I have verified though painstaking means and lots of searching though countless log files on different sites, that each and every one of these ips have attempted to search or use formmail to spam through my server.

Usually they will search for formmail in /cgi-bin/ on my users sites and the return statis is a 404 page not found. Then they go to /cgi-sys/ and do the same thing. Now if you look up these ips on the RBL lists you will find that most of them are blacklisted with more then one RBL.

So with that said, i dont mind posting their ips in public, which i dont normally do, but if they are going to hit my system on a daily basis it serves them right.

NOTE: I found alot of these ips hitting not just one server by more then 1 that own.

200.246.46.131 <--- The worst one
216.228.192.43
64.107.124.98
200.230.113.4
62.235.237.144
218.145.25.112
209.52.50.3
203.114.169.19
12.220.37.38
194.206.1.42
62.211.58.43
211.20.131.242
208.181.21.195
210.404.41.13
64.180.138.174
207.44.218.96

-EOF

now I could have sworn when I first started using WHM that it allowed you to block certain IPs but now when I am looking for it, I cannot find it.

Any ideas?

--Tone

This looks like an ip that rackshack abuse should be made aware of, 207.44.x.x is a rackshack subnet.

Also, theres one ip that is 210.404.41.13, was that supposed to be 40?

Thanks for this most valuable info, Aussie!

yeah, forgot to thank you, i have taken steps to block them as well.

Thanks Aussie.

Thanks Aussie... I feel I going to be post alot of Thanks your way.
Shawn