A list of rogue 'Bandit' IP addresses and mail domains

Just recently I've been getting more spoof submissions to my various online forums. The way this works is that when people apply to join a forum, the server will ask for an email address and then mail the person wanting to join a verification email - to make sure they did actually want to join and that a friend or someone else hadn't signed up their email address.

Of course, spammers have been trying to sign up with fake email addresses. Because the verification email my server sends out automatically goes to a fake address, it invariably bounces back as undeliverable. This wastes bandwidth twice over - once for the outgoing verification email and once for the failure message bouncing back.

Thus, I've decided to block a number of popular spam domains by configuring them to resolve to localhost on the web server and then /dev/null all emails to those domains. This solves both problems: the server treats the spammer's address as locally hosted, so the verification email never leaves the machine - it is still generated, but is immediately /dev/nulled, which of course means no failure message comes bouncing back.

The following domains have so far been /dev/nulled.

Suspicious IP addresses to watch out for

Over the past few months the number of spam or hacker attacks on my servers has been growing. Whilst I'm reasonably confident that my firewall and anti-intruder systems will keep them out, it's still wasting bandwidth and server resources dealing with them.

Some of the persistent ones have now been permanently firewalled so they no longer pose a threat, but I'm making this list public in the hopes that it may help alert other people to who the perpetrators are, should the IP addresses appear in your own server logs.

This list is largely no longer updated, because I've locked my firewall down so that only my own IP address can access the server via FTP or SSH; repeated FTP attempts from anywhere else are therefore dropped at the firewall and no longer appear in the logs.

| Date | IP address | IANA DB | Netname | Location | Notes |
|---|---|---|---|---|---|
| 10th Jun 2006 | 60.195.251.146 | APNIC | DXTNET | Beijing Teletron Telecom Engineering Co., Ltd | >10,000 repeated attempts to gain FTP access via brute force dictionary attack |
| 27th Jun 2006 | 61.28.143.222 | APNIC | ETPI | Eastern Telecoms Philippines, Inc., Makati City, Philippines | Multiple attempts to gain FTP access via brute force dictionary attack |
| 29th Jun 2006 | 61.241.112.37 | APNIC | UNICOM | China United Telecommunications Corporation, Beijing | >10,000 repeated attempts to gain FTP access via brute force dictionary attack |
| Jun 2008 | 62.25.96.0 | RIPE | Energis UK | Watford Datacentre, Melbourne Street, Leeds | Dubious access patterns detected (could be 'spooks') |
| Jun 2008 | 63.110.140.0/24 | LACNIC | Cybertrails | Phoenix, AZ | |
| Jun 2008 | 64.237.36.0/24 | LACNIC | Reliable Servers c/o Choopa.com | Hazlet, NJ | |
| Jun 2008 | 64.237.37.0/24 | LACNIC | Reliable Servers c/o Choopa.com | Hazlet, NJ | |
| 18th Mar 2008 | 65.54.246.0/24 | LACNIC | Microsoft Corp | Redmond, US | Repeated spamming |
| Jun 2008 | 65.110.0.0/19 | LACNIC | Data Fortress System Group | Vancouver, BC, Canada | |
| Jul 2008 | 66.232.98.76 | LACNIC | NOC4Hosts Inc | Tampa, Florida, USA | Repeated attempts to retrieve non-existent files from the server, but files which may have loopholes in them - i.e. not just random file-not-founds |
| 19th Jun 2006 | 69.230.85.62 | LACNIC | Southwestern Bell | San Francisco, USA | Multiple attempts to download content, even after being given an automatic server warning for too many repeated fetches |
| 8th Jul 2006 | 80.248.224.34 | RIPE | ETTNETISP | EttNet AB ISP, Sweden | Sustained spam attack from www@void.ettnet.se on our MX servers - now firewalled |
| 18th Mar 2006 | 86.64.210.0/23 | RIPE | Internet Services Gaoland | France | Spamming |
| 19th Jun 2006 | 87.106.100.76 | RIPE | Schlund AG | GB | Multiple attempts to access non-existent but administrative-looking files, such as /apache/htdocs/phpMyAdmin, plus other abuse patterns |
| 8th Aug 2006 | 201.28.219.152 | LACNIC | Hexato Tecnologia | Brazil | Spamming |
| 27th Jun 2006 | 201.238.192.74 | LACNIC | CL-GISA | Jose Andres Olea, Moneda, Santiago, Chile | >10,000 repeated attempts to gain FTP access via brute force dictionary attack |
| 26th Jun 2006 | 202.29.16.12 | APNIC | THAINET-TH | Office of Information Technology Administration for Educational Development, Chulalongkorn University, Bangkok, Thailand | >10,000 repeated attempts to gain FTP access via brute force dictionary attack |
| 8th Aug 2006 | 210.213.247.50 | APNIC | PLDTDSL | MyDSL_Personal, Philippines | Spamming |
| 8th Aug 2006 | 211.179.79.112 | APNIC | Korea Network Information Center | Korea | Spamming |
| 10th Jun 2006 | 213.226.83.178 | RIPE | GAVLEGARDARNA-SE | Gavlegardarna AB, Gavle, Sweden | >10,000 repeated attempts to gain FTP access via brute force dictionary attack |
| 22nd Jul 2008 | 217.39.130.121 | RIPE | BT-ADSL | BT Openworld, UK - a bit closer to home this time, but nonetheless showing a pattern more indicative of trying to download the entire site than of normal viewing | Over 100 repeated attempts to grab pages within a ten minute period |
| 12th Jun 2008 | 217.118.0.121 | RIPE | AONET | Always-On Networks, Italy | Repeated attempts to grab pages using a random User-Agent string, such as "jv lftmaps5bnvnmo aqpoywsxwedibwp", which seems somewhat suspect |
| 8th-9th Jun 2006 | 219.136.252.75 | APNIC | CHINANET-GD | China Telecom | >20,000 repeated attempts to gain FTP access via brute force dictionary attack. I had a rant about this particular one on my weblog |
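The patterns in the table above (bursts of over 100 page fetches in ten minutes, 404s for administrative-looking paths such as phpMyAdmin, and blank or random-looking User-Agent strings) can be picked out of an Apache access log mechanically. The script below is an added example and is not part of the original article; it runs over constructed combined-format log lines using RFC 5737 documentation addresses, the ADMIN_PROBES list is an assumed starting point, and the gibberish() test is a deliberately crude heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [timestamp] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# "administrative-looking" paths in the sense of the table above (assumed list, extend to taste)
ADMIN_PROBES = ("phpmyadmin", "/admin", "/mysql")

def gibberish(ua):
    # crude assumed heuristic: real browsers and tools send a "name/version" token
    return "/" not in ua and len(ua) > 8

def analyse(lines, rate_limit=100, window=timedelta(minutes=10)):
    """Map each suspicious IP to the sorted list of reasons it was flagged."""
    recent, flags = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, req, status, ua = m.groups()
        ts = datetime.strptime(ts, TS_FMT)
        hits = recent[ip]  # sliding window of this address's recent fetch times
        hits.append(ts)
        while ts - hits[0] > window:
            hits.pop(0)
        if len(hits) > rate_limit:
            flags[ip].add("burst")
        parts = req.split(" ")
        path = parts[1].lower() if len(parts) > 1 else ""
        if status == "404" and any(p in path for p in ADMIN_PROBES):
            flags[ip].add("admin-probe")
        if ua.strip() in ("", "-"):
            flags[ip].add("blank-ua")
        elif gibberish(ua):
            flags[ip].add("random-ua")
    return {ip: sorted(r) for ip, r in flags.items()}

def sample_log():
    """Constructed log lines (RFC 5737 documentation addresses), not real traffic."""
    base = datetime(2008, 7, 22, 10, 0, 0)
    def line(ip, secs, path, status, ua):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = [line("198.51.100.7", 3 * i, f"/page{i}.html", 200, "Mozilla/5.0") for i in range(120)]
    lines.append(line("203.0.113.5", 0, "/apache/htdocs/phpMyAdmin/", 404, "Mozilla/5.0"))
    lines.append(line("192.0.2.9", 0, "/index.html", 200, "jv lftmaps5bnvnmo aqpoywsxwedibwp"))
    lines.append(line("192.0.2.10", 0, "/index.html", 200, "-"))
    return lines
```

Feed analyse() the lines of a real access log (one string per line) and review the flagged addresses before adding any of them to a firewall or Apache deny list.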

Apache Filtering

If you wish, you can block dodgy IP addresses or unwanted 'bots' from accessing your websites with the following Apache configuration snippet. Simply cut and paste it into your Apache httpd.conf file, changing the IP addresses or bots to suit your own requirements.

# Paul's additions to block access to people/things we don't like.
# Remote_Addr is matched as a regular expression, so the dots are escaped and
# single addresses are anchored: an unanchored "62.25.109.195" would also
# match 162.25.109.195, and "^64.246" would also match 64x246.
SetEnvIf Remote_Addr "^62\.25\.109\.195$" bad_bot
SetEnvIf Remote_Addr "^64\.246\." bad_bot
SetEnvIf Remote_Addr "^66\.98\." bad_bot
SetEnvIf Remote_Addr "^83\.233\." bad_bot
SetEnvIf Remote_Addr "^216\.127\." bad_bot
SetEnvIfNoCase User-Agent "^WGet" bad_bot
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot

# vhost or directory you wish to protect (Apache 2.2 access-control syntax;
# on Apache 2.4 replace the Order/Allow/Deny lines with a <RequireAll> block
# containing "Require all granted" and "Require not env bad_bot")
<Directory "/data/vhosts">
    Options +Includes +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    Deny from env=bad_bot
</Directory>

There's a more comprehensive list of 'bad bots' available at www.askapache.com/htaccess/fight-blog-spam-with-apache.html

Another way of getting Apache to filter accesses to your web domains is to use the mod_rewrite module, which is probably better than the method above if you have it available. It is a bit more flexible, and it doesn't necessarily clog up your Apache error logs with hundreds of 'access denied by server configuration' messages.

You can use something similar to the following, which can either be configured to issue a standard '403 denied' message to unwanted guests, or can redirect to a page of your choosing.

RewriteEngine on
# mod_rewrite variable names are case-sensitive: it must be REMOTE_ADDR, not
# Remote_Addr, or the condition silently compares against an empty string.
# Dots are escaped and single addresses anchored, as in the SetEnvIf version.
RewriteCond %{REMOTE_ADDR} ^38\.100\.41\.1$ [OR]
RewriteCond %{REMOTE_ADDR} ^62\.25\.109\.195$ [OR]
RewriteCond %{REMOTE_ADDR} ^64\.246\. [OR]
RewriteCond %{REMOTE_ADDR} ^66\.98\. [OR]
RewriteCond %{REMOTE_ADDR} ^83\.187\.221\.76$ [OR]
RewriteCond %{REMOTE_ADDR} ^83\.205\.1\.150$ [OR]
RewriteCond %{REMOTE_ADDR} ^216\.127\. [OR]
RewriteCond %{REMOTE_ADDR} ^217\.118\.0\.121$
RewriteRule .* http://vhost1.vigay.com/403error.html [L,R]
# The following are bad bots (empty or "-" User-Agent, or known scrapers)
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrubNG [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^semanticdiscovery [OR]
RewriteCond %{HTTP_USER_AGENT} ^shelob
RewriteRule .* http://vhost1.vigay.com/403error.html [L,R]

There are actually two lists here, one for 'dodgy' IP addresses and the other for bad bots. Each condition is fairly self-explanatory and ends with [OR], except the last condition in each list. The RewriteRule then, in this example, matches any request (.*) and redirects it to http://vhost1.vigay.com/403error.html, which is my standard "You're blocked!" page. That page is stored in a different vhost from my other domains, because otherwise the 403error page would itself be blocked.

My automatic bad_bot script

I maintain a frequently updated list of bad bots and dodgy IP addresses on my server, and have written a script that automatically generates the appropriate Apache configuration lines, depending on whether you want to use the SetEnvIf or Rewrite method above. Simply click on the appropriate type below and my server will generate the relevant lines, which you can paste into your Apache httpd.conf file (opens in a new window).
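A generator of that kind has to turn each address or CIDR block into a correctly escaped and anchored pattern, and emit the right flag syntax for whichever method is chosen. The script below is an added example and is not the author's script; it builds patterns for the /24, /23 and /19 blocks listed in the table above, and the IPS and BOTS lists are taken from this page's own snippets.

```python
import ipaddress
import re

def octet_range(lo, hi):
    """Regex alternation matching the integers lo..hi (one IPv4 octet)."""
    return "(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"

def cidr_regex(spec):
    """Anchored regex for one IPv4 address or CIDR block. Dots are escaped and a
    single address gets a trailing $, so '62.25.109.195' no longer matches
    162.25.109.195 and '^64.246' no longer matches 64x246."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    first, last = net.network_address.packed, net.broadcast_address.packed
    parts = []
    for lo, hi in zip(first, last):
        if lo == hi:
            parts.append(str(lo))
        elif lo == 0 and hi == 255:
            break  # this octet and everything after it is unconstrained
        else:
            parts.append(octet_range(lo, hi))
            break  # a CIDR block has at most one partially constrained octet
    return "^" + r"\.".join(parts) + ("$" if len(parts) == 4 else r"\.")

def setenvif_lines(ips, bots):
    out = [f'SetEnvIf Remote_Addr "{cidr_regex(ip)}" bad_bot' for ip in ips]
    return out + [f'SetEnvIfNoCase User-Agent "^{re.escape(b)}" bad_bot' for b in bots]

def rewrite_lines(ips, bots, target="http://vhost1.vigay.com/403error.html"):
    # mod_rewrite needs the upper-case REMOTE_ADDR; [NC] makes the UA test case-insensitive
    conds = [(f"%{{REMOTE_ADDR}} {cidr_regex(ip)}", []) for ip in ips]
    conds += [(f"%{{HTTP_USER_AGENT}} ^{re.escape(b)}", ["NC"]) for b in bots]
    lines = ["RewriteEngine on"]
    for i, (cond, flags) in enumerate(conds):
        if i < len(conds) - 1:
            flags = flags + ["OR"]  # every condition but the last is OR-ed together
        lines.append(f"RewriteCond {cond}" + (f" [{','.join(flags)}]" if flags else ""))
    return lines + [f"RewriteRule .* {target} [L,R]"]

# entries taken from the table and snippets on this page
IPS = ["62.25.109.195", "64.237.36.0/24", "86.64.210.0/23", "65.110.0.0/19"]
BOTS = ["Wget", "EmailSiphon", "EmailWolf", "Baiduspider"]

if __name__ == "__main__":
    print("\n".join(setenvif_lines(IPS, BOTS)))
    print("\n".join(rewrite_lines(IPS, BOTS)))
```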

Personally, my own server uses even stricter filtering and blocks all unknown user agents.

User-Agent Notes

After examination of my server logs, I thought I'd compile a short database of user-agent notes, providing a handy reference to find out a bit more about unknown bots and browsers. This list is a work in progress so check back occasionally if you want to stay up to date.

A good database of user agents is at www.user-agents.org/, and there is another useful list at www.useragentstring.com/

If you have any additional notes, comments or other dodgy IP addresses or user agents you would like to share, please feel free to contact me.

Last edit: 10th Apr 2016 at 1:58pm
Viewed 6918 times since 9th Jul 2006 (about 1 view per day).