Comment Spam Flood #3: Goodnight Russia
Ok, our friend the comment spammer has picked up the pace. Today he hit me with 217 comment spams, all in the course of an hour and a half. The comment spam all came from the IP:
Let's do a little bit of investigating of this.
We have several pieces of information to work with.
These three pieces of information tell us a lot about our spammer.
First, the IP address begins with '62.33.x.x'. This IP range is assigned to the country of Russia. Looking further tells us that '62.33.12.x' is owned by the domain 'pskov.ru'. The DNS name confirms this. This is actually the third IP address in the 62.33.12.x IP range that I've received spam from.
Second, we see the DNS name. The first part, 'dialup-24', tells us that our spammer is connecting to the Internet through a dialup connection. In other words, our spammer is spamming the world using a 56K modem! In the DNS name, we also see 'pskov.ru', which is the domain he is connecting from. This is no doubt the name of his dialup Internet provider. This again is confirmed by looking up the information on the IP.
Third, we see the User Agent. The User Agent is the program that he used to send the comment spam. From the User Agent recorded in my server logs, we see that this guy is sending the comment spams using Internet Explorer 6.0 (IE6.0) on Windows XP (Windows NT 5.1). This is unusual. Most 'professional' spammers use scripts to send the spams automatically in large batches. This User Agent tells us that our spammer is entering his spams manually, one by one! This guy wasted an hour and a half manually spamming my web site using Internet Explorer!
The fact that this is the third IP I've received spam from via the same Internet provider in Russia, and that our spammer is dialing into the Internet, leads me to believe that all three of these IP addresses are the same spammer. Since he's on dialup, his ISP likely assigns him an IP address using DHCP. This means that he could get a different IP every time he dials into the Internet. I had banned the last two IP addresses individually. Since it seems to be a pattern with this guy, I decided to ban the entire '62.33.12.x' IP range (his entire ISP, or at least a good chunk of it).
If you are running Apache as your web server, you ban IP addresses by adding some lines to a file named '.htaccess' (note the period as the first character). This file contains various directives that tell Apache how to serve your web site. Here is the code you would put in to ban this IP range:
Note how there are only 3 numbers listed on that 'deny from' line? That means ban all IPs that start with those 3 numbers. This will ban 62.33.12.0 through 62.33.12.255. If you want to ban individual IP addresses, just add another 'deny from' line with the IP address you want. You can have as many 'deny from' lines as you want. Make sure you put all these 'deny from' lines between the 'order allow,deny' line and the 'allow from all' line.
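As an added example (not the post's own code), here is a small Python script that does the log triage described above over constructed Apache access-log lines: it groups comment POSTs by source IP, computes the gaps between a source's comments, and emits the 'order allow,deny' / 'deny from' / 'allow from all' stanza for each offender's three-octet range. The comment handler path /comment.php, the sample addresses and the flood threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not the author's real logs).
SAMPLE_LOG = """\
62.33.12.24 - - [31/Mar/2008:09:00:01 -0500] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
62.33.12.24 - - [31/Mar/2008:09:00:25 -0500] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
62.33.12.24 - - [31/Mar/2008:09:01:03 -0500] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.8 - - [31/Mar/2008:09:01:10 -0500] "GET /index.php HTTP/1.1" 200 9034 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0"
62.33.12.57 - - [31/Mar/2008:10:15:40 -0500] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.8 - - [31/Mar/2008:10:16:02 -0500] "POST /comment.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0"
"""

# ip, timestamp, method, path, user agent (referer is skipped).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')

def parse_log(text):
    """Yield (ip, datetime, method, path, user_agent) for each parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, ua = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, ua

def comment_posts(text, path="/comment.php"):
    """Group POSTs to the comment handler by source IP: {ip: [(timestamp, user_agent), ...]}."""
    posts = defaultdict(list)
    for ip, ts, method, p, ua in parse_log(text):
        if method == "POST" and p == path:
            posts[ip].append((ts, ua))
    return dict(posts)

def flood_sources(text, threshold=3):
    """IPs that posted at least `threshold` comments (assumed threshold; the post saw 217)."""
    return sorted(ip for ip, p in comment_posts(text).items() if len(p) >= threshold)

def intervals(posts):
    """Seconds between consecutive comments from one IP. Very tight, regular gaps point to
    automation; as the replies below note, a bot can add delays and spoof its User-Agent."""
    times = sorted(ts for ts, _ in posts)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def htaccess_block(ips):
    """Emit the Apache 2.2-style stanza from the post, banning each offender's first three
    octets with the short 'deny from 62.33.12' form."""
    ranges = sorted({".".join(ip.split(".")[:3]) for ip in ips})
    return "\n".join(["order allow,deny"] + [f"deny from {r}" for r in ranges] + ["allow from all"])

if __name__ == "__main__":
    print(htaccess_block(flood_sources(SAMPLE_LOG)))
```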
One less spammer harassing me.
Quote: "This User Agent tells us that our spammer is entering his spams manually, one by one!"
Oh please! Maybe it also means that you lack a small piece of information? For example that most (spammers/browsers/scrapers/) software can set the "user agent" string to whatever they like?
Spammers just use these user agents, because they are in common use today, so you won't be able to block them on the "user agent string" without blocking some legitimate users too.
03/31/08 @ 10:00
I am aware that the referer can be faked; however, based on the relatively small number of comments and the long period of time between each comment, I doubt this was done using some kind of script. If they'd been using a script, the comments would have been very close together timewise.
Irregardless, I blocked the IP range so they won't be bothering me again.
Also, I welcome constructive criticism, but your attitude in this comment was very condescending. I don't appreciate being insulted. If you want to present an alternate analysis, by all means do so. I'll happily post it and consider it, but be polite about it.
04/03/08 @ 22:14
C'mon! This is definitely a bot! Default features in contemporary bots are not only custom user agents and time delays for posting and so on. Further, the guy certainly used an unsecured proxy, which means there's a 90% chance he isn't Russian at all...
(BTW: no intent to stand up for the Russians, I found this site while I was looking for a range of Russian IPs I can ban on my sites....)
11/17/08 @ 10:47
Copyright © 2005 - 2013, Rick Ekle
Comments? Contact me at firstname.lastname@example.org or visit me on Twitter at @rekle