analysis of a spammer - znx - 2005-12-23
Quote:znx, you are the script king. :)
:)
analysis of a spammer - anyweb - 2005-12-23
znx
thanks mate
i've made the changes and will keep an eye on things
well done on this suggestion
cheers
anyweb
analysis of a spammer - znx - 2005-12-23
Quote:thanks mate
i've made the changes and will keep an eye on things
well done on this suggestion
yeah well, let's see how this handles; as i'm sure you are more than aware they could just spam from other names, but let's hope that this gives them a kick in the teeth in the meantime....
i suppose we should add another ! not referer in case it's internal to internal?
Code: # skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$
# internal referers (dots escaped so only linux-noob.com and its subdomains match)
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?linux-noob\.com [NC]
though it's not critical... and i doubt it will cause any significant performance gain
analysis of a spammer - anyweb - 2005-12-27
i've added 'netcathost.com' to my 'drop packets' rule on smoothwall
look here
Quote: Top 10 of 15137 Total Sites
 #  Hits           Files          KBytes          Visits        Hostname
 1  33775  6.91%   33775  8.03%   199524  1.58%   5     0.02%   67-14-171-98.colodns.com
 2  33775  6.91%   33775  8.03%   199524  1.58%   5     0.02%   colodns.com
 3  28972  5.93%   25283  6.01%   828452  6.58%   136   0.50%   googlebot.com
 4  26927  5.51%   26927  6.40%   0       0.00%   4     0.01%   ip177-131.netcathost.com
 5  26927  5.51%   26927  6.40%   0       0.00%   4     0.01%   netcathost.com
yup, that netcathost is the spammer (originator) and not only that, it managed to give me 26000 hits with zero visits registered
i'll continue monitoring....
cheers
anyweb
analysis of a spammer - anyweb - 2006-01-03
unfortunately the actions i have taken so far have not helped (see january's stats listed here: http://linux-noob.com/usage/usage_200601.html#TOPREFS )
so i'm dropping the ips of the spammers directly using iptables on linux-noob.com
here are the dropped hosts so far from my rc.firewall
Code: # Dropped Hosts
iptables -A INPUT -s 66.250.107.0/24 -j DROP # netcathost.com spammers
iptables -A INPUT -s 216.255.181.107 -j DROP # wgostonemantel.com
iptables -A INPUT -s 69.50.188.11 -j DROP # charlestyrrell-ins.com
iptables -A INPUT -s 66.232.101.120 -j DROP # clickobras.com
iptables -A INPUT -s 66.232.101.121 -j DROP # northeastmetrotec.com
iptables -A INPUT -s 216.255.181.110 -j DROP # syperopts.com
iptables -A INPUT -s 216.255.181.109 -j DROP # isdwebstore.com
iptables -A INPUT -s 69.50.188.11 -j DROP # nativealaaskan.net
iptables -A INPUT -s 216.255.181.107 -j DROP # reesehardin.com
iptables -A INPUT -s 69.50.188.13 -j DROP # skateinstrutor.com
iptables -A INPUT -s 66.232.101.122 -j DROP # vicotriajohnson.com
hopefully this will work...
analysis of a spammer - znx - 2006-01-03
Quote:Code: # Dropped Hosts
iptables -A INPUT -s 66.250.107.0/24 -j DROP # netcathost.com spammers
iptables -A INPUT -s 216.255.181.107 -j DROP # wgostonemantel.com
iptables -A INPUT -s 69.50.188.11 -j DROP # charlestyrrell-ins.com
iptables -A INPUT -s 66.232.101.120 -j DROP # clickobras.com
iptables -A INPUT -s 66.232.101.121 -j DROP # northeastmetrotec.com
iptables -A INPUT -s 216.255.181.110 -j DROP # syperopts.com
iptables -A INPUT -s 216.255.181.109 -j DROP # isdwebstore.com
iptables -A INPUT -s 69.50.188.11 -j DROP # nativealaaskan.net
iptables -A INPUT -s 216.255.181.107 -j DROP # reesehardin.com
iptables -A INPUT -s 69.50.188.13 -j DROP # skateinstrutor.com
iptables -A INPUT -s 66.232.101.122 -j DROP # vicotriajohnson.com
hopefully this will work...
this will not stop referer hits i'm afraid, i suggested it to stop the user accessing us, referers can be provided by ANY ip....
see the access_bad.log this will tell you the IP that the referer hits come from.. drop those instead...
;)
analysis of a spammer - znx - 2006-01-04
bit of discussion in the chan (#linux-noob : efnet) and i'm wrong..
http://linux-noob.com/usage/usage_200601.html#TOPSITES
anyweb is correctly blocking the offending accessing IP, not the referer :)
analysis of a spammer - anyweb - 2006-01-09
ok now i'm REALLY annoyed
these god dam asswipes are at it again
see here
http://linux-noob.com/usage/usage_200601.html#TOPREFS
Quote: Top 100 of 1257 Total Referrers
 #   Hits    %        Referrer
 1   42673   24.42%   - (Direct Request)
 2   1649    0.94%    http:// heraldry2001 com/
 3   1649    0.94%    http:// mapsforexcellence com
 4   1147    0.66%    http:// underland-rosow com/
 5   1020    0.58%    http:// compbiogen com/
 6   911     0.52%    http://www.google.com/search
 7   735     0.42%    http:// charlestyrrell-ins com/
 8   728     0.42%    http:// wgostonemantel com/
 9   721     0.41%    http:// clickobras com/
 10  721     0.41%    http:// northeastmetrotec com/
 11  721     0.41%    http:// syperopts com/
 12  714     0.41%    http:// isdwebstore com/
 13  714     0.41%    http:// nativealaaskan net/
 14  714     0.41%    http:// reesehardin com/
 15  714     0.41%    http:// skateinstrutor com/
 16  714     0.41%    http:// vicotriajohnson com/
 17  688     0.39%    http:// datascan-inc com/
 18  688     0.39%    http:// ebayslist com/
 19  688     0.39%    http:// ibelievejfk com/
 20  688     0.39%    http:// studisource com/
edit by znx: breaking the urls
those DIRTY LOWLIFES are spamming me so much that only two links in the top 20 referrers are REAL
that SUCKS. I hate them !!!!!!!!
ok, how do i fix it ???????????
helppppppppppppppppppppppppppppppppppppppp
it seems that 'dropping' the netcathost.com ip in rc.firewall did NOT help !@!
Code: DROP all -- 66.250.107.0/24 anywhere
DROP all -- 216.255.181.107 anywhere
DROP all -- 69.50.188.11 anywhere
DROP all -- 66.232.101.120 anywhere
DROP all -- 66.232.101.121 anywhere
DROP all -- 216.255.181.110 anywhere
DROP all -- 216.255.181.109 anywhere
DROP all -- 69.50.188.11 anywhere
DROP all -- 216.255.181.107 anywhere
DROP all -- 69.50.188.13 anywhere
DROP all -- 66.232.101.122 anywhere
and based on this
Quote: Top 10 of 5614 Total Sites
 #  Hits           Files          KBytes       Visits      Hostname
 1  15413  8.82%   15413  10.19%  0   0.00%    8   0.09%   ip177-131.netcathost.com
 2  15413  8.82%   15413  10.19%  0   0.00%    8   0.09%   netcathost.com
they MUST be the spamming LOSERS that are causing me this pain.
znx, please help, if anyone else has some bright ideas please help
this really annoys me....
:(
analysis of a spammer - anyweb - 2006-01-09
analysis of access_log shows me
lots of this
Code: 195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
85.50.66.61 - - [09/Jan/2006:06:19:56 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
72.232.30.46 - - [09/Jan/2006:06:20:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
72.232.30.46 - - [09/Jan/2006:06:21:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
66.154.102.111 - - [09/Jan/2006:06:21:36 +0100] "GET /forums/index.php?act=Post&CODE=02&f=14&t=1916&qpid=6881 HTTP/1.0" 200 32860 "-" "Gigabot/2.0"
85.50.66.61 - - [09/Jan/2006:06:21:58 +0100] "GET /SecureXP/configureIIS.htm HTTP/1.1" 200 1395 "http://www.windows-noob.com/SecureXP/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/linux-noob%20(1).html HTTP/1.1" 200 1056 "http://images.google.co.uk/imgres?imgurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/images/linux-noob%2520(1).jpg&imgrefurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%2520(1).html&h=480&w=640&sz=38&tbnid=TVQNHWTOyJQJ:&tbnh=101&tbnw=135&hl=en&start=109&prev=/images%3Fq%3Dnoob%26start%3D100%26svnum%3D10%26hl%3Den%26lr%3D%26rls%3DGGLG,GGLG:2005-39,GGLG:en%26sa%3DN" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/images/linux-noob%20(1).jpg HTTP/1.1" 200 38350 "http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%20(1).html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
72.232.30.46 - - [09/Jan/2006:06:22:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
85.50.66.61 - - [09/Jan/2006:06:22:11 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
so i guess that 195.225 ip is the offender ????
cheers
anyweb
analysis of a spammer - znx - 2006-01-09
Rev2 !
Code: RewriteEngine on
# drop HEAD (THE_REQUEST is the whole request line, e.g. "HEAD / HTTP/1.1")
RewriteCond %{THE_REQUEST} ^HEAD [NC,OR]
# bad User Agents, extremely odd to start with "(" .. the paren has to be escaped, "^(" is not a valid regex
RewriteCond %{HTTP_USER_AGENT} ^\( [NC,OR]
# all the bad guys (dots escaped so "evil-clickobras.com" and friends don't match as well)
# no separate "skip if empty" cond in between: a cond without OR closes the OR group, and the
# HEAD/UA checks would then be ANDed with the referer list and never fire on their own
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?networkresourceservices\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?northeastmetrotec\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?reesehardin\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?vicotriajohnson\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?advertisinggems\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?clickobras\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?nativealaaskan\.net [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?downjigger\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hedcore\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hellwithgoogle\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?isdwebstore\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?redline-entertainement\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?skateinstrutor\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?slewfootrecrods\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?syperopts\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?charlestyrrell-ins\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?wgostonemantel\.com [NC]
# no OR on the last one: it closes the single "any of the above" group
# forbid, set environment variable BAD, L means last rule
RewriteRule ^(.*) - [F,E=BAD:1,L]
# alter the logs.. keep the bad guys out of access.log but still log them so we can see
# (CustomLog only works in the server/vhost config, not in .htaccess)
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD
nasty referers be GONE!!!! :)
Minimal (which might do it)
Code: RewriteEngine on
RewriteCond %{THE_REQUEST} ^HEAD [NC,OR]
# escaped paren: "^(" would not compile and apache would refuse to start
RewriteCond %{HTTP_USER_AGENT} ^\( [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD
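As an added example (not code from the thread or from either poster), the same filter as a Python script run over the quoted access_log lines: it applies the predicate the Rev2 rules encode (HEAD, User-Agent starting with "(", or a listed referer domain) and, as znx suggested, totals the flagged hits per source IP, which is the value a firewall drop actually needs. BAD_REFERERS is a subset of the domains in the rule list and the sample lines are copied from the access_log excerpt earlier in the thread.

```python
import re
from collections import Counter

# Apache "combined" log format, the layout of the access_log lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Domains from the thread's RewriteCond list (a subset is enough for the sample).
BAD_REFERERS = {"datascan-inc.com", "ibelievejfk.com", "ebayslist.com",
                "studisource.com", "compbiogen.com", "charlestyrrell-ins.com"}

# Constructed sample: four lines copied from the access_log excerpt in the thread.
SAMPLE = [
    '195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"',
    '85.50.66.61 - - [09/Jan/2006:06:19:56 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"',
    '72.232.30.46 - - [09/Jan/2006:06:20:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"',
    '195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"',
]

def parse(line):
    """Split one combined-log line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_host(referer):
    """Lower-cased hostname of a referrer URL ('' for '-' or anything that is not a URL)."""
    m = re.match(r"^https?://([^/:]+)", referer, re.I)
    return m.group(1).lower() if m else ""

def is_bad(rec):
    """The Rev2 predicate: HEAD, or UA starting with '(', or referrer on the list (subdomains too)."""
    if rec["method"].upper() == "HEAD" or rec["ua"].startswith("("):
        return True
    host = referer_host(rec["referer"])
    return any(host == d or host.endswith("." + d) for d in BAD_REFERERS)

def analyse(lines):
    """Return (flagged hits per source IP, number of clean hits). The per-IP total is what
    access_bad.log shows: the address sending the requests, which is what a firewall drop targets."""
    bad_by_ip, good = Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:          # not combined format: skip rather than guess
            continue
        if is_bad(rec):
            bad_by_ip[rec["ip"]] += 1
        else:
            good += 1
    return bad_by_ip, good
```

Feed it the real log with `analyse(open("/var/log/apache/access.log"))` and the top entries of the returned Counter are the addresses to consider dropping, not the referer domains they advertise.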