
Spambots and linkage

01/10/07 | by Adam | Categories: Technology

I'm not sure what to make of this one. Checking my logs, there are three posts being repeatedly hit in sequence by different IPs.

I've looked at them and can't find anything that's terribly special. My guess is that it's some generic spambot which not-so-randomly grabs text from posts to try to fool Bayesian filters but I really have no idea. The post on referrer searches seems to also be a popular one for fake domains as it turns up commonly in the "referers" log. It's not doing me any harm other than running up Ritchie's bandwidth and artificially inflating the pageviews on those pages but it is a bit of a mystery and I don't like those.

Any ideas?

 

8 comments

Comment from: Nimble [Member]  

I don’t know - I’ve looked at a few pages of last accesses, and for some reason, those pages are the ones that get picked out of your pages, but many more seem to come from mine.

I run the IP addresses through geolocator web sites, and you could be correct. Two rather different sets of hits came from the Ukraine (NETCATHOSTING seems to be the provider for many of the hits and INHOSTER HOSTING COMPANY for the other many hits. In other news, Ukraine has IP addies of 85.* and 195.*). One weird set focused on my RIP announcement of Amestris from multiple IP addresses in Israel.

It’s definitely the two spots in the Ukraine responsible for most of the traffic. Don’t know what makes them hit the pages they do. If it’s for spam content, why bother constantly accessing the same locations?

Ah, ‘twould be nice to imagine we just had a big fanbase ;) I guess, watch for spam that contains our blog entries…

01/10/07 @ 22:51
Comment from: Nimble [Member]  

Okay, at least for now, I have set up a site-wide IP ban on: 195.225.176.*, 195.225.177.* and 85.255.119.*

If you take a Google for the first two such IP addresses, you find something interesting:

Most Hated Netblock: 195.225.176.x - 195.225.177.x (AS31159)
Provider: Netcathost, Kiev, Ukraine
Reason for claim to fame: Hosting exploits, browser hijackers and CoolWebSearch related annoyances since several months. Ignoring, bouncing, or rejecting any complaints to the abuse contacts.

They also spam a hell of a lot of home equity loan crap, etc. etc.

The 85.255.119.* crew are hated for other reasons. There’s a lot of noise on the ‘Net for these guys, but I finally found a non-top-referrers list entry by Slava:

Essentially, all the trackbacks originated from a single provider: inhoster.com

This host, from the best of my understanding contains no legitimate customers, and serves only as a cover for countless spammers running an innumerable number of spam bots. Lucky for me, and potentially the metaphorical us the trackbacks originated from a very narrow host of addresses. After several attempts, and filtering with a moderation queue my current blocklist and moderation filter contain just three entries, which for your convenience I will post here:

85.255.114
85.255.119
85.255.113

Feel free to add these to your block lists, or at the very least your moderation filter to stop these potential bastards from wasting your juicy bandwidth.

Prepare for a ‘disappointing’ drop in traffic.

Once I felt honoured, now I feel slightly abused, but very glad to have cut out all trackbacks and auto-allowed commenting from these guys.

Starting to get a few questionable registrations on the forums. At least users cannot post until they register themselves, which requires a legitimate e-mail address to be sent back to, which delays things. I can just search on the user names in question and they tend to turn up as ‘new users’ on a bazillion (approximate) forums, sometimes with rather questionable professions or personal web sites listed. Move to /dev/null indeed.

01/11/07 @ 09:11
Comment from: Adam [Member]  

I’m quite happy not to get invalid hits. I know I’m only writing for an audience of about five people so it’s not a big deal to lose the inflated numbers. Anyway, thanks for doing this.

01/11/07 @ 10:28
Comment from: Nimble [Member]  

You’re welcome. I apologize for not having done it sooner, really.

Things did slow to a trickle today - direct accesses were at 49 this morning when I blocked the IP addresses. The latest direct accesses are at 59.

Still, we’re pretty good in the search rankings on a few things ;)

01/11/07 @ 17:03
Comment from: Nimble [Member]  

I added an IP Deny to 69.31.80.218, because they were making many, many requests per day to the same limited sets of pages every few minutes (and perhaps pumping up the blacklisted numbers, too).

Apart from that, I’m disturbed at the referrers that are showing up which, if you go try to look at their web pages, come up with SERVER ERROR or the like, and they are sometimes sites with stupid-looking alterations on a regular name like tar5get.com or bestb7uy.com.

No biggie, since we all have our trackbacks turned off and haven’t had a single skin with top referrers for a very long time. Just… annoying.

01/21/07 @ 14:39
Comment from: Nimble [Member]  

Plenty of 4-random-letter sites showing up, too, and they always like the same four URLs* on here, and they also always show a SERVER ERROR when you go looking at their home pages.

So good-bye, qwye.com and whichever keyboard typing barf comes up next.

Oh, look at that, their name server is NS1.TARGE5T.COM - no big surprise that they’re related to the intentionally-misspelled company name pages. However, they claim the registrar is “Tucows Inc”.

Interesting thread over here: http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=943423&trail=210#209 related to targe5t.com, which seems to be the name server for a lot of spam referrer sources.

(*URLs they love:
http://blogs.nimblebrain.net/index.php?blog=2&title=not_learning_fast_enough&more=1&c=1&tb=1&pb=1
http://blogs.nimblebrain.net/index.php?blog=5&title=referrer_searches&more=1&c=1&tb=1&pb=1
http://blogs.nimblebrain.net/index.php?blog=5&title=spambots_and_linkage&more=1&c=1&tb=1&pb=1
http://blogs.nimblebrain.net/index.php?blog=1&disp=comments)

02/09/07 @ 13:32
Comment from: Nimble [Member]  

I think we can nearly guarantee that if someone is accessing the “Rest In Peace, Amestris” page directly these days, that they stand a good 99% chance of being a zombie. I just checked up on the locations of the addresses of the last several IPs to access the page:

203.123.180.198 IN INDIA - - PACIFIC INTERNET LIMITED
202.205.109.57 CN CHINA - - INFORMATION RESOURCES DEPT OF CERNET
211.237.185.17 KR KOREA, REPUBLIC OF KYONGGI-DO SEOUL CABLELINE-INFRA
200.196.234.43 BR BRAZIL SãO PAULO SãO PAULO COMITE GESTOR DA INTERNET NO BRASIL
125.90.64.74 CN CHINA GUANGDONG GUANGZHOU CHINANET GUANGDONG PROVINCE NETWORK
84.16.80.44 CH SWITZERLAND - - INFOMANIAK NETWORK SA - HOSTING
218.30.84.110 CN CHINA BEIJING BEIJING CHINANET SHAANXI PROVINCE NETWORK
211.147.215.134 CN CHINA - - CETC-CHINACOMM COMMUNICATIONS CO. LTD
61.142.80.104 CN CHINA GUANGDONG GUANGZHOU CHINANET GUANGDONG PROVINCE NETWORK
211.138.91.30 CN CHINA - - CHINA MOBILE COMMUNICATIONS CORPORATION - NEIMENG COMPANY
222.191.251.51 CN CHINA JIANGSU JIANGSU CHINANET JIANGSU PROVINCE NETWORK

Pretty low damned chance that so much China is all that interested in the fate of a button quail, isn’t it?

02/10/07 @ 16:33
Comment from: Adam [Member]  

A bit depressing looking at the stats now, but at least they’re closer to accurate. I’d therefore like to give a big howdy to my three daily visitors!

02/12/07 @ 10:02
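The pattern discussed in this thread (several addresses in one /24 cycling through the same few posts, and a single address requesting the same pages over and over) can be pulled out of an access log automatically. The following is an added example, not code from the blog or from b2evolution; it assumes Apache "combined" log format and IPv4 clients, and the sample lines, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/NCSA "combined" log line: capture the client IP and the request path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} \S+')

def _line(ip, path, ref="-"):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [10/Jan/2007:09:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "{ref}" "Mozilla/4.0"')

# Constructed sample (RFC 5737 documentation addresses, made-up paths).
TARGETS = ["/index.php?title=post_a", "/index.php?title=post_b"]
SAMPLE_LOG = "\n".join(
    # four hosts in one /24 cycling through the same two posts
    [_line(f"198.51.100.{h}", p) for h in (4, 17, 60, 201) for p in TARGETS]
    # one host hammering a single page
    + [_line("203.0.113.9", TARGETS[0]) for _ in range(6)]
    # ordinary readers: one hit each, different pages
    + [_line("192.0.2.10", "/index.php?title=post_c"),
       _line("192.0.2.77", "/index.php?title=post_d", "http://example.org/")]
)

def repeat_hitters(log_text, by_netblock=True, min_ips=3, max_urls=3, min_hits=6):
    """Return /24 prefixes (or single IPs) with many hits on very few URLs."""
    ips, urls, hits = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path = m.groups()
        key = ip.rsplit(".", 1)[0] + ".*" if by_netblock else ip
        ips[key].add(ip)
        urls[key].add(path)
        hits[key] += 1
    # A netblock needs several distinct hosts; a single IP only needs volume.
    need_ips = min_ips if by_netblock else 1
    return sorted(k for k in hits
                  if hits[k] >= min_hits
                  and len(urls[k]) <= max_urls
                  and len(ips[k]) >= need_ips)

if __name__ == "__main__":
    print("netblocks:", repeat_hitters(SAMPLE_LOG))
    print("single IPs:", repeat_hitters(SAMPLE_LOG, by_netblock=False))
```

Grouping by /24 surfaces a distributed crawler that no per-IP counter would flag, which is why the two modes are reported separately; candidates still need a manual look before they go into a deny list.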