  • List of Spambot IPs

      • #1949275 Reply
        E Pericoloso Sporgersi
        AskWoody Plus

        About 3 – 4 weeks ago a new spambot must have gone on sale, because since then the forum where I’m assistant moderator is experiencing an onslaught of registration attempts by spambots.

        I’ve been banning those pesky spambots and compiling a list of their IP addresses (IPv4).
        I include IPs so marked by https://www.stopforumspam.com/search and by http://botscout.com/

        I then wanted to sort the IPv4 addresses in ascending order, to detect possible IP-ranges. To that end, I imported the list in a spreadsheet with the first byte in column A, the second byte in column B, and so on.

        If anybody is interested in that sorted list, you can download the file from: https://app.box.com/shared/static/xmnp1jnagtm6p27hpvo2g8ax4g15i4xi.xls .

        Of course this list will continue to grow. I expect a significant weekly increase. I can refresh that downloadable spreadsheet file every week if desired, but you’ll have to send me a PM to request it each time you want a new file.

        But now there are two questions nagging me:
        1. Is this list actually useful? 

        2. Or do spambots use a proxy and/or a VPN? In which case my list is a waste of time. 
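
The sort-and-look-for-ranges step described in the post above can also be done without a spreadsheet. The following is an added example, not part of the original post; the address list is constructed (only 212.224.112.243 appears in this thread, the rest are RFC 5737 documentation addresses) and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample ban list: one address from the thread, the rest from
# documentation ranges, plus a junk line and a duplicate.
BANNED = """\
212.224.112.243
198.51.100.7
203.0.113.200
198.51.100.19
not-an-ip
198.51.100.130
203.0.113.9
198.51.100.7
"""

def parse_ips(text):
    """Return unique IPv4 addresses sorted numerically; skip malformed lines."""
    seen = set()
    for line in text.splitlines():
        try:
            seen.add(ipaddress.IPv4Address(line.strip()))
        except ipaddress.AddressValueError:
            continue  # ignore junk rather than abort the whole import
    return sorted(seen)  # numeric order: .19 sorts before .130, unlike a text sort

def clusters(addrs, prefix=24, min_hits=2):
    """Group addresses by enclosing /prefix; keep networks with >= min_hits."""
    buckets = defaultdict(list)
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        buckets[net].append(a)
    return {n: v for n, v in sorted(buckets.items()) if len(v) >= min_hits}

def tightest_cover(addrs):
    """Smallest single CIDR block containing every address in addrs."""
    lo, hi = int(min(addrs)), int(max(addrs))
    plen = 32 - (lo ^ hi).bit_length()  # shared leading bits
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{plen}", strict=False)

if __name__ == "__main__":
    for net, hits in clusters(parse_ips(BANNED)).items():
        print(net, len(hits), "hits, tightest block:", tightest_cover(hits))
```

A cluster only shows that several banned addresses share a prefix; whether the whole block belongs to one operator still needs a whois lookup before banning the range.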

      • #1949432 Reply
        mn–
        AskWoody Lounger

        But now there are two questions nagging me:
        1. Is this list actually useful? 

        2. Or do spambots use a proxy and/or a VPN? In which case my list is a waste of time.

        1. Yes… somewhat. Not conclusive unless you can also classify IPs by type. Also spambots don’t typically use one address very long.

        2. Yes, and some of those addresses seem to be VPN endpoints. Others would seem to be residential subscribers… easy targets for hijack victims. (Hijack as a proxy and they may never even notice.)

        What you really “should” do is take the addresses, then pass them through a whois lookup, then report the spambot to the contact listed there.

        Banning an address for a week and seeing if they keep trying from it before complaining should reduce the list significantly, but then you’re still left with the VPN endpoints, and dynamic IP ranges.

        Such as, taking one address (212.224.112.243) from your list:

        $ whois 212.224.112.243
        % This is the RIPE Database query service.
        % The objects are in RPSL format.
        %
        % The RIPE Database is subject to Terms and Conditions.
        % See http://www.ripe.net/db/support/db-terms-conditions.pdf
        
        % Note: this output has been filtered.
        %       To receive output for a database update, use the “-B” flag.
        
        % Information related to ‘212.224.112.0 – 212.224.112.255’
        
        % Abuse contact for ‘212.224.112.0 – 212.224.112.255’ is ‘abuse@first-colo.net’
        
        inetnum:        212.224.112.0 – 212.224.112.255
        netname:        DE-FORNEX
        descr:          http://www.fornex.com, Fornex Hosting S.L
        country:        DE
        admin-c:        COLO-RIPE
        tech-c:         COLO-RIPE
        remarks:        ——————————————————-
        remarks:        — please report spam/abuse to abuse@first-colo.net —
        remarks:        —- reports to other addresses won’t be processed —-
        remarks:        ——————————————————-
        status:         ASSIGNED PA
        mnt-by:         MNT-FIRSTCOLO
        created:        2011-10-07T09:12:14Z
        last-modified:  2013-07-23T10:07:53Z
        source:         RIPE
        
        role:           First Colo Ripe Coordination
        address:        First Colo GmbH
        address:        Hanauer Landstr. 291b
        address:        D-60314 Frankfurt am Main
        address:        Germany
        phone:          +49-(0)69-120069-0
        fax-no:         +49-(0)69-120069-55
        abuse-mailbox:  abuse@first-colo.net
        remarks:
        remarks:        * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
        remarks:        * Complaints about internet abuse like spam, hack attacks, scans, etc. *
        remarks:        * please mail to: –> abuse [@] first-colo [.] net <– *
        remarks:        * Requests from law enforcement (only!), send fax to: +49 (0) 69 1200 69 55 *
        remarks:        * Inquiries can only be processed, if sent to the correct address. *
        remarks:        * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
        remarks:
        admin-c:        LEKR-RIPE
        tech-c:         LEKR-RIPE
        tech-c:         LEKR-RIPE
        nic-hdl:        COLO-RIPE
        mnt-by:         MNT-FIRSTCOLO
        created:        2007-09-28T19:01:39Z
        last-modified:  2018-09-28T08:47:18Z
        source:         RIPE # Filtered
        
        % Information related to ‘212.224.112.0/20AS44066’
        
        route:          212.224.112.0/20
        descr:          First Colo via AS44066
        origin:         AS44066
        mnt-by:         MNT-FIRSTCOLO
        created:        2011-03-29T22:46:30Z
        last-modified:  2011-03-29T22:46:30Z
        source:         RIPE
        
        % This query was served by the RIPE Database Query Service version 1.94.1 (ANGUS)
        1 user thanked author for this post.
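
The whois step suggested in the reply above can be scripted once the output has been saved. The following is an added example, not part of the original post: it parses RPSL-style whois text and extracts the range, abuse contact and route needed for a report. The sample text is abbreviated from the output quoted above with ASCII punctuation restored, and the function names are hypothetical.

```python
import ipaddress
import re

# Abbreviated from the whois output quoted in the post (ASCII hyphens/quotes).
WHOIS_TEXT = """\
% Abuse contact for '212.224.112.0 - 212.224.112.255' is 'abuse@first-colo.net'

inetnum:        212.224.112.0 - 212.224.112.255
netname:        DE-FORNEX

abuse-mailbox:  abuse@first-colo.net

route:          212.224.112.0/20
origin:         AS44066
"""

def parse_rpsl(text):
    """Split whois output into objects: one dict of attribute -> [values] each."""
    objects = []
    for block in re.split(r"\n\s*\n", text):
        obj = {}
        for line in block.splitlines():
            if line.startswith("%") or ":" not in line:
                continue  # server comments and stray lines
            key, value = line.split(":", 1)
            obj.setdefault(key.strip(), []).append(value.strip())
        if obj:
            objects.append(obj)
    return objects

def summarize(text):
    """Pull out the fields needed for an abuse report."""
    info = {"range": None, "netname": None, "abuse": None, "route": None, "asn": None}
    for obj in parse_rpsl(text):
        if "inetnum" in obj:
            # Accept an en dash too, since copied output often has one.
            first, last = re.split(r"\s*[-\u2013]\s*", obj["inetnum"][0])
            info["range"] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
            info["netname"] = obj.get("netname", [None])[0]
        if "abuse-mailbox" in obj:
            info["abuse"] = obj["abuse-mailbox"][0]
        if "route" in obj:
            info["route"] = ipaddress.ip_network(obj["route"][0])
            info["asn"] = obj.get("origin", [None])[0]
    return info

def covered(info, addresses):
    """Addresses from a ban list that fall inside the looked-up inetnum range."""
    lo, hi = info["range"]
    return [a for a in addresses if lo <= ipaddress.IPv4Address(a) <= hi]
```

Running `covered()` over the whole ban list after each lookup lets one report per network replace one lookup per address.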
      • #1949436 Reply
        PKCano
        Da Boss

        I have found CleanTalk to be another good source of information.

        2 users thanked author for this post.