The Planet Forums > Topsite Spammers

The Planet Forums > System Administration > Other

X-Istence

Aug 17 2007, 07:01 AM

I am currently getting hit hard by some top-site spammers. They use a front-end site that is pornography, and get people to view it, at the same time they included an VERY old link to a top site I used to run (almost 2 years ago), and now they are getting very active.

I am getting about 23 hits a second to a 404 page, which in no way is going to result in anything good for me, and frankly it is annoying me, since my logs look like a mess

The IP address all originate from Turk Telecom, so I am wondering how can I find out what IP space Turk Telecom was handed, so I can drop the packets at the firewall and take some stress off my HTTP server.

CODE

88.226.4.34 www.spammers-paradise.com - [17/Aug/2007:07:10:40 -0500] "GET /top/button.php?id=1108 HTTP/1.1" 404 345 "http://www.dolusex.net/can.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.110.108.6 www.spammers-paradise.com - [17/Aug/2007:07:10:40 -0500] "GET /top/button.php?id=1108 HTTP/1.1" 404 345 "http://www.dolusex.net/can.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Zango 10.0.275.0)"
88.245.243.22 www.spammers-paradise.com - [17/Aug/2007:07:10:40 -0500] "GET /top/button.php?id=1073 HTTP/1.1" 404 345 "http://www.mircsitesi.com/gokhan.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
88.230.163.33 www.spammers-paradise.com - [17/Aug/2007:07:10:40 -0500] "GET /top/button.php?id=1108 HTTP/1.1" 404 345 "http://www.dolusex.net/can.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Oh, and before anyone jumps on me because of the name of my website (http://spammers-paradise.com/), please go visit it before attempting to lynch me. That being said, I have a script currently running just adding IP's to my firewall for anyone that has a referral of dolusex.net, so if you do visit, your attempts to visit my site after wards will NOT work.

So far I have blocked 2537 IP's, in the last 20 minutes.

Bert JW Regeer

X-Istence

Aug 17 2007, 07:33 AM

CODE

[root@defiant /usr/home/xistence]# cat ipban | sort | uniq | wc -l
497230

That is the amount of unique IP addresses that have tried to hit it over the last 4 months. That is INSANE!

(497 230 / 4) / 31 = 4 009.91935

4000 hits a day.

Now, I do have a list of all the IP addies that really love porn

CODE

cat ipban | sort | uniq -c | sort
[...]
654 88.250.216.161
668 85.105.86.113
675 194.27.153.2
695 212.175.133.30
730 203.160.1.45
778 195.87.244.6
972 194.27.38.240
981 81.215.193.168
1477 193.140.142.10
2615 212.174.189.2

TMX

Aug 17 2007, 09:34 PM

Turk Telekom is a sewer. Here is every block I could find of theirs:

62.248.0.0/17
78.160.0.0/11
81.212.0.0/14
81.215.0.0/16
85.96.0.0/12
88.224.0.0/11
193.201.128.0/22
193.218.200.0/24
193.254.252.0/23
194.9.174.0/24
194.54.32.0/19
195.128.32.0/21
195.140.196.0/24
195.174.0.0/15
212.156.0.0/16
212.174.0.0/15
213.138.0.0/19

-Bob

X-Istence

Aug 18 2007, 01:20 AM

TMX,

How would I be able to find this data myself? I have been looking around RIPE and or other places and have been unable to find any information what so ever about what IP ranges are theirs.

Edit: Thanks for the ranges. Traffic dropped down nicely, and the server is able to cope better.

It makes me wonder though, did the owners of that site with all the links back to the topsites think of the bandwidth they are burning through, all the extra load they are putting on other people's resources just to be able to promote a sex site?

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.