Notice of ban

Crawling through my server logs, I've banned the following IPs:

  • 220.181.33.225 - rude bot from China, stupid enough to pump the same .WAV files, like, every day, sucking more than 2GB of bandwidth in just a couple hundred hits (for two files that never changed!)
  • 60.28.252.77 - same as above
  • 69.31.1.154 aka fuse4.mailanyone.net - don't know what it is nor who is behind it (they use DomainsByProxy to hide their whois info), but it's generating a hell of errors: 13,209 for 82,307 hits in just 48 visits, I don't like that
  • 213.251.180.34 aka seri.lmsa.biz because 1) no info (lmsa.biz redirects you to www.google.fr), 2) it's rude, spawning requests every second, 3) requesting the same URL like 10 times in one second! sucking about 10 times more bandwidth than normal search engine bots
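The three symptoms listed above (re-fetching unchanged files, a high error ratio, the same URL requested many times in one second) can be pulled out of an Apache combined-format access log automatically. This is an added example, not the author's tooling; the thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: client IP, [timestamp], "METHOD url ...", status, bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) (\d+|-)')

def flag_rude_clients(lines, max_error_ratio=0.10, max_same_url_per_sec=5,
                      max_refetch_bytes=1_000_000):
    """Return {ip: [reasons]} for clients that exceed any (assumed) threshold."""
    hits, errors = Counter(), Counter()
    per_second = Counter()        # (ip, timestamp, url) -> hits in that second
    url_hits = Counter()          # (ip, url) -> hits
    url_bytes = Counter()         # (ip, url) -> bytes served
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # malformed request lines are skipped here
        ip, ts, url, status, size = m.groups()
        hits[ip] += 1
        errors[ip] += status[0] in "45"
        per_second[(ip, ts, url)] += 1
        url_hits[(ip, url)] += 1
        url_bytes[(ip, url)] += 0 if size == "-" else int(size)
    reasons = defaultdict(list)
    for ip, n in hits.items():
        if errors[ip] / n > max_error_ratio:
            reasons[ip].append("error ratio %d/%d" % (errors[ip], n))
    for (ip, ts, url), n in per_second.items():
        if n > max_same_url_per_sec:
            reasons[ip].append("%s requested %d times in one second" % (url, n))
    for (ip, url), total in url_bytes.items():
        if url_hits[(ip, url)] > 1 and total > max_refetch_bytes:
            reasons[ip].append("%s fetched %d times, %d bytes"
                               % (url, url_hits[(ip, url)], total))
    return dict(reasons)

def _line(ip, ts, url, status, size):
    return '%s - - [%s +0000] "GET %s HTTP/1.1" %d %d "-" "-"' % (ip, ts, url, status, size)

# Constructed sample log (documentation-range addresses, not the banned IPs)
SAMPLE = (
    [_line("192.0.2.10", "01/Jan/2008:10:00:%02d" % s, "/a.wav", 200, 600000) for s in range(3)]
    + [_line("198.51.100.7", "01/Jan/2008:10:05:00", "/feed.xml", 200, 2000)] * 10
    + [_line("203.0.113.5", "01/Jan/2008:10:06:%02d" % s, "/x%d" % s, 404, 300) for s in range(4)]
    + [_line("203.0.113.99", "01/Jan/2008:10:07:00", "/", 200, 5000)]
)

if __name__ == "__main__":
    for ip, why in flag_rude_clients(SAMPLE).items():
        print(ip, why)
```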

I've also noticed a pattern of errors with malformed GET requests, all containing the following string: "gping="/GLinkPing.aspx". I'm not banning it because it's infrequent, but I don't like it and cannot find any useful information about it (except one pointer to Gravee).

If you run one of the mentioned bots and feel that I'm over-reacting, please drop me a note with explanations.

If you're interested in how I ban various offenders from my site, here are the rules I have placed in my .htaccess file, leaving Apache to do the work (also my host runs mod_security in front of it):

RewriteEngine On
RewriteBase /
# User-Agents with no privileges (mostly spambots/spybots/offline downloaders that ignore robots.txt)
# see http://diveintomark.org/archives/2003/02/26/how_to_block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell
RewriteCond %{REMOTE_ADDR} ^220\.181\.33\.225 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^60\.28\.252\.77 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^69\.31\.1\.154 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^24\.86\.103\.176 [OR] #spammer
RewriteCond %{REMOTE_ADDR} ^81\.95\.146\.162 [OR] #spammer
RewriteCond %{REMOTE_ADDR} ^193\.252\.177\.186 [OR] #spammer
RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$" [OR] # Cyveillance spybot
RewriteCond %{REMOTE_ADDR} ^12\.148\.196\.(12[8-9]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])$ [OR] # NameProtect spybot
RewriteCond %{REMOTE_ADDR} ^12\.148\.209\.(19[2-9]|2[0-4][0-9]|25[0-5])$ [OR] # NameProtect spybot
RewriteCond %{REMOTE_ADDR} ^64\.140\.49\.6([6-9])$ [OR] # Turnitin spybot
RewriteCond %{HTTP_REFERER} iaea\.org [OR] # spambot
RewriteCond %{HTTP_REFERER} neopets\.com [OR] # referrer spam
RewriteCond %{HTTP_REFERER} spampoison\.com [OR] # looks exactly like a spambot
RewriteCond %{HTTP_REFERER} riaa\.com [OR] # some bot
RewriteCond %{HTTP_REFERER} cxa\.de [OR] # porn site
RewriteCond %{HTTP_REFERER} filthserver\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} wastedpartygirls\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} amateurxpass\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} mature--young\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} bloglisting\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} nudecelebblogs\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} sexrabbit\.de [OR] # porn site
RewriteCond %{HTTP_REFERER} busty2\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} adult-models\.biz [OR] # porn site
RewriteCond %{HTTP_REFERER} freenudecelebrity\.net [OR] # porn site
RewriteCond %{HTTP_REFERER} limolimo\.net [OR] # dont know
RewriteCond %{HTTP_REFERER} shatteredreality\.net [OR] # spammer site
RewriteCond %{HTTP_USER_AGENT} ^[A-Z]+$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} anarchie [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} cherry.?picker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "compatible ; MSIE 6\.0" [OR] # spambot (note extra space before semicolon)
RewriteCond %{HTTP_USER_AGENT} crescent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d+" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} "DTS Agent" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^Download" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} EasyDL/\d\.\d+ [OR] # OD
RewriteCond %{HTTP_USER_AGENT} e?mail.?(collector|magnet|reaper|siphon|sweeper|harvest|collect|wolf) [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} express [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} extractor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "Fetch API Request" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} flashget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} FlickBot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} FrontPage [OR] # stupid user trying to edit my site
RewriteCond %{HTTP_USER_AGENT} getright [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} go.?zilla [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "efp@gmx\.net" [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} grabber [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} imagefetch [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} httrack [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "^Internet Explore" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ^IE\ \d\.\d\ Compatible.*Browser$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "LINKS ARoMATIZED" [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "mister pix" [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/4\.0$" [OR] # dumb bot
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/\?\?$" [OR] # formmail attacker
RewriteCond %{HTTP_USER_AGENT} MSIECrawler [OR] # IE's "make available offline" mode
RewriteCond %{HTTP_USER_AGENT} ^NG [OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} offline [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} net.?(ants|mechanic|spider|vampire|zip) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} nicerspro [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ninja [NC,OR] # Download Ninja OD
RewriteCond %{HTTP_USER_AGENT} NPBot [OR] # NameProtect spybot
RewriteCond %{HTTP_USER_AGENT} PersonaPilot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} snagger [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} Sqworm [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} SurveyBot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} tele(port|soft) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} TurnitinBot [OR] # Turnitin spybot
RewriteCond %{HTTP_USER_AGENT} web.?(auto|bandit|collector|copier|devil|downloader|fetch|hook|mole|miner|mirror|reaper|sauger|sucker|site|snake|stripper|weasel|zip) [NC,OR] # ODs
RewriteCond %{HTTP_USER_AGENT} vayala [OR] # dumb bot, doesn't know how to follow links, generates lots of 404s
RewriteCond %{HTTP_USER_AGENT} zeus [NC,OR]
# Below are filtered requests (mostly virus and other security holes sniffers)
RewriteCond %{REQUEST_URI} formmail [NC,OR]
RewriteCond %{REQUEST_URI} _vti_bin [NC,OR]
RewriteCond %{REQUEST_URI} MSOffice [OR]
RewriteCond %{REQUEST_URI} mail.?(pl|cgi) [NC]
RewriteRule .* - [F,L]
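
A dry run of part of the rule set above against constructed requests, added here as an example and not the author's code: Python's `re` stands in for mod_rewrite's regex engine, and the `REQUESTS` values and helper names are made up. It checks the Cyveillance address range at its boundary and shows that two broad substring patterns (`express`, `mail.?(pl|cgi)`) also return 403 to a harmless request.

```python
import re

# (server variable, pattern, NC flag), copied from the rule set above
CONDITIONS = [
    ("REMOTE_ADDR", r"^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$", False),
    ("REMOTE_ADDR", r"^64\.140\.49\.6([6-9])$", False),
    ("HTTP_REFERER", r"riaa\.com", False),
    ("HTTP_USER_AGENT", r"^[A-Z]+$", False),
    ("HTTP_USER_AGENT", r"express", True),
    ("HTTP_USER_AGENT", r"offline", True),
    ("HTTP_USER_AGENT", r"tele(port|soft)", True),
    ("REQUEST_URI", r"formmail", True),
    ("REQUEST_URI", r"mail.?(pl|cgi)", True),
]

def first_match(request):
    """Return the (variable, pattern) that would send 403, or None if allowed.

    The conditions are chained with [OR], so any single match is enough.
    Like mod_rewrite, patterns are unanchored unless they use ^ or $.
    """
    for var, pattern, nocase in CONDITIONS:
        if re.search(pattern, request.get(var, ""), re.I if nocase else 0):
            return (var, pattern)
    return None

# Constructed requests: label -> server variables
REQUESTS = {
    "range start": {"REMOTE_ADDR": "63.148.99.224"},
    "just below range": {"REMOTE_ADDR": "63.148.99.223"},
    "ordinary browser": {"HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
                         "REQUEST_URI": "/index.html"},
    "feed reader": {"HTTP_USER_AGENT": "ExpressReader/1.0 (hypothetical feed reader)"},
    "webmail page": {"HTTP_USER_AGENT": "Mozilla/5.0", "REQUEST_URI": "/webmail/places.html"},
}

def audit(requests=REQUESTS):
    """Map each labelled request to the condition that blocks it (or None)."""
    return {label: first_match(req) for label, req in requests.items()}

if __name__ == "__main__":
    for label, hit in audit().items():
        print("%-18s %s" % (label, "403 via %s %s" % hit if hit else "allowed"))
```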
