analysis of a spammer

2005-12-23, 06:17 PM
Quote: znx, you are the script king. :)
:)
2005-12-23, 08:28 PM
znx thanks mate, i've made the changes and will keep an eye on things. well done on this suggestion.
cheers anyweb

Quote: thanks mate
yeah well, lets see how this handles. as im sure you are more than aware they could just spam from other names, but lets hope that this gives them a kick in the teeth in the meantime.... i suppose we should add another ! not referer in case its internal to internal?
Code:
# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$
# internal links, the dot is escaped so it is matched literally
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?linux-noob.com.*$ [NC]
though its not critical... and i doubt it will cause any significant performance gain
2005-12-27, 10:46 PM
i've added 'netcathost.com' to my 'drop packets' rule on smoothwall. look here
Quote: Top 10 of 15137 Total Sites (table header only: # Hits Files KBytes Visits Hostname)
yup, that netcathost is the spammer (originator) and not only that, it managed to give me 26000 hits with zero visits registered. i'll continue monitoring.... cheers anyweb
2006-01-03, 09:29 AM
unfortunately the actions i have taken so far have not helped (see january's stats listed here... http://linux-noob.com/usage/usage_200601.html#TOPREFS ) so i'm dropping the ips of the spammers directly using iptables on linux-noob.com. here are the dropped hosts so far from my rc.firewall
Code:
# Dropped Hosts
iptables -A INPUT -s 66.250.107.0/24 -j DROP # netcathost.com spammers
iptables -A INPUT -s 216.255.181.107 -j DROP # wgostonemantel.com
iptables -A INPUT -s 69.50.188.11 -j DROP # charlestyrrell-ins.com
iptables -A INPUT -s 66.232.101.120 -j DROP # clickobras.com
iptables -A INPUT -s 66.232.101.121 -j DROP # northeastmetrotec.com
iptables -A INPUT -s 216.255.181.110 -j DROP # syperopts.com
iptables -A INPUT -s 216.255.181.109 -j DROP # isdwebstore.com
iptables -A INPUT -s 69.50.188.11 -j DROP # nativealaaskan.net
iptables -A INPUT -s 216.255.181.107 -j DROP # reesehardin.com
iptables -A INPUT -s 69.50.188.13 -j DROP # skateinstrutor.com
iptables -A INPUT -s 66.232.101.122 -j DROP # vicotriajohnson.com
hopefully this will work...
2006-01-03, 10:15 PM
Quote:
this will not stop referer hits im afraid. i suggested it to stop the user accessing us; referers can be provided by ANY ip.... see the access_bad.log, this will tell you the IP that the referer hits come from.. drop those instead... ;)
2006-01-04, 01:26 PM
bit of discussion in the chan (#linux-noob : efnet) and im wrong.. http://linux-noob.com/usage/usage_200601.html#TOPSITES anyweb is correctly blocking the offending accessing IP not the referer :)

ok now i'm REALLY annoyed, these god damn asswipes are at it again. see here http://linux-noob.com/usage/usage_200601.html#TOPREFS
Quote: Top 100 of 1257 Total Referrers (table header only: # Hits Referrer) [edit by znx: breaking the urls]
those DIRTY LOWLIFES are spamming me so much that only two links in the top 20 referrers are REAL. that SUCKS. I hate them !!!!!!!! ok, how do i fix it ??????????? helppppppppppppppppppppppppppppppppppppppp it seems that 'dropping' the netcathost.com ip in rc.firewall did NOT help !@!
Code:
DROP all -- 66.250.107.0/24 anywhere
DROP all -- 216.255.181.107 anywhere
DROP all -- 69.50.188.11 anywhere
DROP all -- 66.232.101.120 anywhere
DROP all -- 66.232.101.121 anywhere
DROP all -- 216.255.181.110 anywhere
DROP all -- 216.255.181.109 anywhere
DROP all -- 69.50.188.11 anywhere
DROP all -- 216.255.181.107 anywhere
DROP all -- 69.50.188.13 anywhere
DROP all -- 66.232.101.122 anywhere
and based on this
Quote: Top 10 of 5614 Total Sites (table header only: # Hits Files KBytes Visits Hostname)
they MUST be the spamming LOSERS that are causing me this pain. znx, please help, if anyone else has some bright ideas please help, this really annoys me.... :( analysis of access_log shows me lots of this
Code:
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
85.50.66.61 - - [09/Jan/2006:06:19:56 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
72.232.30.46 - - [09/Jan/2006:06:20:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
72.232.30.46 - - [09/Jan/2006:06:21:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
66.154.102.111 - - [09/Jan/2006:06:21:36 +0100] "GET /forums/index.php?act=Post&CODE=02&f=14&t=1916&qpid=6881 HTTP/1.0" 200 32860 "-" "Gigabot/2.0"
85.50.66.61 - - [09/Jan/2006:06:21:58 +0100] "GET /SecureXP/configureIIS.htm HTTP/1.1" 200 1395 "http://www.windows-noob.com/SecureXP/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/linux-noob%20(1).html HTTP/1.1" 200 1056 "http://images.google.co.uk/imgres?imgurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/images/linux-noob%2520(1).jpg&imgrefurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%2520(1).html&h=480&w=640&sz=38&tbnid=TVQNHWTOyJQJ:&tbnh=101&tbnw=135&hl=en&start=109&prev=/images%3Fq%3Dnoob%26start%3D100%26svnum%3D10%26hl%3Den%26lr%3D%26rls%3DGGLG,GGLG:2005-39,GGLG:en%26sa%3DN" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/images/linux-noob%20(1).jpg HTTP/1.1" 200 38350 "http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%20(1).html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
72.232.30.46 - - [09/Jan/2006:06:22:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
85.50.66.61 - - [09/Jan/2006:06:22:11 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
so i guess that 195.225 ip is the offender ???? cheers anyweb

Rev2 !
Code:
RewriteEngine on
# drop HEAD
RewriteCond %{THE_REQUEST} "^HEAD" [NC,OR]
# bad User Agents, extremely odd to start with "(" .. (the "(" must be escaped, a bare "^(" is not a valid regex and Apache refuses to start)
RewriteCond %{HTTP_USER_AGENT} "^\(" [NC]
# these two get their own rule: an [OR] chain runs up to the next condition without [OR],
# so placing them in front of the referer list would merge the two groups and HEAD/UA alone would never block
RewriteRule ^(.*) - [F,E=BAD:1,L]
# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$
# all the bad guys (dots escaped so they match literally)
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?networkresourceservices.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?northeastmetrotec.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?reesehardin.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?vicotriajohnson.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?advertisinggems.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?clickobras.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?nativealaaskan.net.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?downjigger.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hedcore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hellwithgoogle.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?isdwebstore.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?redline-entertainement.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?skateinstrutor.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?slewfootrecrods.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?syperopts.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?charlestyrrell-ins.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?wgostonemantel.com.*$ [NC]
# no OR in the last one
# forbid, set environment variable BAD, L means LAST rule
RewriteRule ^(.*) - [F,E=BAD:1,L]
# alter the logs.. to remove the bad guys but still log them so we can see
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD
nasty referer's be GONE!!!! :)

Minimal (which might do it)
Code:
RewriteEngine on
RewriteCond %{THE_REQUEST} "^HEAD" [NC,OR]
# "(" escaped, otherwise the pattern does not compile
RewriteCond %{HTTP_USER_AGENT} "^\(" [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD
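As an added example (not code from the thread), this script applies the same three tests as the Rev2 rules, a HEAD request, a User-Agent beginning with "(", or a blocklisted referer, to combined-format log lines and reports, per source IP, the hits that would end up in access_bad.log; it also flags IPs that rotate through many referer hosts, which is the pattern anyweb saw from 195.225.177.131 and the IP znx says to drop. The sample log lines, IPs, referer domains and blocklist entry are constructed stand-ins.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
                    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Referer domains to forbid (constructed stand-in for the thread's RewriteCond list)
BAD_REFERERS = {"blocked-example.com"}

# Constructed sample lines in the same shape as the thread's access_log excerpt
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://referer-a.example/" "(compatible; MSIE 5.0; Windows NT)"
192.0.2.10 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://referer-b.example/" "(compatible; MSIE 5.0; Windows NT)"
192.0.2.10 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://referer-c.example/" "(compatible; MSIE 5.0; Windows NT)"
198.51.100.7 - - [09/Jan/2006:06:19:56 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Firefox/1.5"
198.51.100.8 - - [09/Jan/2006:06:20:08 +0100] "GET /forums/ HTTP/1.0" 200 6073 "http://www.blocked-example.com/x" "Mozilla/5.0 (X11; U; Linux i686) Firefox/0.9.3"
198.51.100.9 - - [09/Jan/2006:06:21:36 +0100] "GET / HTTP/1.1" 200 512 "http://images.google.co.uk/imgres?q=noob" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_host(ref):
    m = re.match(r'^https?://([^/:]+)', ref, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def is_bad(rec):
    """Same tests as the Rev2 rules: HEAD request, UA beginning with "(", or listed referer."""
    host = referer_host(rec["ref"])
    listed = any(host == d or host.endswith("." + d) for d in BAD_REFERERS)
    return rec["req"].upper().startswith("HEAD") or rec["ua"].startswith("(") or listed

def analyse(lines, churn=3):
    """Return ({ip: hits that would land in access_bad.log}, {ips rotating >= churn referer hosts})."""
    bad_hits, refs = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or not is_bad(rec):
            continue                      # malformed line, or an ordinary visitor
        bad_hits[rec["ip"]] += 1
        if referer_host(rec["ref"]):
            refs[rec["ip"]].add(referer_host(rec["ref"]))
    # one source cycling through many "referers" is the referer-spam signature from the thread
    churners = {ip for ip, hosts in refs.items() if len(hosts) >= churn}
    return dict(bad_hits), churners

if __name__ == "__main__":
    hits, churners = analyse(SAMPLE_LOG.splitlines())
    print({ip: (n, ip in churners) for ip, n in hits.items()})
```

Feed it the real access_bad.log instead of SAMPLE_LOG and the churners set is the list of source IPs worth dropping at the firewall, as distinct from the referer domains they advertise.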