akismet is your friend.

How does it work?

Each time a new comment, trackback, or pingback is added to your site it's submitted to the Akismet web service which runs hundreds of tests on the comment and returns a thumbs up or thumbs down. As a result, you don't have to waste your time sorting through and deleting spammy comments from your blog.

Sure thing, but that is after the fact.... The Necromonger in me warns them to stay away. But the Furyan in me ... likes plain 403s when the request is made and hopes they will listen...

tangor




msg:4639755
 2:09 am on Jan 24, 2014 (gmt 0)

I presume most have noted that these spambot ranges are very near, if not identical, to many of the bad search bot ranges. I killed all my open comments several years back... and it looks like it has become even more aggressive than it was back then.

wilderness




msg:4639758
 2:40 am on Jan 24, 2014 (gmt 0)

these spambot ranges are very near, if not identical


tangor,
There is some duplication, however I'd advise caution in such an assumption.

incrediBILL




msg:4639793
 6:12 am on Jan 24, 2014 (gmt 0)

Akismet web service


That's the central flaw, that it's a web service. If the spammers ever wanted to do some biblical stuff and DDOS them out of existence, like they did Blue Frog, then what would all the Akismet users do besides drown in spam?

I really don't like anything reliant on a centralized server for 100% of its functionality and my spam blocker worked easily just by looking at the headers sent by the spambots and if it didn't look like a browser header, punt it.

It was really that easy.

Even if they fixed the headers, a large percentage of the user agents being used are defective, another easy criteria to use to toss spam.

Using the logic I employed there was nothing left to send to Akismet had I used it.

Yes, it does let real humans post comments too as I tested it and some real comments got posted in the same time frame 10K spams got tossed so I'm pretty sure it was working properly.

I can see a day when we'll need the processing power of the cloud to sort out traffic hitting multiple sites to stop scrapers and spammers but we're hardly there yet, it's a waste of bandwidth, and a centralized service is just a big fat target for spammers to attack.
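A local header check of the kind described in the post above, as an added example that is not incrediBILL's plugin: it rejects and records a comment POST whose headers do not look like a browser's or whose User-Agent is malformed. The post does not say which headers or defects the plugin tests, so the expected-header list, the defect patterns, the Referer rule, the function names and the host blog.example are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: headers a mainstream browser sends with a form POST.
EXPECTED = ("Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding")

# Assumption: ways a generated User-Agent string can be malformed. First match wins.
UA_DEFECTS = (
    ("empty", re.compile(r"^\s*$")),
    ("header-name-in-value", re.compile(r"^\s*user-agent\s*:", re.I)),
    ("quoted", re.compile(r"""^["'].*["']$""")),
    ("unfilled-template", re.compile(r"\{[^}]*\}|%[A-Za-z_]+%")),
    ("padding", re.compile(r"^\s|\s$")),
)


def header_defects(headers, site_host):
    """Return the list of reasons this request does not look like a browser."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = ["missing:" + name for name in EXPECTED if name.lower() not in h]
    ua = h.get("user-agent")
    if ua is not None:
        for label, pattern in UA_DEFECTS:
            if pattern.search(ua):
                reasons.append("ua:" + label)
                break
    # A comment form is submitted from a page on the same site. An absent Referer
    # is tolerated here because privacy settings can strip it from real visitors.
    ref = h.get("referer")
    if ref and (urlsplit(ref).hostname or "").lower() != site_host.lower():
        reasons.append("foreign-referer")
    return reasons


def handle_comment_post(ip, headers, site_host, blocked_log):
    """Block and record instead of queueing for moderation. Returns an HTTP status."""
    reasons = header_defects(headers, site_host)
    if reasons:
        blocked_log.append({"ip": ip, "reasons": reasons,
                            "ua": headers.get("User-Agent", "")})
        return 403
    return 200


# Constructed sample requests (not taken from the thread's data).
BROWSER = {
    "Host": "blog.example",
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://blog.example/2014/01/some-post/",
    "Content-Type": "application/x-www-form-urlencoded",
}
BARE_BOT = {
    "Host": "blog.example",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Content-Type": "application/x-www-form-urlencoded",
}
BROKEN_UA_BOT = dict(BROWSER, **{"User-Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.1)"})


def run_samples():
    log = []
    statuses = [
        handle_comment_post("192.0.2.1", BROWSER, "blog.example", log),
        handle_comment_post("192.0.2.2", BARE_BOT, "blog.example", log),
        handle_comment_post("192.0.2.3", BROKEN_UA_BOT, "blog.example", log),
    ]
    return statuses, log


if __name__ == "__main__":
    statuses, log = run_samples()
    print(statuses)
    for entry in log:
        print(entry["ip"], entry["reasons"])
```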

dstiles




msg:4640001
 9:46 pm on Jan 24, 2014 (gmt 0)

incrediBILL - The drain on individual ISP bandwidth is small in relative terms. Think of a 1000-IP botnet running on (eg) AT&T - no impact at all. Even scaling up by 10 or 100 is unlikely to be noticed within the normal fluctuations of an ISP's total bandwidth, especially now that people download and share so many videos and films.

Botnets are cheap. They are a commodity, $10 per hundred IPs or whatever. There are millions of compromised machines so plenty of sub-networks for rent. It actually does come down to a script kiddy with a single computer: he just has a botnet to run the script through. And in many instances a very fast botnet, since lots of people are using the latest fast computers nowadays.

And not a great deal of point in specifically blocking countries. As I noted above, some countries' computers really are more easily compromised but in the end the botnets are really only specialised proxies for the real criminals. In general I get as many phishes from America as from anywhere else (I spend more time watching mail than web, hence the bias). And remember that computers are mainly compromised through phishing emails.

As to a serious threat: that began years ago. It's just that it's easier now to compromise computers. I was stating six/seven years ago that the internet was seriously broken but no one took any notice. The internet was never very well built to begin with and hasn't improved much since. Look at the threat blogs: the evidence is there.

For reference, Kaspersky's recent list of malware runs...

Top 5 malware hosting countries
United States
Russia
The Netherlands
Germany
United Kingdom

Top 5 countries with the highest frequency of web attacks
Russia
Tajikistan
Azerbaijan
Armenia
Kazakhstan

Top 5 countries where infected files are most frequently discovered
Bangladesh
Sudan
Malawi
Tanzania
Rwanda

Top 5 countries with lowest infection rates
Denmark
Japan
Finland
Sweden
Czech Republic

Note the missing countries we continually accuse of hacking us. I'm not saying Ukraine, China, Korea etc are not high on the baddies list but they are not the worst, according to the above list.

incrediBILL




msg:4640021
 1:42 am on Jan 25, 2014 (gmt 0)

Botnets are cheap. They are a commodity, $10 per hundred IPs or whatever.


Guess I was thinking how much spam per machine kind of bandwidth as the frequent spammers hitting me seem to mostly come from a small range of IPs so I didn't suspect a botnet. It looked like a well organized spamming operation with a few machines and an IP pool. I could be wrong, could just be some real high-end gear compromised giving them a better spam platform for now.

dstiles




msg:4640145
 7:43 pm on Jan 25, 2014 (gmt 0)

There are spammers who hire space with uncaring server providers or ISPs, but look at it this way: If you do not want to be arrested you would need to lie about who you were etc, otherwise unpleasant policemen might come knocking on your door.

This DOES happen (both hiring space and getting busted) but it's easier and safer to rent an anonymous botnet. The fact that a lot of stuff comes from a single or related group of IPs could simply mean a small botnet is in use - say, 100 machines. It's possible the rented machines are high-power computers or even part of a compromised server farm: there are several of those around.

incrediBILL




msg:4640242
 3:52 am on Jan 26, 2014 (gmt 0)

Thought I'd post the results of a SPAM BY DATE report just to see the escalation and peak spam dates.

2013-12-25 74
2013-12-26 158
2013-12-27 145
2013-12-28 122
2013-12-29 91
2013-12-30 165
2013-12-31 240
2014-01-01 161
2014-01-02 270
2014-01-03 471
2014-01-04 618 < WOW!
2014-01-05 450
2014-01-06 494
2014-01-07 535
2014-01-08 498
2014-01-09 498
2014-01-10 539
2014-01-11 447
2014-01-12 442
2014-01-13 533
2014-01-14 471
2014-01-15 463
2014-01-16 523
2014-01-17 538
2014-01-18 531
2014-01-19 387
2014-01-20 488
2014-01-21 459
2014-01-22 458
2014-01-23 388
2014-01-24 439
2014-01-25 301

These are the stats from the WP_COMMENTS table as I noticed it ramping up BEFORE installing the spam blocker, notice the gradual increase:

2013-10-16 14
2013-10-17 13
2013-10-18 19
2013-10-19 23
2013-10-20 18
2013-10-21 20
2013-10-22 12
2013-10-23 15
2013-10-24 10
2013-10-25 20
2013-10-26 38
2013-10-27 23
2013-10-28 35
2013-10-29 16
2013-10-30 18
2013-10-31 12
2013-11-01 5
2013-11-02 19
2013-11-03 17
2013-11-04 11
2013-11-05 15
2013-11-06 12
2013-11-07 31
2013-11-08 22
2013-11-09 27
2013-11-10 21
2013-11-11 19
2013-11-12 30
2013-11-13 38
2013-11-14 24
2013-11-15 33
2013-11-16 53
2013-11-17 12
2013-11-18 22
2013-11-19 20
2013-11-20 16
2013-11-21 17
2013-11-22 23
2013-11-23 14
2013-11-24 6
2013-11-25 21
2013-11-26 27
2013-11-27 37
2013-11-28 46
2013-11-29 69
2013-11-30 52
2013-12-01 21
2013-12-02 35
2013-12-03 47
2013-12-04 54
2013-12-05 40
2013-12-06 28
2013-12-07 25
2013-12-08 22
2013-12-09 24
2013-12-10 37
2013-12-11 55
2013-12-12 90
2013-12-13 143
2013-12-14 136
2013-12-15 123
2013-12-16 143
2013-12-17 140
2013-12-18 127
2013-12-19 140
2013-12-20 139
2013-12-21 175
2013-12-22 186
2013-12-23 168
2013-12-24 169
2013-12-25 147

Notice 2013-12-12 is the day it shifted gears and skyrocketed ever since.

Not sure what changed, but that's when the party started.

dstiles




msg:4640325
 7:21 pm on Jan 26, 2014 (gmt 0)

It seems from your results that there is no significant "daily" component. I find here (UK) that both web and mail have far fewer baddies on the weekend (and on holidays such as Christmas / new year) - something like 10%.

This might suggest a more automated approach - fire it off and let it run as long as it likes as against fire it off every morning I can be bothered to get out of bed.

Which in your context probably makes sense: they are spamming forums; they do not need to analyse or react to any break-ins.

Lorel




msg:4640606
 11:21 pm on Jan 27, 2014 (gmt 0)

I use Akismet also and get very few comments that I need to approve as it trashes most of them.

iomfan




msg:4641501
 9:39 am on Jan 31, 2014 (gmt 0)

Domains like broadband.kyivstar.net, sovam.net.ua, corbina.ru, etc. got on my modest "ABSOLUTELY NO GO" filter list #2 when they started doing their stupid stuff. The frequency of their hits seems to be declining - no idea whether them getting 0-byte responses has anything to do with that.

I haven't seen more than 2 or 3 possibly legitimate access attempts from there, so in my case this kind of filter seems OK.

Another group of bots come looking for "wp-..." files and such; they get a zero-byte 410 via my "ABSOLUTELY NO GO" filter list #1 (shown right below with the caveat that since some sites have directories called "public", or serve javascript files, etc., it would obviously have to be adapted to each specific environment)


RewriteRule (admin|allow|cgi|client|config|datab|db) - [NC,G]
RewriteRule (default|disable|document|editor|fopen) - [NC,G]
RewriteRule (http|licence|login|manage|mysql|php|plugin) - [NC,G]
RewriteRule (public|user|script|search|template|wordp) - [NC,G]
RewriteRule (web[a\-\_]) - [G]
RewriteRule (wp\-) - [G]
RewriteRule \.(asp|js) - [NC,G]
RewriteRule \/js - [NC,G]
RewriteRule \\ - [G]


China is blocked altogether via zero-byte 403 - too much pressure from there (especially and no way to sort out legitimate traffic from attacks...
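One way to check the adaptation caveat before deploying a list like filter list #1, as an added example that is not part of iomfan's post: the Python below restates the nine patterns and reports which one would answer 410 for each path. It assumes Python's re engine agrees with mod_rewrite's PCRE for these simple patterns and that paths arrive in per-directory (.htaccess) form with no leading slash; all sample paths are constructed.

```python
import re

# Filter list #1 as (pattern, case-insensitive?) pairs. Every rule carries the
# G flag, so the first pattern that matches answers 410 Gone.
RULES = [
    (r"(admin|allow|cgi|client|config|datab|db)", True),
    (r"(default|disable|document|editor|fopen)", True),
    (r"(http|licence|login|manage|mysql|php|plugin)", True),
    (r"(public|user|script|search|template|wordp)", True),
    (r"(web[a\-\_])", False),
    (r"(wp\-)", False),
    (r"\.(asp|js)", True),
    (r"\/js", True),
    (r"\\", False),
]
COMPILED = [(re.compile(p, re.I if nocase else 0), p) for p, nocase in RULES]


def first_match(path):
    """Return the pattern that would send 410 for this path, or None if it passes."""
    for regex, source in COMPILED:
        if regex.search(path):  # unanchored, like the RewriteRule patterns
            return source
    return None


def audit(paths):
    """Map each path to its blocking pattern (None means served normally)."""
    return {path: first_match(path) for path in paths}


# Constructed probe paths of the kind the post describes ("wp-..." files and such).
PROBES = ["wp-login.php", "wp-content/plugins/x/readme.txt",
          "webadmin/index.html", "cgi-bin/test"]
# Constructed paths a legitimate site might serve.
LEGIT = ["index.html", "articles/user-guide.html", "research/2014.html",
         "assets/site.js", "images/logo.png"]

if __name__ == "__main__":
    for group, paths in (("probe", PROBES), ("legit", LEGIT)):
        for path, rule in audit(paths).items():
            print(f"{group:5} {path:34} {'410 via ' + rule if rule else 'served'}")
```

Because the patterns are unanchored substrings, "research/2014.html" is refused by the "search" alternative and "articles/user-guide.html" by "user"; running a site's real URL list through `audit` shows which alternatives have to be dropped or anchored first.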
