Linux-Noob Forums

Full Version: analysis of a spammer
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3

Quote:znx, you are the script king. :)
 

:)


znx

 

thanks mate

 

i've made the changes and will keep an eye on things

 

well done on this suggestion

 

cheers

anyweb


Quote:thanks mate 

i've made the changes and will keep an eye on things

 

well done on this suggestion
 

yeah well, lets see how this handles, as im sure you are more than aware they could just spam from other names but lets hope that this gives them a kick in the teeth in the meantime....

 

i suppose we should add another ! not referer in case its internal to internal?

 



Code:
# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*.)?linux-noob.com.*$ [NC]




 

though its not critical... and i doubt it will cause any significant performance gain


i've added 'netcathost.com' to my 'drop packets' rule on smoothwall

 

look here

 

Quote:Top 10 of 15137 Total Sites# Hits Files KBytes Visits Hostname

1 33775 6.91% 33775 8.03% 199524 1.58% 5 0.02% 67-14-171-98.colodns.com

2 33775 6.91% 33775 8.03% 199524 1.58% 5 0.02% colodns.com

3 28972 5.93% 25283 6.01% 828452 6.58% 136 0.50% googlebot.com

4 26927 5.51% 26927 6.40% 0 0.00% 4 0.01% ip177-131.netcathost.com

5 26927 5.51% 26927 6.40% 0 0.00% 4 0.01% netcathost.com
 

yup, that netcathost is the spammer (originator) and not only that, it manged to give me 26000 hits with zero visits registered

 

i'll continue monitoring....

 

cheers

anyweb


unfortunately the actions i have taken so far have not helped (see january's stats listed here... [/url][url=http://linux-noob.com/usage/usage_200601.html#TOPREFS]http://linux-noob.com/usage/usage_200601.html#TOPREFS )

 

so i'm dropping the ips of the spammers directly using iptables on linux-noob.com

 

here are the dropped hosts so far from my rc.firewall

 



Code:
# Dropped Hosts
iptables -A INPUT -s 66.250.107.0/24 -j DROP # netcathost.com spammers
iptables -A INPUT -s 216.255.181.107 -j DROP # wgostonemantel.com
iptables -A INPUT -s 69.50.188.11 -j DROP # charlestyrrell-ins.com
iptables -A INPUT -s 66.232.101.120 -j DROP # clickobras.com
iptables -A INPUT -s 66.232.101.121 -j DROP # northeastmetrotec.com
iptables -A INPUT -s 216.255.181.110 -j DROP # syperopts.com
iptables -A INPUT -s 216.255.181.109 -j DROP # isdwebstore.com
iptables -A INPUT -s 69.50.188.11 -j DROP # nativealaaskan.net
iptables -A INPUT -s 216.255.181.107 -j DROP # reesehardin.com
iptables -A INPUT -s 69.50.188.13 -j DROP # skateinstrutor.com
iptables -A INPUT -s 66.232.101.122 -j DROP # vicotriajohnson.com




 

hopefully this will work...


Quote:
Code:
# Dropped Hosts
iptables -A INPUT -s 66.250.107.0/24 -j DROP # netcathost.com spammers
iptables -A INPUT -s 216.255.181.107 -j DROP # wgostonemantel.com
iptables -A INPUT -s 69.50.188.11 -j DROP # charlestyrrell-ins.com
iptables -A INPUT -s 66.232.101.120 -j DROP # clickobras.com
iptables -A INPUT -s 66.232.101.121 -j DROP # northeastmetrotec.com
iptables -A INPUT -s 216.255.181.110 -j DROP # syperopts.com
iptables -A INPUT -s 216.255.181.109 -j DROP # isdwebstore.com
iptables -A INPUT -s 69.50.188.11 -j DROP # nativealaaskan.net
iptables -A INPUT -s 216.255.181.107 -j DROP # reesehardin.com
iptables -A INPUT -s 69.50.188.13 -j DROP # skateinstrutor.com
iptables -A INPUT -s 66.232.101.122 -j DROP # vicotriajohnson.com

<div>


 

hopefully this will work...

</div>
 

this will not stop referer hits im afraid, i suggested it to stop the user accessing us, referers can be provided by ANY ip....

 

see the access_bad.log this will tell you the IP that the referer hits come from.. drop those instead...

 

;)


bit of discussion in the chan (#linux-noob : efnet) and im wrong..

