Vigay.com24
Jun
Search Vigay.com
 
 

A list of rogue 'Bandit' IP addresses and mail domains

Just recently I've been getting more spoof submissions to my various online forums. The way this works is that when people apply to join a forum, the server will ask for an email address and then mail the person wanting to join a verification email - to make sure they did actually want to join and that a friend or someone else hadn't signed up their email address.

Of course, spammers have been trying to signup with fake email addresses. Because the verification email my server sends out automatically will be going to a fake address, it invariably bounces back as undeliverable. This wastes two lots of bandwidth - the outgoing verification email and the failure message bouncing back.

Thus, I've decided to block a number of popular spam domains by configuring them to resolve to localhost on the web server and then /dev/null all emails to that particular domain. This solves both problems - the server will think the address the spammer used was locally hosted, so it won't waste bandwidth by sending out a verification email - or rather it will, but it will be immediately /dev/nulled, which of course means there won't be a failure message bounced back.

The following domains have so far been /dev/nulled.

Suspicious IP addresses to watch out for

Over the past few months the number of spam or hacker attacks on my servers has been growing. Whilst I'm reasonably confident that my firewall and anti-intruder systems will keep them out, it's still wasting bandwidth and server resources dealing with them.

Some of the persistent ones have now been permanently firewalled so they no longer pose a threat, but I'm making this list public in the hopes that it may help alert other people to who the perpetrators are, should the IP addresses appear in your own server logs.

This list is largely no longer updated, because I've locked my firewall down so that only my own IP address can access the server via FTP or SSH so of course, multiple attempted FTP access will be denied, and thus no longer logged.

DateIP addressIANA DBNetnameLocationNotes
10th Jun 200660.195.251.146APNICDXTNETBeijing Teletron Telecom Engineering Co., Ltd>10,000 repeated attempts to gain FTP access via brute force dictionary attack
27th Jun 200661.28.143.222APNICETPIEastern Telecoms Philippines, Inc., Makati City, PhilippinesMultiple attempts to gain FTP access via brute force dictionary attack
29th Jun 200661.241.112.37APNICUNICOMChina United Telecommunications Corporation, Beijing>10,000 repeated attempts to gain FTP access via brute force dictionary attack
Jun 200862.25.96.0RIPEEnergis UKWatford Datacentre, Melbourne Street, LeedsDubious access patterns detected (could be 'spooks')
Jun 200863.110.140.0/24LACNICCybertrailsPhoenix, AZ
Jun 200864.237.36.0/24LACNICReliable Servers c/o Choopa.comHazlet, NJ
Jun 200864.237.37.0/24LACNICReliable Servers c/o Choopa.comHazlet, NJ
18th Mar 200865.54.246.0/24LACNICMicrosoft CorpRedmond, USRepeated Spamming
Jun 200865.110.0.0/19LACNICData Fortress System GroupVancouver, BC, Canada
Jul 200866.232.98.76LACNICNOC4Hosts IncTampa, Florida, USARepeated attempts to retrieve non-existent files from server, but files which may have loopholes in them - ie, not just random file not founds
19th Jun 200669.230.85.62LACNICSouthwestern BellSanFrancisco, USAMultiple attempts to download content, even after being given an automatic server warning for too many repeated fetches.
8th Jul 200680.248.224.34RIPEETTNETISPEttNet AB ISP, SwedenSustained spam attack from www@void.ettnet.se on our MX servers - now firewalled
18th Mar 200686.64.210.0/23RIPEInternet Services GaolandFranceSpamming
19th Jun 200687.106.100.76RIPESchlund AGGBMultiple attempts to access non-existent, but administrative-like files, such as /apache/htdocs/phpMyAdmin + other abuse patterns.
8th Aug 2006201.28.219.152LACNICHexato TecnologiaBrazilSpamming
27th Jun 2006201.238.192.74LACNICCL-GISAJose Andres Olea, Moneda, Santiago, Chile>10,000 repeated attempts to gain FTP access via brute force dictionary attack
26th Jun 2006202.29.16.12APNICTHAINET-THOffice of Information Technology Administration for Educational Development, Chulalongkorn University, Bangkok, Thailand>10,000 repeated attempts to gain FTP access via brute force dictionary attack
8th Aug 2006210.213.247.50APNICPLDTDSLMyDSL_Personal, PhilipinesSpamming
8th Aug 2006211.179.79.112APNICKorea Network Information CenterKoreaSpamming
10th Jun 2006213.226.83.178RIPEGAVLEGARDARNA-SEGavlegardarna AB, Gavle, Sweden>10,000 repeated attempts to gain FTP access via brute force dictionary attack
22nd Jul 2008217.39.130.121RIPEBT-ADSLBT Openworld, UK - A bit closer to home this time, but none the less giving a pattern indicative more of trying to download the entire site rather than view normally.Over 100 repeated attempts to grab pages within a ten minute period.
12th Jun 2008217.118.0.121RIPEAONETAlways-On Networks, ItalyRepeated attempts to grab pages using a random User_Agent string, such as "jv lftmaps5bnvnmo aqpoywsxwedibwp" which seems somewhat suspect.
8th-9th Jun 2006219.136.252.75APNICCHINANET-GDChina Telecom>20,000 repeated attempts to gain FTP access via brute force dictionary attack. I had a rant about this particular one on my weblog

