anyweb

analysis of a spammer


hi guys

It seems that spammers try every method in the book, using methods like email, phishing, posting on forums (with links to where they want you to click) amongst their methods,

while browsing through the statistics of this website (https://www.linux-noob.com) I came across some unfamiliar 'referral links' which drew my interest and later, disgust.

The spammers have obviously got some 'spam bots' which crawl websites for one purpose, to falsely leave behind their 'links' in the statistics page of a website.

To try and further understand these low-lifes I did some analysis:-

 

look at the statistics posted here

http://linux-noob.com/usage/usage_200512.html#TOPREFS

OK, the first link is listed as a 'direct request' and what that means is any internal link on linux-noob.com that links back to a page/site/forum whatever on linux-noob.com is listed as a direct request, same goes for anyone coming here via a bookmark to linux-noob.com or RSS feed.

The second link in the list above is our friend google, nothing strange there.

However, if we look at the 3rd to the 12th links listed, things start to become strange.

Obviously, to find out who these 'new' referrals were I clicked on the link, only to be surprised that I landed on a 'so called search page'.

take a look at the first link listed

 

3 1462 0.48% http://charlestyrrell-ins.com/

clicking on that will re-direct you to the following website

http://www.searchmeup.com/search.php?aid=3...id=this_is_SPAM

which is 'marketing' (spamming to you and me) a drug called "lousy spam".

"lousy spam" itself (according to google) is a diet pill, but who cares. I don't. I'm not interested. What annoys me is that the 'charlestyrrell' link redirects me to a 'search site'. That is the SPAM in action.

 

Let's take the second site listed:-

4 1462 0.48% http://wgostonemantel.com/

once again, it redirects to the above page

http://www.searchmeup.com/search.php?aid=3...id=this_is_SPAM

and you can probably guess that the 'aid=36585' part of the link is the method that the spammer has of knowing how successful his spam is.

Let's continue with the third link:-

5 1340 0.44% http://downjigger.com/

redirects to http://www.searchmeup.com/search.php?aid=3...hoes&said=550_1

which is the same 'searchmeup.com' website and the same 'aid=36585' but now with a 'new' PHONEY search term.

OK, you get the idea now, so who is running this spamming operation?

let's do some whois ...

 

charlestyrrell-ins.com (Reverse lookup failed)

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: charlestyrrell-ins.com
connecting to whois.internic.net [198.41.0.6:43]...
connecting to whois.criticalinternet.com [69.50.183.29:43] ...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: CHARLESTYRRELL-INS.COM

Registrant:
Miamy diamond, inc
Andrew Scott (andrewscott600@yahoo.com)
2301 E St Nw
Washington
,20037
US
Tel. +202.4630871

Creation Date: 10-Dec-2005
Expiration Date: 10-Dec-2006

Domain servers in listed order:
ns1.charlestyrrell-ins.com
ns2.charlestyrrell-ins.com

 

and the next 'link'

wgostonemantel.com (Reverse lookup failed)

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: wgostonemantel.com
connecting to whois.internic.net [198.41.0.6:43]...
connecting to whois.criticalinternet.com [69.50.183.29:43] ...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: WGOSTONEMANTEL.COM

Registrant:
-
Klaus Muller (klausmuller007@yahoo.com)
Sandershauser Strasse 101
Kassel
,34123
DE
Tel. +49.56150003

Creation Date: 09-Dec-2005
Expiration Date: 09-Dec-2006

Domain servers in listed order:
ns1.wgostonemantel.com
ns2.wgostonemantel.com

 

and the third link

downjigger.com (Reverse lookup failed)

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2001 William E. Weinman
Request: downjigger.com
connecting to whois.internic.net [198.41.0.6:43]...
connecting to whois.criticalinternet.com [69.50.183.29:43] ...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: DOWNJIGGER.COM

Registrant:
-
Klaus Muller (klausmuller007@yahoo.com)
Sandershauser Strasse 101
Kassel
,34123
DE
Tel. +49.56150003

Creation Date: 13-Dec-2005
Expiration Date: 13-Dec-2006

Domain servers in listed order:
ns1.downjigger.com
ns2.downjigger.com

 

So are the people mentioned above real or fake? Any takers?

the 'searchmeup.com' website has a 'report abuse' link which redirects to

https://www.umaxlogin.com/user_page.php?page=FAQ

which is a 'pay per click' ad revenue scheme, so we can see that the many links 'left behind' on linux-noob.com's STATS page are designed to get users to 'click' and end up on 'searchmeup'.

Someone is trying to profit here, but who?

I tried to 'report abuse' to the domain name creation site listed above but was left feeling less than impressed (see screenshot)

C'mon guys, feel like helping me out here? Who is doing this and how can we stop them?

cheers

anyweb

[attachment: post-1-1134724123.png]

---

Quick way to do it with PHP:

One way

<?php
// compare the Referer's host (not the whole URL) against the blocked names
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$host = strtolower((string) parse_url($referer, PHP_URL_HOST));
switch ($host) {
  case "badsite.com":
  case "nextbadsite.com":
    exit;
}

Second way

<?php
$bad = array("badsite.com", "badsite1.com");
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$host = strtolower((string) parse_url($referer, PHP_URL_HOST));
if (in_array($host, $bad, true)) exit;

Either of these placed at the top of the webpages (i.e. on every page like the header) should just terminate the page early and fail to load it for those site REFERERs.

Of course this method isn't perfect as the REFERER can easily be faked.

Another method would be to use iptables.. and simply drop traffic from the bad sites...

iptables -A INPUT -s badsite.com -j DROP

Again though.. you can get around this, a proxy for instance (or Tor?).

Just some ideas...

---

Hi anyweb,

I was told you could do this by using: mod_setenvif

http://httpd.apache.org/docs/1.3/mod/mod_s...f.html#setenvif

also you could use mod_rewrite

http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

I'll have a look into both and see if I could produce a rule to stop the spamming

znx's method is also good :)

---

OK, I had a little chat in #apache and was told to do:

SetEnvIfNoCase Referer ".*charlestyrrell-ins\.com.*" deny_these

then, as appropriate,

Deny from env=deny_these

---

oh this is just annoying me....

they are now increasing the number of 'referral links' and of course the actual sites have nothing to do with the URL they claim to be

Not only that, but how are they doing this?

Usually a 'referral' means that someone clicked on a link to end up here, but this is clearly not the case.

I'm still thinking about your suggestions above but has anyone else got any ideas?

Can I remove the links from webalizer????

 

3 1765 0.48% http:// networkresourceservices.com/
4 1765 0.48% http:// northeastmetrotec.com/
5 1765 0.48% http:// reesehardin.com/
6 1765 0.48% http:// vicotriajohnson.com/
7 1589 0.44% http:// advertisinggems.com/
8 1589 0.44% http:// clickobras.com/
9 1589 0.44% http:// nativealaaskan.net/
10 1522 0.42% http:// downjigger.com/
11 1522 0.42% http:// hedcore.com/
12 1522 0.42% http:// hellwithgoogle.com/
13 1522 0.42% http:// isdwebstore.com/
14 1522 0.42% http:// redline-entertainement.com/
15 1522 0.42% http:// skateinstrutor.com/
16 1522 0.42% http:// slewfootrecrods.com/
17 1522 0.42% http:// syperopts.com/
18 1462 0.40% http:// charlestyrrell-ins.com/
19 1462 0.40% http:// wgostonemantel.com/

 

be warned the first link (I clicked it to see) is NSFW

pretty sure the rest are also bad

http://linux-noob.com/usage/usage_200512.html#TOPREFS

Edited by znx

---

I'd avoid posting real links in your posts, you're just helping their PageRank. :)

---

RewriteEngine on

# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$

# all the bad guys (dots escaped: "\." is a literal dot, "." would match any character)
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?networkresourceservices\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?northeastmetrotec\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?reesehardin\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?vicotriajohnson\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?advertisinggems\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?clickobras\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?nativealaaskan\.net.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?downjigger\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hedcore\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hellwithgoogle\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?isdwebstore\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?redline-entertainement\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?skateinstrutor\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?slewfootrecrods\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?syperopts\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?charlestyrrell-ins\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?wgostonemantel\.com.*$ [NC]
# no OR in the last one

# forbid, set environment variable BAD, L means LAST rule
RewriteRule ^(.*) - [F,E=BAD:1,L]

# alter the logs.. to remove the bad guys but still log them so we can see
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD

nasty referers be GONE.. ^_^

---

thanks znx, but where do I put that and what actions must I take in order for it to do anything? Do I have to install something?

cheers

anyweb

---
thanks znx, but where do I put that and what actions must I take in order for it to do anything? Do I have to install something?

Oh yeah.. it would have been good to say how to use it .. :P

First make sure that the paths are good for your log files (maybe you want to put them elsewhere to test?) then you can simply put that in a .htaccess file in the docroot of your site.. and it will protect across the whole site then...

If you want to test it out.. you can add my site and try clicking through from it...

....
# all the bad guys
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?abdn\.ac\.uk.*$ [NC,OR]
....

When you click from my site.. you should reach a Forbidden page.. and it should NOT be logged in access.log and it should be logged in access_bad.log. Neat eh :D

---
Neat eh :D

znx, you are the script king. :)

---
znx, you are the script king. :)

^_^

---

znx

thanks mate

I've made the changes and will keep an eye on things

well done on this suggestion

cheers

anyweb

---
thanks mate

I've made the changes and will keep an eye on things

well done on this suggestion

yeah well, let's see how this handles, as I'm sure you are more than aware they could just spam from other names but let's hope that this gives them a kick in the teeth in the meantime....

I suppose we should add another ! not-referer in case it's internal to internal?

# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?linux-noob\.com.*$ [NC]

though it's not critical... and I doubt it will cause any significant performance gain

Edited by znx

---

I've added 'netcathost.com' to my 'drop packets' rule on smoothwall

look here

Top 10 of 15137 Total Sites

# Hits Files KBytes Visits Hostname
1 33775 6.91% 33775 8.03% 199524 1.58% 5 0.02% 67-14-171-98.colodns.com
2 33775 6.91% 33775 8.03% 199524 1.58% 5 0.02% colodns.com
3 28972 5.93% 25283 6.01% 828452 6.58% 136 0.50% googlebot.com
4 26927 5.51% 26927 6.40% 0 0.00% 4 0.01% ip177-131.netcathost.com
5 26927 5.51% 26927 6.40% 0 0.00% 4 0.01% netcathost.com

yup, that netcathost is the spammer (originator) and not only that, it managed to give me 26000 hits with zero visits registered

I'll continue monitoring....

cheers

anyweb

---

Unfortunately the actions I have taken so far have not helped (see January's stats listed here... http://linux-noob.com/usage/usage_200601.html#TOPREFS )

so I'm dropping the IPs of the spammers directly using iptables on linux-noob.com

here are the dropped hosts so far from my rc.firewall

# Dropped Hosts
iptables -A INPUT -s 66.250.107.0/24 -j DROP # netcathost.com spammers
iptables -A INPUT -s 216.255.181.107 -j DROP # wgostonemantel.com
iptables -A INPUT -s 69.50.188.11 -j DROP # charlestyrrell-ins.com
iptables -A INPUT -s 66.232.101.120 -j DROP # clickobras.com
iptables -A INPUT -s 66.232.101.121 -j DROP # northeastmetrotec.com
iptables -A INPUT -s 216.255.181.110 -j DROP # syperopts.com
iptables -A INPUT -s 216.255.181.109 -j DROP # isdwebstore.com
iptables -A INPUT -s 69.50.188.11 -j DROP # nativealaaskan.net
iptables -A INPUT -s 216.255.181.107 -j DROP # reesehardin.com
iptables -A INPUT -s 69.50.188.13 -j DROP # skateinstrutor.com
iptables -A INPUT -s 66.232.101.122 -j DROP # vicotriajohnson.com

hopefully this will work...

---
# Dropped Hosts
iptables -A INPUT -s 66.250.107.0/24 -j DROP # netcathost.com spammers
iptables -A INPUT -s 216.255.181.107 -j DROP # wgostonemantel.com
iptables -A INPUT -s 69.50.188.11 -j DROP # charlestyrrell-ins.com
iptables -A INPUT -s 66.232.101.120 -j DROP # clickobras.com
iptables -A INPUT -s 66.232.101.121 -j DROP # northeastmetrotec.com
iptables -A INPUT -s 216.255.181.110 -j DROP # syperopts.com
iptables -A INPUT -s 216.255.181.109 -j DROP # isdwebstore.com
iptables -A INPUT -s 69.50.188.11 -j DROP # nativealaaskan.net
iptables -A INPUT -s 216.255.181.107 -j DROP # reesehardin.com
iptables -A INPUT -s 69.50.188.13 -j DROP # skateinstrutor.com
iptables -A INPUT -s 66.232.101.122 -j DROP # vicotriajohnson.com

hopefully this will work...

this will not stop referer hits I'm afraid, I suggested it to stop the user accessing us, referers can be provided by ANY IP....

see the access_bad.log, this will tell you the IP that the referer hits come from.. drop those instead...

;)

---

OK now I'm REALLY annoyed

these god damn asswipes are at it again

see here

http://linux-noob.com/usage/usage_200601.html#TOPREFS

Top 100 of 1257 Total Referrers

# Hits Referrer
1 42673 24.42% - (Direct Request)
2 1649 0.94% http:// heraldry2001 com/
3 1649 0.94% http:// mapsforexcellence com
4 1147 0.66% http:// underland-rosow com/
5 1020 0.58% http:// compbiogen com/
6 911 0.52% http://www.google.com/search
7 735 0.42% http:// charlestyrrell-ins com/
8 728 0.42% http:// wgostonemantel com/
9 721 0.41% http:// clickobras com/
10 721 0.41% http:// northeastmetrotec com/
11 721 0.41% http:// syperopts com/
12 714 0.41% http:// isdwebstore com/
13 714 0.41% http:// nativealaaskan net/
14 714 0.41% http:// reesehardin com/
15 714 0.41% http:// skateinstrutor com/
16 714 0.41% http:// vicotriajohnson com/
17 688 0.39% http:// datascan-inc com/
18 688 0.39% http:// ebayslist com/
19 688 0.39% http:// ibelievejfk com/
20 688 0.39% http:// studisource com/

edit by znx: breaking the urls

those DIRTY LOWLIFES are spamming me so much that only two links in the top 20 referrers are REAL

that SUCKS. I hate them !!!!!!!!

OK, how do I fix it???????????

helppppppppppppppppppppppppppppppppppppppp

it seems that 'dropping' the netcathost.com IP in rc.firewall did NOT help !@!

 

DROP	   all  --  66.250.107.0/24	  anywhere
DROP	   all  --  216.255.181.107	  anywhere
DROP	   all  --  69.50.188.11		 anywhere
DROP	   all  --  66.232.101.120	   anywhere
DROP	   all  --  66.232.101.121	   anywhere
DROP	   all  --  216.255.181.110	  anywhere
DROP	   all  --  216.255.181.109	  anywhere
DROP	   all  --  69.50.188.11		 anywhere
DROP	   all  --  216.255.181.107	  anywhere
DROP	   all  --  69.50.188.13		 anywhere
DROP	   all  --  66.232.101.122	   anywhere

 

and based on this

Top 10 of 5614 Total Sites

# Hits Files KBytes Visits Hostname
1 15413 8.82% 15413 10.19% 0 0.00% 8 0.09% ip177-131.netcathost.com
2 15413 8.82% 15413 10.19% 0 0.00% 8 0.09% netcathost.com

 

they MUST be the spamming LOSERS that are causing me this pain.

znx, please help, if anyone else has some bright ideas please help

this really annoys me....

:(

---

analysis of access_log shows me

lots of this

 

195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
85.50.66.61 - - [09/Jan/2006:06:19:56 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
72.232.30.46 - - [09/Jan/2006:06:20:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:20:29 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
72.232.30.46 - - [09/Jan/2006:06:21:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:21:24 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"
66.154.102.111 - - [09/Jan/2006:06:21:36 +0100] "GET /forums/index.php?act=Post&CODE=02&f=14&t=1916&qpid=6881 HTTP/1.0" 200 32860 "-" "Gigabot/2.0"
85.50.66.61 - - [09/Jan/2006:06:21:58 +0100] "GET /SecureXP/configureIIS.htm HTTP/1.1" 200 1395 "http://www.windows-noob.com/SecureXP/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/linux-noob%20(1).html HTTP/1.1" 200 1056 "http://images.google.co.uk/imgres?imgurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/images/linux-noob%2520(1).jpg&imgrefurl=http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%2520(1).html&h=480&w=640&sz=38&tbnid=TVQNHWTOyJQJ:&tbnh=101&tbnw=135&hl=en&start=109&prev=/images%3Fq%3Dnoob%26start%3D100%26svnum%3D10%26hl%3Den%26lr%3D%26rls%3DGGLG,GGLG:2005-39,GGLG:en%26sa%3DN" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
88.106.74.99 - - [09/Jan/2006:06:22:05 +0100] "GET /computers/gaming/doom3/images/linux-noob%20(1).jpg HTTP/1.1" 200 38350 "http://anyweb.kicks-ass.net/computers/gaming/doom3/linux-noob%20(1).html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
72.232.30.46 - - [09/Jan/2006:06:22:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
85.50.66.61 - - [09/Jan/2006:06:22:11 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://compbiogen.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:22:19 +0100] "HEAD / HTTP/1.1" 200 0 "http://studisource.com/" "(compatible; MSIE 5.0; Windows NT)"

 

So I guess that 195.225 IP is the offender?

cheers

anyweb
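The log lines above show the whole pattern in one place: one source IP, HEAD requests for /, zero bytes served, a fake Referer, and a User-Agent that opens with "(" and carries no product token. The following is an added example, not code from this thread: it parses Apache combined-format lines, matches the Referer host against a blocklist by host (the way the PHP snippet earlier in the thread intends, so http://www.downjigger.com/x matches downjigger.com while notdownjigger.com does not), flags that HEAD/zero-byte/"(" signature, and tallies the source IPs so they can be dropped as znx suggested from access_bad.log. It also doubles as the check for what a log-cleaning grep would remove. The sample lines are constructed after the ones posted above; the 10.0.0.7 line and the BLOCKLIST contents are assumptions for the demo.

```python
"""Referrer-spam triage over an Apache combined-format access log.

Added example, not code from this thread.  Sample log lines are
constructed after the ones posted above; the 10.0.0.7 line and the
BLOCKLIST contents are assumptions for the demo.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Domains named in the webalizer output earlier in the thread (assumed list).
BLOCKLIST = frozenset({
    "charlestyrrell-ins.com", "wgostonemantel.com", "downjigger.com",
    "datascan-inc.com", "ibelievejfk.com", "ebayslist.com",
    "studisource.com", "compbiogen.com",
})


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def referer_host(referer):
    """Lower-case host of a Referer URL; '' when absent or unparseable."""
    if not referer or referer == "-":
        return ""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return ""
    return (host or "").lower()


def host_is_blocked(host, blocklist=BLOCKLIST):
    """True if host is a blocklisted domain or a subdomain of one.
    Matching on label boundaries keeps 'notdownjigger.com' out, and is
    why comparing the raw Referer URL to 'badsite.com' never matches."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def looks_like_referer_spam(rec):
    """Signature from the log above: HEAD, nothing served, a Referer set,
    and a User-Agent with no product token (it opens with '(')."""
    return (rec["method"] == "HEAD" and rec["bytes"] == 0
            and referer_host(rec["referer"]) != ""
            and rec["agent"].startswith("("))


def triage(lines, blocklist=BLOCKLIST):
    """Return (bad_records, hits_per_source_ip, hits_per_referer_host)."""
    bad, by_ip, by_ref = [], Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = referer_host(rec["referer"])
        if host_is_blocked(host, blocklist) or looks_like_referer_spam(rec):
            bad.append(rec)
            by_ip[rec["ip"]] += 1
            by_ref[host] += 1
    return bad, by_ip, by_ref


def iptables_rules(by_ip, min_hits=3):
    """One DROP rule per source IP seen at least min_hits times: the
    'drop the IPs the referer hits come from' step, taken from the log
    rather than from the fake referer's own DNS."""
    return [f"iptables -A INPUT -s {ip} -j DROP  # {n} referer-spam hits"
            for ip, n in by_ip.most_common() if n >= min_hits]


# Constructed sample: first five modelled on the lines posted above, last one invented.
SAMPLE = """\
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://datascan-inc.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ibelievejfk.com/" "(compatible; MSIE 5.0; Windows NT)"
195.225.177.131 - - [09/Jan/2006:06:19:33 +0100] "HEAD / HTTP/1.1" 200 0 "http://ebayslist.com/" "(compatible; MSIE 5.0; Windows NT)"
85.50.66.61 - - [09/Jan/2006:06:19:56 +0100] "GET /favicon.ico HTTP/1.1" 404 10804 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"
72.232.30.46 - - [09/Jan/2006:06:20:08 +0100] "GET /forums/ssi.php?a=out&f=14&show=10&type=rss HTTP/1.0" 200 6073 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"
10.0.0.7 - - [09/Jan/2006:06:21:00 +0100] "GET / HTTP/1.1" 200 4321 "http://www.DownJigger.com/page?x=1" "Mozilla/4.0 (compatible; MSIE 6.0)"
""".splitlines()

if __name__ == "__main__":
    bad, by_ip, by_ref = triage(SAMPLE)
    for ip, n in by_ip.most_common():
        print(f"{ip:<16} {n} spam hits")
    print("\n".join(iptables_rules(by_ip)))
```

Run it against a real file with `triage(open("access_log"))`; the `min_hits` threshold keeps a single visitor who genuinely arrived from a blocklisted domain from being firewalled off along with the bot.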

---

Rev2 !

RewriteEngine on

# drop HEAD, and bad User Agents (extremely odd to start with "(" ..)
# these get their own rule: a RewriteCond without [OR] closes an OR group,
# so they cannot be chained in front of the referer conditions below
RewriteCond %{THE_REQUEST} "^HEAD" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^(" [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]

# skip if empty (ie direct.. and the majority of your traffic)
RewriteCond %{HTTP_REFERER} !^$

# all the bad guys (dots escaped so they are literal dots)
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?networkresourceservices\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?northeastmetrotec\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?reesehardin\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?vicotriajohnson\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?advertisinggems\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?clickobras\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?nativealaaskan\.net.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?downjigger\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hedcore\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?hellwithgoogle\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?isdwebstore\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?redline-entertainement\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?skateinstrutor\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?slewfootrecrods\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?syperopts\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?charlestyrrell-ins\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.*\.)?wgostonemantel\.com.*$ [NC]
# no OR in the last one

# forbid, set environment variable BAD, L means LAST rule
RewriteRule ^(.*) - [F,E=BAD:1,L]

# alter the logs.. to remove the bad guys but still log them so we can see
CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD

nasty referers be GONE!!!! ^_^

Minimal (which might do it)

RewriteEngine on
RewriteCond %{THE_REQUEST} "^HEAD" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "^(" [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]

CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD

---

Here is what I got:

CustomLog /var/log/apache/access.log common env=good
CustomLog /dev/null common env=!good

<IfModule mod_setenvif.c>
# every request starts out "good"; the lines below unset it for the spam
# (without the first line nothing would ever be logged, since env=good
# would never be set)
SetEnvIf Request_URI "." good
SetEnvIf Referer "charlestyrrell-ins\." !good
SetEnvIf Referer "networkresourceservices\." !good
SetEnvIf Referer "northeastmetrotec\." !good
SetEnvIf Referer "reesehardin\." !good
SetEnvIf Referer "vicotriajohnson\." !good
SetEnvIf Referer "advertisinggems\." !good
SetEnvIf Referer "clickobras\." !good
SetEnvIf Referer "nativealaaskan\." !good
SetEnvIf Referer "downjigger\." !good
SetEnvIf Referer "hedcore\." !good
SetEnvIf Referer "hellwithgoogle\." !good
SetEnvIf Referer "isdwebstore\." !good
SetEnvIf Referer "redline-entertainement\." !good
SetEnvIf Referer "skateinstrutor\." !good
SetEnvIf Referer "slewfootrecrods\." !good
SetEnvIf Referer "syperopts\." !good
SetEnvIf Referer "wgostonemantel\." !good
SetEnvIfNoCase User-Agent "^\(" !good
</IfModule>

Might need tweaking.

---

I don't know if this is any use to you, anyweb, but I thought it would be worth asking:

 

http://skyzyx.com/projects/blocker/

---

thanks guys

what I have done is to implement three things

1. blocked the ENTIRE netcathost C class IP range via iptables

DROP	   all  --  195.225.177.0/255.255.255.0	  anywhere

 

 

2. implemented znx's .htaccess script in the root of the webserver

 

note: in the code below znx asked me to remove the line that had HEAD in it, I still don't know why, perhaps he will explain here !

 

 

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "^(" [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]

CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD

 

3. added user/pass for the stats usage page (for now) if you want access to it contact me or znx

Still waiting to accomplish the following:-

use grep and other tools to filter out all references to the spammed URLs from my Apache access_log, referrer_log etc.

cheers

anyweb

---
1. blocked the ENTIRE netcathost C class IP range via iptables

This is probably a good thing but proxies are so easy to find these days.. nevertheless it could stop those that are just automating attacks

2. implemented znx's .htaccess script in the root of the webserver

note: in the code below znx asked me to remove the line that had HEAD in it, I still don't know why, perhaps he will explain here !

Indeed the matching of the UA should be enough, therefore there is no need to remove HEAD. The removal of HEAD wouldn't restrict normal browsers of your site in any way, but certain utilities use HEAD to confirm pages exist and even some browsers use it to assist with preloading a site, hence unless we have to I think we should try to keep HEAD active.

Also maybe I should have pointed out this is the htaccess:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "^(" [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]

This is the modification to logging (inside the httpd.conf you will already have a CustomLog line):

CustomLog /var/log/apache/access.log combined env=!BAD
CustomLog /var/log/apache/access_bad.log combined env=BAD

Unfortunately I'm not much convinced about the matching of the UA, the little test we did.. it didn't seem to 403 me.. as it should do :( We will need to experiment a wee bit more.

3. added user/pass for the stats usage page (for now) if you want access to it contact me or znx

This of course is the killer, no longer can your stats be googlefied and as such it is pointless for the spammers to spam referers anymore. Doesn't mean we don't want to purge the spammers though.

Still waiting to accomplish the following:-

use grep and other tools to filter out all references to the spammed URLs from my Apache access_log, referrer_log etc.

Shouldn't be too hard... taking the small snip from above we can clear the logs with relative ease, strip the HEAD entries and that's it... of course we should confirm that no others are getting purged.

Test the removal with:

grep -E "^195\.225\.177\..*HEAD" access_log > wouldberemoved

If all the entries in that new file are duds... then proceed with:

grep -Ev "^195\.225\.177\..*HEAD" access_log > new_access_log

As long as the referers are all of a similar style.. we should be fine.

^_^ we shall prevail .. no?

---

DOH DOH DOH ! :D

I know my error now :)

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^\( [NC]
RewriteRule ^(.*) - [F,E=BAD:1,L]

the ( is of course being picked up as part of a regex match.. so we needed to escape it :)

WOOT... so alter the htaccess.. alter the httpd.conf (CustomLog lines) and all should be well

PHEW ^_^

[PS: thanks to McDuck for the server space to test on]
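The two regex slips in this thread, the unescaped dots in (.*.)?domain.com and the bare ( in ^(, are easy to avoid by generating the conditions from a plain list and compiling every pattern before it goes anywhere near Apache (a pattern that fails to compile in a .htaccess turns the whole site into a 500, not a 403). The block below is an added example and is not znx's .htaccess: it is Python, the domain list and the ua_prefix argument are assumptions, and the patterns it emits stay within the subset that Python's re and Apache's PCRE treat identically. It also anchors the host, so wgostonemantel.com.example.org is not matched the way the original .*$ patterns would allow, and would_block() mirrors the generated rules so a list can be checked offline before deployment.

```python
"""Generate RewriteCond lines for a referer/user-agent blocklist and
self-check every pattern before it reaches Apache.

Added example, not code from the thread.  The domain list and ua_prefix
are assumptions for the demo.
"""
import re


def referer_pattern(domain):
    """Anchored pattern: Referer host is `domain` or a subdomain of it.
    re.escape() turns the dots into literal dots; the trailing group stops
    'wgostonemantel.com.example.org' from matching."""
    return r"^https?://([^/]+\.)?" + re.escape(domain) + r"(:\d+)?(/|$)"


def check_pattern(pattern):
    """Compile the pattern; raise ValueError with the reason if it is broken.
    This is the check that would have caught the bare '(' in '^('."""
    try:
        re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"bad pattern {pattern!r}: {exc}") from exc
    return pattern


def rewrite_conds(domains, ua_prefix="("):
    """Return the .htaccess lines as a list of strings.
    The user-agent test gets its own RewriteRule: a RewriteCond without
    [OR] closes an OR group, so it cannot be chained in front of the
    referer conditions."""
    ua_re = check_pattern("^" + re.escape(ua_prefix))
    lines = [
        "RewriteEngine on",
        f"# user agents whose first character is {ua_prefix!r} (escaped: literal, not a group)",
        f'RewriteCond %{{HTTP_USER_AGENT}} "{ua_re}" [NC]',
        "RewriteRule ^ - [F,E=BAD:1,L]",
    ]
    doms = sorted(domains)
    if doms:
        lines += ["",
                  "# referer spam: skip empty referers, then OR the blocklist",
                  "RewriteCond %{HTTP_REFERER} !^$"]
        for i, dom in enumerate(doms):
            flags = "[NC,OR]" if i < len(doms) - 1 else "[NC]"
            lines.append(f'RewriteCond %{{HTTP_REFERER}} "{check_pattern(referer_pattern(dom))}" {flags}')
        lines.append("RewriteRule ^ - [F,E=BAD:1,L]")
    return lines


def would_block(domains, referer="", user_agent="", ua_prefix="("):
    """Offline mirror of the generated rules: True if Apache would 403."""
    if user_agent.startswith(ua_prefix):
        return True
    if not referer:          # the !^$ condition
        return False
    return any(re.search(referer_pattern(d), referer, re.IGNORECASE) for d in domains)


if __name__ == "__main__":
    demo = ["wgostonemantel.com", "charlestyrrell-ins.com", "downjigger.com"]
    print("\n".join(rewrite_conds(demo)))
```

Paste the printed lines into the .htaccess; the CustomLog env=BAD / env=!BAD lines from the earlier posts still belong in httpd.conf, since CustomLog is not allowed in a .htaccess.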

---

so far so good

those spamming basta@ds NETCATHOST (spammers)

are blocked by iptables ! and it's working so far

here's a very interesting article on the spamming subject

cheers

anyweb

---

znx please check the usage stats

now I am being spammed by 888 casinos

in fact, every month a new spammer seems to take up the action, my rc.firewall is getting big with all these losers' IPs and having to check the stats daily to figure out what's bad from good is getting a bit annoying

any advice ?

cheers

anyweb

---
any advice ?

I will look into it.. I have a copy of your access_log and rc.firewall, will give it a look over soon .. apologies for the delay :)