 

[/url][url=http://linux-noob.com/usage/usage_200601.html#TOPSITES]http://linux-noob.com/usage/usage_200601.html#TOPSITES

 

anyweb is correctly blocking the offending accessing IP not the referer :)


ok now i'm REALLY annoyed

 

these god dam asswipes are at it again

 

see here

 

[/url]http://linux-noob.com/usage/usage_200601.html#TOPREFS

 

Quote:Top 100 of 1257 Total Referrers# Hits Referrer

1 42673 24.42% - (Direct Request)

2 1649 0.94% http:// heraldry2001 com/

3 1649 0.94% http:// mapsforexcellence com

4 1147 0.66% http:// underland-rosow com/

5 1020 0.58% http:// compbiogen com/

6 911 0.52% [url=http://www.google.com/search]http://www.google.com/search

7 735 0.42% http:// charlestyrrell-ins com/

8 728 0.42% http:// wgostonemantel com/

9 721 0.41% http:// clickobras com/

10 721 0.41% http:// northeastmetrotec com/

11 721 0.41% http:// syperopts com/

12 714 0.41% http:// isdwebstore com/

13 714 0.41% http:// nativealaaskan net/

14 714 0.41% http:// reesehardin com/

15 714 0.41% http:// skateinstrutor com/

16 714 0.41% http:// vicotriajohnson com/

17 688 0.39% http:// datascan-inc com/

18 688 0.39% http:// ebayslist com/

19 688 0.39% http:// ibelievejfk com/

20 688 0.39% http:// studisource com/
edit by znx: breaking the urls

 

those DIRTY LOWLIFES are spamming me so much that only two links in the top 20 referrers are REAL

 

that SUCKS. I hate them !!!!!!!!

 

ok, how do i fix it ???????????

 

helppppppppppppppppppppppppppppppppppppppp

 

it seems that 'dropping' the netcathost.com ip in rc.firewall did NOT help !@!

 



Code:
DROP       all  --  66.250.107.0/24      anywhere
DROP       all  --  216.255.181.107      anywhere
DROP       all  --  69.50.188.11         anywhere
DROP       all  --  66.232.101.120       anywhere
DROP       all  --  66.232.101.121       anywhere
DROP       all  --  216.255.181.110      anywhere
DROP       all  --  216.255.181.109      anywhere
DROP       all  --  69.50.188.11         anywhere
DROP       all  --  216.255.181.107      anywhere
DROP       all  --  69.50.188.13         anywhere
DROP       all  --  66.232.101.122       anywhere




 

and based on this

 

Quote:Top 10 of 5614 Total Sites# Hits Files KBytes Visits Hostname

1 15413 8.82% 15413 10.19% 0 0.00% 8 0.09% ip177-131.netcathost.com

2 15413 8.82% 15413 10.19% 0 0.00% 8 0.09% netcathost.com
 

they MUST be the spamming LOOSERS that are causing me this pain.

 

znx, please help, if anyone else has some bright ideas please help

 

this really annoys me....

 

:(


analysis of access_log shows me

 

lots of this

 



Code:
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
85.50.66.61 - - [09/Jan/2006:06:19:56 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
72.232.30.46 - - [09/Jan/2006:06:20:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
72.232.30.46 - - [09/Jan/2006:06:21:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
66.154.102.111 - - [09/Jan/2006:06:21:36 +0100] "GET /forums/index.php?act=Post&CODE=02&f=14&t=1916&qpid=6881 HTTP/1.0" 200 32860 "-" "Gigabot/2.0"
85.50.66.61 - - [09/Jan/2006:06:21:58 +0100] "GET /SecureXP/configureIIS.htm HTTP/1.1" 200 1395 "http://www.windows-noob.com/SecureXP/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/linux-noob%20(1).html HTTP/1.1" 200 1056 "http://images.google.co.uk/imgres?imgurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/images/linux-noob%2520(1).jpg&imgrefurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%2520(1).html&h=480&w=640&sz=38&tbnid=TVQNHWTOyJQJ:&tbnh=101&tbnw=135&hl=en&start=109&prev=/images%3Fq%3Dnoob%26start%3D100%26svnum%3D10%26hl%3Den%26lr%3D%26rls%3DGGLG,GGLG:2005-39,GGLG:en%26sa%3DN" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/images/linux-noob%20(1).jpg HTTP/1.1" 200 38350 "http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%20(1).html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
72.232.30.46 - - [09/Jan/2006:06:22:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
85.50.66.61 - - [09/Jan/2006:06:22:11 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"




 

so i guess that 195.225 ip is the offender ????

 

cheers

 

anyweb


Rev2 !

 



Code:
RewriteEngine on

# drop HEAD
RewriteCond %{THE_REQUEST} "^HEAD" [NC,OR]

# bad User Agents, extremely odd to start with "(" ..
RewriteCond %{HTTP_USER_AGENT} "^(" [NC,OR]

# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$

# all the bad guys
RewriteCond %{HTTP_REFERER} ^http://(.*.)?networkresourceservices.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?northeastmetrotec.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?reesehardin.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?vicotriajohnson.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?advertisinggems.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?clickobras.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?nativealaaskan.net [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?downjigger.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?hedcore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?hellwithgoogle.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?isdwebstore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?redline-entertainement.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?skateinstrutor.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?slewfootrecrods.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?syperopts.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?charlestyrrell-ins.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*.)?wgostonemantel.com.*$ [NC]

# no OR in the last one

# forbid, set enviromental BAD, L means LAST rules
RewriteRule ^(.*) - [F,E=BAD:1,L]

# alter the logs.. to remove the bad guys but still log them so we can see
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD




 

nasty referer's be GONE!!!! :)

 

 

Minimal (which might do it)



Code:
RewriteEngine on
RewriteCond %{THE_REQUEST} "^HEAD" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^(" [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]

CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD




Pages: 1 2 3