Tuesday, August 08, 2006

Inhoster Blog Spam Haven Servers Blocked

Inhoster is just filthy with blog spammers, which is bizarre, as usually I find a mix of activity on dedicated servers, but this place seems to be overflowing with nothing but spammers and just one scraper, Snoopy.

I'm positive they are all spammers as every IP address listed below, except Snoopy, ONLY accessed my post form on a specific server, nothing else.

They host some of the usual garden variety bullshit spammers and Snoopy the scraper:

85.255.116.178 "Snoopy v1.2" "/"
85.255.117.218 "PussyCat 1.0, Murzillo compatible"
85.255.117.222 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
85.255.117.226 ""
85.255.118.106 "PussyCat 1.0, Murzillo compatible"
85.255.118.114 "PussyCat 1.0, Murzillo compatible"

Then they have a few of the amazing changing user agent spammers from this IP, sorted by user agent for your viewing pleasure:

85.255.117.250 "Mozilla/4.0 (compatible; MSIE 4.0; MSN 2.6; Windows 95; Gateway2000)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; USA On-Site)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; 981)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; QXW0332q)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; DT)"
85.255.117.250 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
85.255.117.250 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311"
85.255.117.250 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc1) Gecko/20020417"
85.255.117.250 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc2) Gecko/20020510"
85.255.117.250 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523"
85.255.117.250 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020611"
85.255.117.250 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020721"
85.255.117.250 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2a) Gecko/20020910"
85.255.117.250 "Opera/6.01 (Windows 98; U) [en]"
85.255.117.250 "Opera/6.04 (Windows 2000; U) [en]"
85.255.117.250 "Opera/6.04 (Windows 98; U) [en]"
85.255.117.250 "Opera/6.04 (Windows XP; U) [en]"
85.255.117.250 "Opera/7.0 (Windows 2000; U) [en]"
85.255.117.250 "Opera/7.0 (Windows NT 5.0; U) [en]"
85.255.117.250 "Opera/7.02 Bork-edition (Windows NT 5.0; U) [en]"

Another of the same rotating user agent shit on a different IP:

85.255.117.251 "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95; USA On-Site)"
85.255.117.251 "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
85.255.117.251 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
85.255.117.251 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.7) Gecko/20011221"
85.255.117.251 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530"
85.255.117.251 "Opera/7.02 Bork-edition (Windows NT 5.0; U) [en]"

And YET another that didn't hit as often:

85.255.117.253 "Mozilla/4.0 (compatible; MSIE 4.0; MSN 2.6; Windows 95; Gateway2000)"
85.255.117.253 "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.7) Gecko/20011221"
85.255.117.253 "Opera/6.04 (Windows 2000; U) [en]"

For the grand finale, a D-block of Firefox Linux spammers:

85.255.118.82 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.83 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.84 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.85 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.86 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.130 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.132 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.133 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"
85.255.118.134 "Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3"

Block block block block...

Here's the range of troublemaker IPs to block:

netname: INHOSTER
inetnum: 85.255.112.0 - 85.255.127.255

They also have this range but I don't have any activity that has been tracked from here:

netname: INHOSTER
inetnum: 195.95.218.0 - 195.95.219.255

Enjoy the silence with the fucking spammers gone.
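
The two signals used above (clients that touch nothing but the comment form, and a single address cycling through user agents) plus the conversion of the whois ranges into CIDR blocks for a deny list, as an added example that is not the author's code. The log lines are constructed, and the `/comment-post` path and the `max_agents` threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Apache "combined" line: client, request line, status, size, referer, user agent.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')
POST_FORM = "/comment-post"  # hypothetical path of the blog's comment form

# Constructed sample: RFC 5737 documentation addresses, user agents taken from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2006:10:00:01 +0000] "POST /comment-post HTTP/1.1" 200 512 "-" "Opera/6.04 (Windows 98; U) [en]"
192.0.2.10 - - [08/Aug/2006:10:00:09 +0000] "POST /comment-post HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
192.0.2.10 - - [08/Aug/2006:10:00:17 +0000] "POST /comment-post HTTP/1.1" 200 512 "-" "Opera/7.02 Bork-edition (Windows NT 5.0; U) [en]"
192.0.2.20 - - [08/Aug/2006:10:01:00 +0000] "POST /comment-post HTTP/1.1" 200 512 "-" "PussyCat 1.0, Murzillo compatible"
192.0.2.30 - - [08/Aug/2006:10:02:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Snoopy v1.2"
198.51.100.5 - - [08/Aug/2006:10:03:00 +0000] "GET /2006/08/post.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
198.51.100.5 - - [08/Aug/2006:10:04:00 +0000] "POST /comment-post HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
"""

def profile(log_text):
    """Map each client IP to the set of paths and the set of user agents it used."""
    paths, agents = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, ua = m.groups()
        paths[ip].add(path)
        agents[ip].add(ua)
    return paths, agents

def suspects(log_text, max_agents=2):
    """Return (IPs that only ever hit the post form, IPs with more than max_agents UAs)."""
    paths, agents = profile(log_text)
    form_only = sorted(ip for ip, seen in paths.items() if seen == {POST_FORM})
    rotating = sorted(ip for ip, seen in agents.items() if len(seen) > max_agents)
    return form_only, rotating

def range_to_cidrs(inetnum):
    """Turn a whois 'first - last' inetnum value into the CIDR blocks that cover it."""
    first, last = (ipaddress.ip_address(part.strip()) for part in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
    print(range_to_cidrs("85.255.112.0 - 85.255.127.255"))
    print(range_to_cidrs("195.95.218.0 - 195.95.219.255"))
```

The reader at 198.51.100.5 also posts a comment but is not flagged, because it fetched the article first and kept one user agent; the Snoopy scraper is not flagged as a form-only client because it requested `/`.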

1 comment:

olliver said...

Bill,
you can't go wrong with blocking their entire ranges as they only seem to host crap sites ranging from spamvertised Malware to pure doorway gibberish sites which attempt to run IE specific exploits.

Inhoster is particularly interesting as when you visit their site, you'll notice that it will say they don't accept any customers (although new sites or spambots do pop up regularly). However you won't see any representatives in forums. That's because the company behind this operation is actually Esthost:

Spamhaus listing Atrivo
Spamhaus listing Esthost

One of the reasons most people have their entire ranges banned on the router level or in their hosts file to prevent from being overrun by malware. And estdomains is their registration service; you probably noticed already that this service isn't used for legitimate sites and often contains not quite realistic registration infos ;-)