Ok, our friend the comment spammer has picked up the pace. Today he hit me with 217 comment spams, all in the course of an hour and a half. The comment spam all came from the IP:
Let's do a little bit of investigating of this.
We have several pieces of information to work with.
- The IP address used to post the comment spam: 18.104.22.168
- The DNS name of that IP address: dialup-24.pskov.ru
- The User Agent used to send these comment spams (found in my server logs): "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
These three pieces of information tell us a lot about our spammer.
First the IP address begins with '62.33.x.x'. This IP range is assigned to the country of Russia. Looking farther tells us that '62.33.12.x' is owned by domain 'pskov.ru'. The DNS name confirms this. This is actually the third IP address in the 62.33.12.x IP range that I've received spam from.
econd, we see the DNS name. The first part 'dialup-24' tells us that our spammer is connecting to the Internet through a dialup connection. In other words, our spammer is spamming the world using a 56K modem! In the DNS name, we also see 'pskov.ru', which is the domain he is connecting from. This is no doubt the name of his dialup Internet provider. This again is confirmed by looking up the information on the IP.
Third, we see the User Agent. The User Agent is the program that he used to send the comment spam. From the User Agent recording in my server logs, we see that this guy is sending the comment spams using Internet Explorer 6.0 (IE6.0) on Windows XP (Windows NT 5.1). This is unusual. Most 'professional' spammers use scripts to send the spams automatically in large batches. This User Agent tells us that our spammer is entering his spams manually, one by one! This guy wasted an hour and a half manually spamming my web site using Internet Explorer!
Based on the fact that this is the third IP that I've received from the same Internet provider in Russia, and that our spammer is dialing into the Internet leads me to believe that all three of these IP addresses are the same spammer. Since he's on dialup, that means that his ISP likely provides him an IP address using DHCP. This means that he could get a different IP every time he dials into the Internet. I had banned the last two IP addresses individually. Since it seems to be a pattern with this guy, I decided to ban the entire '62.33.12.x' IP range (his entire ISP, or at least a good chunk of it).
If you are running Apache as your web server, you ban IP addresses by adding some lines to a file named '.htaccess' (note the period as the first chracter). This file contains various commands to Apache on how to run your web site. Here is the code you would put in to ban this IP range:
deny from 62.33.12
allow from all
Note how there are only 3 numbers listed on that 'deny from' line? That means ban all IPs that start with those 3 numbers. This will ban 22.214.171.124 through 126.96.36.199. If you want to ban individual IP addresses, just add another 'deny from' line with the IP address you want. You can have as many 'deny from' lines as you want. Make sure you put all these 'deny from' lines between th e'order allow,deny' line and the 'allow from all'.
One less spammer harrassing me.