HighDots Forums  

More Spam



Discuss More Spam in the alt.html forum.



#11
Neredbojias

Re: More Spam - 07-21-2008, 05:13 PM






On 21 Jul 2008, "Brian Cryer" <not.here@localhost> wrote:

Quote:
I've recently started filtering my formmail, and 193.53.87.109,111 &
113 are three of the 20 ip addresses I'm currently blocking (I'm
also filtering on content, but that is experimental for now.) So
clearly those spammers are/were an irritation to quite a number of
us.

Very, very interesting. I don't have 20 yet, but 194.8.74.158,
194.8.75.204, and 78.157.143.233 are in my repertoire as well. 2 of the
bunch have the same spam but one is an ip from India and the other from
Latvia.

I've not looked up where mine are from. I do have 194.8.74.158 in my
list but not your other two (yet).

My full list at the moment (although I know I have others yet to add)
is: [list of IP addresses]

I'm not logging frequency so some of these will be worse offenders
than others. When I have time this is one of the things I will log.

Does anyone know of a central list of spammer ips? I know of
spamhaus for ips of e-mail spammers, but haven't got as far as
investigating whether they or anyone else manages a list of
form-mail spammer ips.

I know of nothing, but later I will Google for something like "form
mail spam" and see what comes up.

I do know of other approaches - captcha is common and making use of
cookies is another good approach. Still haven't found a public list of
form-spammer ips.

Wow, you do have quite a list. Are these all form-spammers because that
is what I'm harping about; regular email spam I let gmail handle, and they
seem to do a very good job. Regardless though, I believe publicizing
the IP address of the spammer (any type) is a weapon in the war against
spam and a good one.

These are all form spammers. (Like you for regular email spam I have
filters, but nothing third party for form spam.) I'm sure this list will
grow.

Holy mackerel; that's a lot! I didn't expect there to be so many in that
sub-category because it's actually pretty easy to block general unwanted
outgoing missives with a form.

Quote:
...And no, I haven't found a f/s list yet, either.

I did try one or two of these ip addresses on spamhaus, but didn't get a
match. I suppose most blacklists concentrate on email spam. Maybe if I
move this to a dedicated server I could open up my growing list to
public query. That might be interesting. I'll add it to my ever growing
list of things that I'd like to do but may never have time for ...

Yeah, I tried a few places, too, without getting any matches. It's rather
surprising, at least to me. One interesting thing, though: my latest spam,
193.200.241.136, was a single, and the next day I reported it to the
associated "abuse hotline". I _didn't_ block the alert, however, but have
since (-4 days) received no more from there even though I received a
somewhat casual "need more info" reply from the hotline. This suggests
that some, if not most, addresses are used only temporarily and blocking
them permanently is in essence futile. Like you implied, adroit
"filtering" is probably the way to go.

--
Neredbojias
http://www.neredbojias.net/
Great sights and sounds


#12
Brian Cryer

Re: More Spam - 07-22-2008, 11:03 AM






"Neredbojias" <me@http://www.neredbojias.net/_eml/fliam.php> wrote in
message news:Xns9AE290BC178AAneredbojiasnano (AT) 194 (DOT) 177.96.78...
Quote:
On 21 Jul 2008, "Brian Cryer" <not.here@localhost> wrote:

I've recently started filtering my formmail, and 193.53.87.109,111 &
113 are three of the 20 ip addresses I'm currently blocking (I'm
also filtering on content, but that is experimental for now.) So
clearly those spammers are/were an irritation to quite a number of
us.
snip
I did try one or two of these ip addresses on spamhaus, but didn't get a
match. I suppose most blacklists concentrate on email spam. Maybe if I
move this to a dedicated server I could open up my growing list to
public query. That might be interesting. I'll add it to my ever growing
list of things that I'd like to do but may never have time for ...

Yeah, I tried a few places, too, without getting any matches. It's rather
surprising, at least to me. One interesting thing, though: my latest spam,
193.200.241.136, was a single, and the next day I reported it to the
associated "abuse hotline". I _didn't_ block the alert, however, but have
since (-4 days) received no more from there even though I received a
somewhat casual "need more info" reply from the hotline. This suggests
that some, if not most, addresses are used only temporarily and blocking
them permanently is in essence futile. Like you implied, adroit
"filtering" is probably the way to go.

At the moment I'm using a permanent block, but it's my intention to block for
a period of time and renew the block if the ip posts during that time.
That's my next enhancement when I next return to this bit of work.

I agree that it seems like a number of ip addresses are only used on a
temporary basis. I suspect a very small bot army may be in use - because
I've often seen an identical post come in from different ip addresses.
--
Brian Cryer
www.cryer.co.uk/brian




#13
Neredbojias

Re: More Spam - 07-22-2008, 11:50 AM



On 22 Jul 2008, "Brian Cryer" <not.here@localhost> wrote:

Quote:
"Neredbojias" <me@http://www.neredbojias.net/_eml/fliam.php> wrote in
message news:Xns9AE290BC178AAneredbojiasnano (AT) 194 (DOT) 177.96.78...
On 21 Jul 2008, "Brian Cryer" <not.here@localhost> wrote:

I've recently started filtering my formmail, and 193.53.87.109,111
& 113 are three of the 20 ip addresses I'm currently blocking (I'm
also filtering on content, but that is experimental for now.) So
clearly those spammers are/were an irritation to quite a number of
us.
snip
I did try one or two of these ip addresses on spamhaus, but didn't get
a match. I suppose most blacklists concentrate on email spam. Maybe if
I move this to a dedicated server I could open up my growing list to
public query. That might be interesting. I'll add it to my ever
growing list of things that I'd like to do but may never have time for
...

Yeah, I tried a few places, too, without getting any matches. It's
rather surprising, at least to me. One interesting thing, though: my
latest spam, 193.200.241.136, was a single, and the next day I reported it to the
associated "abuse hotline". I _didn't_ block the alert, however, but
have since (-4 days) received no more from there even though I received
a somewhat casual "need more info" reply from the hotline. This
suggests that some, if not most, addresses are used only temporarily
and blocking them permanently is in essence futile. Like you implied,
adroit "filtering" is probably the way to go.

At the moment I'm using a permanent block, but it's my intention to block
for a period of time and renew the block if the ip posts during that
time. That's my next enhancement when I next return to this bit of work.

Ditto here but I'm not happy at the prospect of needing a db (or flatfile)
for a _fully_ automatic script. I may just compromise somewhat on that.

Quote:
I agree that it seems like a number of ip addresses are only used on a
temporary basis. I suspect a very small bot army may be in use - because
I've often seen an identical post come in from different ip addresses.

I believe you're quite right. Your form seems to have been hit harder than
mine (-perhaps because of more exposure), but the "flac" I've been getting
is (so far) easily handled via the methods I already have in place. (Still
intend to automate it more, though.)

--
Neredbojias
http://www.neredbojias.net/
Great sights and sounds
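
The time-limited block with renewal, the flat file, and the identical-post-from-different-addresses observation discussed in the posts above, sketched as an added Python example (not code from either poster or from any formmail script). The class name, the block period and the duplicate threshold are assumptions.

```python
import hashlib
import json
import os
import tempfile

BLOCK_SECONDS = 7 * 24 * 3600   # assumed block period; the thread names no figure
DUPLICATE_IPS = 2               # assumed: same body from this many IPs counts as spam


class FormSpamFilter:
    """Expiring IP blocks plus duplicate-body tracking, kept in one JSON flat file."""

    def __init__(self, path):
        self.path = path
        self.state = {"blocks": {}, "bodies": {}}
        if os.path.exists(path):
            with open(path) as fh:
                self.state = json.load(fh)

    def _save(self):
        # Write to a temp file and rename so a crash never leaves a half-written list.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as fh:
            json.dump(self.state, fh)
        os.replace(tmp, self.path)

    def block(self, ip, now):
        self.state["blocks"][ip] = now + BLOCK_SECONDS
        self._save()

    def accept(self, ip, body, now):
        """Return True if the submission should be delivered."""
        expiry = self.state["blocks"].get(ip)
        if expiry is not None and now < expiry:
            self.block(ip, now)              # posted while blocked: renew the block
            return False
        self.state["blocks"].pop(ip, None)   # block lapsed (or never existed)
        digest = hashlib.sha256(" ".join(body.split()).lower().encode()).hexdigest()
        seen = self.state["bodies"].setdefault(digest, [])
        if ip not in seen:
            seen.append(ip)
        if len(seen) >= DUPLICATE_IPS:       # identical post from several addresses
            for addr in seen:
                self.state["blocks"][addr] = now + BLOCK_SECONDS
            self._save()
            return False
        self._save()
        return True
```

The body-hash table grows without bound as written; a real deployment would age those entries out the same way the blocks expire.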

