#1 2007-12-10 2:26 pm

susato
Member
Registered: 2007-12-01
Posts: 18

Spammy IP Addresses: Latest top offenders

Top offenders 10 November - 10 December.

I pulled the list on the front page into Excel and sorted the IP addresses.  Here are IP addresses (the first two octets) cited 5 or more times on Russ's front page list of 556 spammers.

124.104.*.*    5 instances
195.2.*.*        8 instances
195.229.*.*    6 instances
200.226.134.53  (all the same)  12 instances
209.62.13.*  18 instances
210.22.158.132   5 instances
212.150.97.114    7 instances
61.61.132.129     7 instances
67.19.251.226   15 instances
70.84.55.*    8 instances
72.232.7.242    10 instances
74.52.3.*  6 instances   
85.140.*.*  6 instances
85.21.125.100   11 instances
85.255.120.*   6 instances
87.118.*.*     39 instances - nearly 8% of the total!
87.236.29.207   5 instances
89.149.*.*   9 instances
89.208.*.*  5 instances
91.76.*.*    7 instances

Together these amount to 195 instances of spamming or about 35% of the total reported.

You may decide to ban some or all of these -- When I ban IP ranges or domains, I add them in numerical or alphabetical order to the banlist so that I know which ones have already been added.  This strategy also makes it easier to see clusters.

Last edited by susato (2007-12-26 4:35 pm)

#2 2007-12-26 4:34 pm

susato
Member
Registered: 2007-12-01
Posts: 18

Re: Spammy IP Addresses: Latest top offenders

IP addresses worth banning: 11 December 2007 - 25 Dec. 2007

385 reports logged; 322 of them unique combinations of IP address, username and email.

Here are IP address blocks with highest number of unique hits, in order of frequency.  The number of hits is given for the IP block consisting of the first two octets, e.g. 87.118.*.*.

Hits on Block    Representative IP Address

11       87.118.106.4
8       74.52.217.218
8       85.114.133.77
7       209.62.13.147
7       61.61.132.129
7       67.19.251.227
7       84.108.213.215
7       85.18.120.100
6       195.2.114.1
6       195.229.242.57
6       67.165.199.76
5       218.58.136.4
5       71.83.130.152
5       72.36.134.242
5       77.50.7.167
5       85.141.193.61

And sorted by IP address:

7    61.61.132.129
6    67.165.199.76
7    67.19.251.227
5    71.83.130.152
5    72.36.134.242
8    74.52.217.218
5    77.50.7.167
7    84.108.213.215
8    85.114.133.77
5    85.141.193.61
7    85.18.120.100
11    87.118.106.4
6    195.2.114.1
6    195.229.242.57
7    209.62.13.147
5    218.58.136.4

Together these amount to 105 independent reports or 32.6% of the reports received.

"Repeat offender" IP ranges:

61.61.132.129   at kgex.com.tw
67.19.251.226 and 227  at theplanet.com in Dallas, TX, USA
74.52.*
87.118.*.* again the largest source, all from keyweb.de in Berlin, Germany
195.2.*.*
195.229.*.*
209.62.13.*

#3 2008-01-11 4:29 pm

susato
Member
Registered: 2007-12-01
Posts: 18

Re: Spammy IP Addresses: Latest top offenders

Spammy IP addresses for 12/26/07 - 1/10/08.  Please excuse the quirks in formatting.

I recommend blocking the individual IP addresses and occasionally the /24 blocks. A "/24 block" is xxx.yyy.zzz.*; a "/16" is xxx.yyy.*.* 

These will be listed first by individual IP addresses, then /24's not already covered by individual IP's, and then /16's.
I'm not listing by e.g. /18's because many forum admin control panels only allow you to use wildcard *'s instead of blocking by octal IP ranges.

Problem IP addresses, 12/26/07-1/10/08, by number of hits

IP Address           Hits
193.230.232.111    9
218.57.11.112       9
72.36.155.146       8
195.2.114.31         7   repeat offender
71.83.130.152       7   repeat offender
62.96.106.202       6
67.19.251.228       5   repeat offender

Problem IP addresses, 12/26/07-1/10/08, in numerical order

IP Address         Hits
62.96.106.202       6
67.19.251.228       5   repeat offender
71.83.130.152       7   repeat offender
72.36.155.146       8
193.230.232.111     9
195.2.114.31          7   repeat offender
218.57.11.112       9

/24 blocks with >4 hits, 12/26/07-1/10/08, by number of hits

Not including those where all hits were on a single IP address.

/24 block      /Hits    Comments   
195.2.114        9        7 of 9 one IP address 195.2.114.31
85.255.120      6        Throughout the /24 block. (85.255.112.0 - 85.255.127.255 belong to ukrtelegroup.com.ua)
72.232.7          6        Throughout block (72.232.*.* belongs to layeredtech.com)

/16 blocks with >4 hits, 12/26/07-1/10/08

Not including cases covered above as individual IP's or /24 blocks.

/16 block    /Hits   
195.2        9        7 of 9 from 195.2.114.31, don't block them all
87.118        17        see note below.
85.140        6        see note below
72.36        10        8 out of 10 from 72.36.155.146, don't block them all
67.19        6        5 of 6 one address, don't block them all


Concerning the 85.140.*.* block, the entire range belongs to mtu.ru.  I may recommend blocking all in future - but as we had only 6 spams from over 16 million IP addresses, blocking the whole range seems like overkill for now.

Concerning the 87.118 /16 block, we get a LOT of unique spam hits from there, and many of them are multiply reported, which indicates that each spammy registration is being perpetrated on a wide range of forums or is being repeated.  Most if not all offenders in this address range are from keyweb.de, a free email provider, and from Eastern European ISPs.  However the block also includes many legitimate ISP's from northwestern Europe (.nl, .be etc) which should not be blocked. In this IP range, I recommend blocking only the following /24's from which forum spam has actually been logged.

87.118.98.*
87.118.106.*
87.118.108.*
87.118.109.*
87.118.110.*
87.118.112.*
87.118.114.*
87.118.116.*
87.118.118.*
87.118.120.*

Summary of last 15 days' repeat offenders

61.61.132.129          completely absent this time, has kgex cleaned up? :woot:
67.19.251.226 and 227         at theplanet.com in Dallas, TX, USA still problematic
74.52.*         took a vacation from 12/21 through 1/7 but back now.
       74.52.0.0 - 74.54.255.255 belongs to theplanet.com in Dallas, TX.
87.118.*.*        again the largest source, but don't block the whole thing, see above.
195.2.*.*        repeat offender again, 7 of 9 are from 195.2.114.31. 
       195.2.114.0 - 195.2.114.31 belongs to a wireless service provider in Latvia, microlink.lv. 
195.229.*.*         only 3 spams this time, all from 195.229.242.57, who was on vacation 12/26 - 1/7 and started up again 1/8/08.   
       195.229.240.0 - 195.229.255.255 belongs to emirates.net.ae 
209.62.13.*         completely absent this time - has ev1servers.net cleaned up?  :woot:

When you get spam from a repeat offender source, consider reporting it to the ISP's abuse department, abuse@ the domains listed in the note.  BE POLITE, good abuse admins are our allies, and help them learn how to confirm instances of forum spam through search engine searches and Russ's terrific database right here.

See you all in 2 weeks with the next report.

Last edited by susato (2008-01-12 9:12 pm)

#4 2008-01-27 8:12 pm

susato
Member
Registered: 2007-12-01
Posts: 18

Re: Spammy IP Addresses: Latest top offenders

Spammy IP addresses for 1/11/08 - 1/25/08.  Please excuse any formatting glitches.

I recommend blocking the individual IP addresses "/32's" and sometimes the /24 blocks (xxx.yyy.zzz.*), but never the /16's (xxx.yyy.*.*) 

683 unique spammy registration attempts were reported during this time period, plus 48 additional replicates.

Problem IP's by number of unique hits:

Hits    IP address
14    72.36.155.146
14    85.255.120.182
13    85.255.120.174
12    70.84.197.162
10    195.2.114.31
9    70.84.2.226
9    85.12.46.92
9    89.149.253.61
9    85.255.120.165
8    67.205.68.203
8    85.255.120.158
7    70.86.131.58
7    84.47.171.42
6    61.136.63.125
6    66.199.231.218
6    75.125.114.146
6    84.16.224.112
5    61.61.132.129
5    70.86.143.178
5    72.36.210.186
5    202.84.17.42
5    208.74.175.160

Problem IP's in numerical order, with whois info: 

#    IP
5    61.61.132.129    KGEx.com in Taiwan.
6    61.136.63.125    Tianjin Province Network, China:  ywb.online.tj.cn
6    66.199.231.218    AccessIT - Hosting Services in New York, NY, ezzi.net
8    67.205.68.203    IWEB-HOSTING.COM (iweb.ca) in Montreal, CA
9    70.84.2.226        THEPLANET.COM in Dallas, TX, US
12    70.84.197.162    THEPLANET.COM in Dallas, TX, US
7    70.86.131.58        THEPLANET.COM in Dallas, TX, US
5    70.86.143.178    THEPLANET.COM in Dallas, TX, US
14    72.36.155.146    layeredtech.com in New York City, US
5    72.36.210.186    layeredtech.com in New York City, US
6    75.125.114.146    Everyone's Internet, ev1servers.net in Houston, TX, US
6    84.16.224.112    netdirect-net in Germany, netdirekt.de
7    84.47.171.42        the /24 is MNEVNIKI-NET3 in Moscow, mnevniki.ru
9    85.12.46.92        euroaccess.nl
8    85.255.120.158    ukrtelegroup.com.ua in Ukraine
9    85.255.120.165    ukrtelegroup.com.ua in Ukraine
13    85.255.120.174    ukrtelegroup.com.ua in Ukraine
14    85.255.120.182    ukrtelegroup.com.ua in Ukraine
9    89.149.253.61    netdirect-net in Germany, netdirekt.de
10    195.2.114.31        Microlink Latvia, microlink.lv
5    202.84.17.42        China Internet Corporation, hk.china.com

Spammy /24 blocks, read below before deciding to block:

Hits     /24 Block
49    85.255.120.*
12    85.12.46.*
4    90.156.169.*

85.255.112.0 - 85.255.127.255 belong to ukrtelegroup.com.ua, All spams in the 85.225.120.* block  came from .158, .165, .174, .182, .218 and .219
85.12.46.0 - 85.12.46.127 belong to euroaccess.nl, but all the spams came from .89 and .92
90.156.168.0 - 90.156.175.255 belongs to maxhosting.ru, but with only 4 spams from the /24, I don't recommend banning the whole block.

/16 Blocks: FYI only, don't ban the whole block!
Hits    /16 Block
22    72.36.*.*
13    75.125.*.*
13    87.118.*.*

Concerning the 72.36 /16 block:  all spams came from only 3 IP addresses,
  72.36.155.146 (14 spams), 72.36.210.186 (5) and 72.36.246.52 (3).
Concerning the 75.125 block: all spams came from only 3 IP addresses,
   75.125.114.126 (6 spams) , 75.125.97.128 (4 spams), and 75.125.0.130 (3 spams).
Concerning the 87.118 block, spam from these addresses is way down since the last report.  Nearly all the spambots logged came from the following /24 blocks, which I recommend banning:
87.118.98.*
87.118.106.*
87.118.118.*

Among the 683 unique spams, the top email domains linked with them were:
152    gmail.com
47    gmx.com  (nearly all associated with spams from the 85.255.120.* block)
39    mail.ru
31    yahoo.co.uk
13    mymail-in.net and mymail-in.com
2    gawab.com

Clearly we are all getting better at blocking the obvious forum spam sources, like gawab.com and mail.ru.  When they're blocked, we don't see the spams so only the newest members, and honeypots, are reporting them here.
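
The triage the reports above do by hand (ban a single address when it dominates its /24, ban the /24 wildcard when hits are spread throughout it, list /16s for information only), as an added Python example that is not part of the original posts. The 5-hit threshold comes from the thread; the 0.5 dominance ratio, the function names and the RFC 5737 sample addresses are assumptions.

```python
from collections import Counter
from ipaddress import IPv4Address

def wildcard(ip, octets):
    """Keep the first `octets` octets and wildcard the rest (banlist style)."""
    parts = ip.split(".")
    return ".".join(parts[:octets] + ["*"] * (4 - octets))

def sort_key(entry):
    """Numerical rather than alphabetical order; '*' sorts as 0."""
    return tuple(0 if p == "*" else int(p) for p in entry.split("."))

def recommend(reports, min_hits=5, dominance=0.5):
    """Return (sorted banlist entries, {/16 block: hits} for information only)."""
    unique = set(reports)                     # replicate reports count once
    # IPv4Address raises ValueError on malformed input before it reaches a banlist.
    per_ip = Counter(str(IPv4Address(ip)) for ip, _user, _email in unique)
    per_24, per_16, top_in_24 = Counter(), Counter(), Counter()
    for ip, n in per_ip.items():
        block = wildcard(ip, 3)
        per_24[block] += n
        per_16[wildcard(ip, 2)] += n
        top_in_24[block] = max(top_in_24[block], n)
    ban = {ip for ip, n in per_ip.items() if n >= min_hits}
    for block, total in per_24.items():
        # Ban the /24 only when hits are spread throughout it (assumed ratio).
        if total >= min_hits and top_in_24[block] / total < dominance:
            ban = {e for e in ban if wildcard(e, 3) != block} | {block}
    fyi_16 = {b: n for b, n in per_16.items() if n >= min_hits}
    return sorted(ban, key=sort_key), fyi_16

def sample_reports():
    """Constructed (ip, username, email) reports using documentation addresses."""
    rows = [("198.51.100.31", 7), ("198.51.100.40", 2), ("192.0.2.5", 3)]
    rows += [(f"203.0.113.{h}", 2) for h in (10, 20, 30, 40)]
    reports = [(ip, f"user{i}", f"user{i}@example.com")
               for ip, n in rows for i in range(n)]
    return reports + reports[:4]              # replicates of earlier reports

if __name__ == "__main__":
    ban, fyi = recommend(sample_reports())
    print("ban:", ban)
    print("/16 FYI only:", fyi)
```

In the sample, the block where 7 of 9 hits come from one address yields a single-address ban, while the block with hits spread over four addresses yields a /24 wildcard.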
