Notice of ban

Crawling through my server logs, I've banned the following IPs:

  • 220.181.33.225 - rude bot from China, stupid enough to pump the same .WAV files, like, every day, sucking more than 2GB of bandwidth in just a couple hundred hits (for two files that never changed!)
  • 60.28.252.77 - same as above
  • 69.31.1.154 aka fuse4.mailanyone.net - don't know what it is nor who is behind it (they use DomainsByProxy to hide their whois info), but it's generating a hell of a lot of errors: 13,209 for 82,307 hits in just 48 visits. I don't like that
  • 213.251.180.34 aka seri.lmsa.biz because 1) no info (lmsa.biz redirects you to www.google.fr), 2) it's rude, spawning requests every second, 3) requesting the same URL like 10 times in one second! sucking about 10 times more bandwidth than normal search engine bots

I've also noticed a pattern of errors with malformed GET requests, all containing the following string: "gping="/GLinkPing.aspx". I'm not banning it because it's infrequent, but I don't like it and cannot find any useful information about it (except one pointer to Gravee).

If you run one of the mentioned bots and feel that I'm over-reacting, please drop me a note with explanations.
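
The three signals behind the bans above (error ratio, the same URL requested many times within one second, and total bandwidth) can be pulled out of an access log mechanically. The following is an added example, not the author's own tooling; it assumes Apache combined log format, and the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: ip ident user [time] "METHOD url proto" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) (\d+|-)')

def summarize(lines):
    """Per client: hits, 4xx/5xx count, bytes sent, worst same-URL count within one second."""
    stats = defaultdict(lambda: {"hits": 0, "errors": 0, "bytes": 0, "burst": 0})
    per_second = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable lines (e.g. malformed requests) are skipped
        ip, when, url, status, size = m.groups()
        s = stats[ip]
        s["hits"] += 1
        s["errors"] += status[0] in "45"
        s["bytes"] += 0 if size == "-" else int(size)
        per_second[ip, when, url] += 1
        s["burst"] = max(s["burst"], per_second[ip, when, url])
    return dict(stats)

def suspects(stats, max_error_ratio=0.10, max_burst=5, max_bytes=40_000):
    """Map client -> reasons; all three thresholds are assumptions to tune per site."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["errors"] / s["hits"] > max_error_ratio:
            reasons.append("error-ratio")
        if s["burst"] > max_burst:
            reasons.append("same-url-burst")
        if s["bytes"] > max_bytes:
            reasons.append("bandwidth")
        if reasons:
            flagged[ip] = reasons
    return flagged

def sample_log():
    """Constructed log lines using documentation-range addresses."""
    fmt = '{} - - [01/Jan/2000:12:00:{:02d} +0000] "GET {} HTTP/1.1" {} {} "-" "bot"'
    lines = [fmt.format("203.0.113.5", 1, "/a.wav", 200, 5000) for _ in range(10)]
    lines += [fmt.format("198.51.100.7", i, f"/x{i}", 404 if i % 2 else 200, 300) for i in range(20)]
    lines += [fmt.format("192.0.2.10", i, f"/p{i}", 200, 2000) for i in range(5)]
    return lines

if __name__ == "__main__":
    for ip, why in suspects(summarize(sample_log())).items():
        print(ip, ", ".join(why))
```
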

If you're interested in how I ban various offenders from my site, here are the rules I have placed in my .htaccess file, leaving Apache to do the work (also my host runs mod_security in front of it):

RewriteEngine On
RewriteBase /
# User-Agents with no privileges (mostly spambots/spybots/offline downloaders that ignore robots.txt)
# see http://diveintomark.org/archives/2003/02/26/how_to_block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell
RewriteCond %{REMOTE_ADDR} ^220\.181\.33\.225 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^60\.28\.252\.77 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^69\.31\.1\.154 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^24\.86\.103\.176 [OR] #spammer
RewriteCond %{REMOTE_ADDR} ^81\.95\.146\.162 [OR] #spammer
RewriteCond %{REMOTE_ADDR} ^193\.252\.177\.186 [OR] #spammer
RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$" [OR] # Cyveillance spybot
RewriteCond %{REMOTE_ADDR} ^12\.148\.196\.(12[8-9]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])$ [OR] # NameProtect spybot
RewriteCond %{REMOTE_ADDR} ^12\.148\.209\.(19[2-9]|2[0-4][0-9]|25[0-5])$ [OR] # NameProtect spybot
RewriteCond %{REMOTE_ADDR} ^64\.140\.49\.6([6-9])$ [OR] # Turnitin spybot
RewriteCond %{HTTP_REFERER} iaea\.org [OR] # spambot
RewriteCond %{HTTP_REFERER} neopets\.com [OR] # referrer spam
RewriteCond %{HTTP_REFERER} spampoison\.com [OR] # looks exactly like a spambot
RewriteCond %{HTTP_REFERER} riaa\.com [OR] # some bot
RewriteCond %{HTTP_REFERER} cxa\.de [OR] # porn site
RewriteCond %{HTTP_REFERER} filthserver\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} wastedpartygirls\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} amateurxpass\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} mature--young\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} bloglisting\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} nudecelebblogs\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} sexrabbit\.de [OR] # porn site
RewriteCond %{HTTP_REFERER} busty2\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} adult-models\.biz [OR] # porn site
RewriteCond %{HTTP_REFERER} freenudecelebrity\.net [OR] # porn site
RewriteCond %{HTTP_REFERER} limolimo\.net [OR] # dont know
RewriteCond %{HTTP_REFERER} shatteredreality\.net [OR] # spammer site
RewriteCond %{HTTP_USER_AGENT} ^[A-Z]+$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} anarchie [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} cherry.?picker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "compatible ; MSIE 6.0" [OR] # spambot (note extra space before semicolon)
RewriteCond %{HTTP_USER_AGENT} crescent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d+" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} "DTS Agent" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^Download" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} EasyDL/\d\.\d+ [OR] # OD
RewriteCond %{HTTP_USER_AGENT} e?mail.?(collector|magnet|reaper|siphon|sweeper|harvest|collect|wolf) [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} express [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} extractor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "Fetch API Request" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} flashget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} FlickBot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} FrontPage [OR] # stupid user trying to edit my site
RewriteCond %{HTTP_USER_AGENT} getright [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} go.?zilla [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "efp@gmx\.net" [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} grabber [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} imagefetch [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} httrack [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "^Internet Explore" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ^IE\ \d\.\d\ Compatible.*Browser$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "LINKS ARoMATIZED" [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "mister pix" [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/4.0$" [OR] # dumb bot
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/\?\?$" [OR] # formmail attacker
RewriteCond %{HTTP_USER_AGENT} MSIECrawler [OR] # IE's "make available offline" mode
RewriteCond %{HTTP_USER_AGENT} ^NG [OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} offline [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} net.?(ants|mechanic|spider|vampire|zip) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} nicerspro [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ninja [NC,OR] # Download Ninja OD
RewriteCond %{HTTP_USER_AGENT} NPBot [OR] # NameProtect spybot
RewriteCond %{HTTP_USER_AGENT} PersonaPilot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} snagger [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} Sqworm [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} SurveyBot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} tele(port|soft) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} TurnitinBot [OR] # Turnitin spybot
RewriteCond %{HTTP_USER_AGENT} web.?(auto|bandit|collector|copier|devil|downloader|fetch|hook|mole|miner|mirror|reaper|sauger|sucker|site|snake|stripper|weasel|zip) [NC,OR] # ODs
RewriteCond %{HTTP_USER_AGENT} vayala [OR] # dumb bot, doesn't know how to follow links, generates lots of 404s
RewriteCond %{HTTP_USER_AGENT} zeus [NC,OR]
# Below are filtered requests (mostly virus and other security holes sniffers)
RewriteCond %{REQUEST_URI} formmail [NC,OR]
RewriteCond %{REQUEST_URI} _vti_bin [NC,OR]
RewriteCond %{REQUEST_URI} MSOffice [OR]
RewriteCond %{REQUEST_URI} mail.?(pl|cgi) [NC]
RewriteRule .* - [F,L]
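
Before deploying a list like this, it helps to replay known requests through it and see which condition each one trips, so that over-broad patterns show up before real visitors get a 403. The following is an added example, not part of the original post: it parses RewriteCond lines copied from the rules above and evaluates them with Python's `re` as a stand-in for mod_rewrite's regex engine (an assumption that holds for these simple patterns); the function names and test requests are constructed.

```python
import re

# Conditions copied verbatim from the rule set above; paste the whole file to check all of it.
RULES = r'''
RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$" [OR] # Cyveillance spybot
RewriteCond %{HTTP_USER_AGENT} ^[A-Z]+$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} express [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} ^IE\ \d\.\d\ Compatible.*Browser$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} tele(port|soft) [NC,OR] # OD
RewriteCond %{REQUEST_URI} mail.?(pl|cgi) [NC]
'''

# RewriteCond %{VAR} pattern [flags]; the pattern is either "quoted" or bare with \-escaped spaces.
COND = re.compile(r'^RewriteCond\s+%\{(\w+)\}\s+(?:"([^"]*)"|((?:\\.|\S)+))\s+\[([^\]]*)\]')

def parse(text):
    """Return (variable, pattern, compiled regex) for every RewriteCond line."""
    conds = []
    for line in text.splitlines():
        m = COND.match(line.strip())
        if m:
            var, quoted, bare, flags = m.groups()
            pattern = quoted if quoted is not None else bare
            nocase = "NC" in flags.split(",")
            conds.append((var, pattern, re.compile(pattern, re.I if nocase else 0)))
    return conds

def first_match(conds, request):
    """First condition a request trips, or None. Assumes one [OR] chain feeding a single [F] rule."""
    for var, pattern, rx in conds:
        if rx.search(request.get(var, "")):
            return f"{var} {pattern}"
    return None

# Constructed requests: ones that should be refused, plus traffic you want to keep.
CASES = [
    {"REMOTE_ADDR": "63.148.99.230", "HTTP_USER_AGENT": "Mozilla/5.0"},
    {"REMOTE_ADDR": "63.148.99.223", "HTTP_USER_AGENT": "Mozilla/5.0"},
    {"HTTP_USER_AGENT": "IE 6.0 Compatible Browser"},
    {"HTTP_USER_AGENT": "ExampleReader/1.0 (Express edition)"},
    {"HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)", "REQUEST_URI": "/cgi-bin/mail.pl"},
    {"HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)", "REQUEST_URI": "/index.html"},
]

if __name__ == "__main__":
    conds = parse(RULES)
    for req in CASES:
        print(first_match(conds, req) or "allowed", "<-", req)
```

The fourth constructed request shows why unanchored, case-insensitive words such as `express` deserve a replay against your own legitimate user agents: any client whose User-Agent merely contains the word is refused.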
