Chieftain
Tue 21st Oct '08, 10:06pm
http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1224564910237820.xml&coll=7
That's a link to an excellent article from this morning's Portland Oregonian, and some information about the ongoing war against bots and botnets.
I put up an article earlier this month at my small website about banning certain e-mail addresses here because of the assault the website has been under since the 1st of October. That assault has not slowed, although we are effectively protecting the site by banning entire blocks of IP addresses. Let me explain...
We had someone sign up here using a cute username and a gmail.com e-mail address (xXxBarbieGirlxXx you know the type...). I ran the IP for this User, and here's what I got back...
Quote:
IP: 78.157.143.204
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 78.0.0.0 - 78.255.255.255
CIDR: 78.0.0.0/8
NetName: 78-RIPE
NetHandle: NET-78-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
The RIPE Network is one of the most notorious EU spamming networks around. Notice the range of possible IP Addresses that RIPE has assigned to this particular spammer:
NetRange: 78.0.0.0 - 78.255.255.255
That means this particular spammer has access to every single IP address within that Range, courtesy of the RIPE Network. He can take those IP addresses and mount one hell of a spam campaign that is difficult to stop without the proper tools. Using the newest and most up-to-date version of vBulletin, we can (and do) ban the entire RIPE IP NetRange by banning 78.*.*.* in the Admin CP under "User Banning Options". That means any IP address that begins with 78 is simply not allowed access to the site.
In the past, we would ban that spammer, and he would come right back with a new IP in that range and just sign up again.
Over this past weekend I had a troll sign up here, and when I ran his IP Address, it came back as belonging to a small electrical contractor somewhere in the US. Someone had obviously hacked into their machine, and was using it to peddle knock-off pharmaceuticals (Viva Viagra, of course...) on other sites. I knew it was a troll immediately, because real Clarkblog.org users don't use the "USViagraNet .com" as their e-mail address.
In addition we have had to take the extraordinary step of banning specific e-mail providers because they make it far too easy for spammers to get a supposedly "valid" email address. Just for informational and conversational purposes, here is a list of e-mail addresses that are not valid for signups at my website, as I have them listed in the Admin CP Banning Options, because they have been repeatedly used by spammers to gain access to the site.
*@ru
*@gmail.com
*@mail.ru
.ru
gmail.com
mail.ru
xmail.com
@xmail.com
@email.com
email.com
*.email.com
gawab.com
*@gawab.co@tmail.com
tmail.com
tmail
*@tmail.org
tmail.org
*@hotmail.org
hotmail.org
@fensite.net
fensite.net
@viagrabe.com
@email.org
email.org
@e-mail.org
e-mail.org
@gmail.net
@e-mail.com
e-mail.com
@rambler.ru
@e-mail.net
e-mail.net
@xmail.net
xmail.net
x-mail.net
xmail.com
x-mail.com
@gmail.org
gmail.org
@g-mail.org
g-mail.org
@list.ru
list.ru
@inbox.ru
inbox.ru
in-box.ru
email.net
@xmail.org
xmail.org
@x-mail.org
x-mail.org
luckymail.com
mail.com
mail.org
mail.net
@yahoo.co.uk
@usviagra.net
usviagra.net
viagra.net
viagranet.com
viagranet.net
As you can see, we've been busy taking out the trash here at Clarkblog.org. On Sunday alone I had nine trolls sign up here wanting to peddle who knows what.
I ban their IP, their e-mail address, and completely delete them from the system, and I do it fast enough that most of their clever little usernames never show up on the front page as a new member. That way the next time they sleaze back in here, all they get is a notice that they cannot view this site. They can still come to our home page, but they get no further than that.
My real members are signing up with Comcast e-mail addresses or other services that are easily ID'd as local. All new members require Admin approval and they get a fast anal exam via:
http://www.networksolutions.com/whois/index.jsp
And you should see my ever-growing IP ban list... I never thought it would come to this, but there simply isn't any other choice than to use surgical IP banning as a troll preventer. These idiots generate so many hits all by themselves it renders my stats almost meaningless...
Anyway, back on topic, this article is a great explanation about how to effectively protect your computer from being hijacked, as well as the ongoing law enforcement efforts to control this scourge. I don't know about your site, but my Stats tell me that a significant number of these people come in by searching on the word "vBulletin".
I'm interested in hearing from any other webmasters running current vBulletin blogs, forums, websites, or whatever; and hearing if anyone else has been inundated this month by RIPE, Asian, and Latin American Network trolls, and what other control measures anyone suggests that I haven't covered.
RIPE has been a thorn in my side since I stood up my site almost 3 years ago, but they have been particularly aggressive this month...
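An added example, not part of the original post: it expands a wildcard ban such as 78.*.*.* into its CIDR block, counts the addresses the ban covers, and reads the quoted whois record for the server that holds the more specific registration. The function names are hypothetical, and the trailing-wildcard semantics are assumed from the post's description ("any IP address that begins with 78").

```python
import ipaddress

# Fields copied from the whois record quoted in the post.
WHOIS_TEXT = """\
OrgName: RIPE Network Coordination Centre
ReferralServer: whois://whois.ripe.net:43
NetRange: 78.0.0.0 - 78.255.255.255
CIDR: 78.0.0.0/8
NetName: 78-RIPE
NetType: Allocated to RIPE NCC
"""

def parse_whois(text):
    """Turn 'Key: value' lines into a dict (split on the first colon only)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def wildcard_to_network(pattern):
    """Convert a trailing-wildcard ban like '78.*.*.*' into a CIDR network."""
    octets = pattern.split(".")
    fixed = [o for o in octets if o != "*"]
    # Only trailing wildcards map cleanly onto a single CIDR prefix.
    if len(octets) != 4 or octets[:len(fixed)] != fixed:
        raise ValueError(f"unsupported ban pattern: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def assess_ban(pattern, whois_fields, client_ip):
    """Summarise what a wildcard ban covers, using the whois record as context."""
    net = wildcard_to_network(pattern)
    referral = whois_fields.get("ReferralServer", "")
    return {
        "cidr": str(net),
        "addresses_blocked": net.num_addresses,
        "client_blocked": ipaddress.ip_address(client_ip) in net,
        # True when the ban is exactly as wide as the block in the record.
        "matches_whois_block": str(net) == whois_fields.get("CIDR"),
        # Server to query next for the more specific registration, if any.
        "follow_up_server": referral.split("://", 1)[-1] or None,
    }

if __name__ == "__main__":
    print(assess_ban("78.*.*.*", parse_whois(WHOIS_TEXT), "78.157.143.204"))
```
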