Apache Filtering

If you wish, you can block dodgy IP addresses or unwanted 'bots' from accessing your websites via the following apache configuration snippet. Simply cut and past the following into your apache httpd.conf file, changing the relevant IP address or bots to suite your own requirements.

# Pauls additions to block access to people/things we don't like
SetEnvIf Remote_Addr "62.25.109.195" bad_bot
SetEnvIf Remote_Addr "^64.246" bad_bot
SetEnvIf Remote_Addr "^66.98" bad_bot
SetEnvIf Remote_Addr "^83.233" bad_bot
SetEnvIf Remote_Addr "^216.127" bad_bot
SetEnvIfNoCase User-Agent "^WGet" bad_bot
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot

# vhost or directory you wish to protect
<Directory "/data/vhosts">
    Options +Includes +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    Deny from env=bad_bot
</Directory>

There's a more comprehensive list of 'bad bots' available at www.askapache.com/htaccess/fight-blog-spam-with-apache.html

Another way of getting apache to filter accesses to your web domains is by using the mod_rewrite module, which is probably better than the method above, if you have the facility. The reason being that it's a bit more flexible and also doesn't necessarily clog up your apache error logs with 100s of 'access denied by server configuration' messages.

You can use something similar to the following, which can either be configured to issue a standard '403 denied' message to unwanted guests, or can redirect to a page of your choosing.

RewriteEngine on
RewriteCond %{Remote_Addr} 38.100.41.1 [OR]
RewriteCond %{Remote_Addr} 62.25.109.195 [OR]
RewriteCond %{Remote_Addr} ^64.246 [OR]
RewriteCond %{Remote_Addr} ^66.98. [OR]
RewriteCond %{Remote_Addr} 83.187.221.76 [OR]
RewriteCond %{Remote_Addr) 83.205.1.150 [OR]
RewriteCond %{Remote_Addr} ^216.127 [OR]
RewriteCond %{Remote_Addr} 217.118.0.121
RewriteRule .* http://vhost1.vigay.com/403error.html [L,R]
# The following are bad bots
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrubNG [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^semanticdiscovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^shelob
RewriteRule .* http://vhost1.vigay.com/403error.html [L,R]

There are actually two lists here, one for 'dodgy' IP addresses and the other for bad bots. Each entry is fairly self-explanatory and is ended by [OR], except the last condition in each list. The RewriteRule then, in this example, matches anything (.*) and redirects to http://vhost1.vigay.com/403error.html which is my standard "You're blocked!" page, which is stored in a different vhost to my other domains (otherwise the 403error would itself be blocked).

My automatic bad_bot script

I maintain a frequently updated list of bad bots and dodgy IP addresses on my server, and have written a script to automatically generate you a list of appropriate apache configuration commands depending upon whether you want to use the SetEnvIf or Rewrite methods above. Simply click on the appropriate type below and my server will automatically generate the relevant lines that you can paste into your apache httpd.conf file. (automatically opens in a new window)

Personally, my own server uses even stricter filtering and blocks all unknown user agents.

User-Agent Notes

After examination of my server logs, I thought I'd compile a short database of user-agent notes, providing a handy reference to find out a bit more about unknown bots and browsers. This list is a work in progress so check back occasionally if you want to stay up to date.

A good database of user agents is www.user-agents.org/ and another useful list at www.useragentstring.com/

If you have any additional notes, comments or other dodgy IP addresses or user agents you would like to share, please feel free to contact me.

Add a comment to this article

I am sorry to report that no further comments are to be left for articles here. We thank you for past comments. This feature has been disabled.

Email Email this page to a friend

Last edit: 10th Apr 2016 at 1:58pm
(440 days ago)

Bookmark with:What are these?
delicious Deliciousdigg Diggreddit redditfacebook Facebookstumbleupon StumbleUpon

RSS Feed

Viewed 3406 times since 9th Jul 2006,
~ 0 views per day

^
 
Valid HTML 4.01!
Valid CSS!
Best viewed with a cup of tea Crafted by RISC OS