
Identical spam coming from many different (but similar) IP addresses

@Yeniel560

Posted in: #Forum #IpAddress #Spam

A forum I run has been the victim of spam user accounts recently - several accounts that have been registered and the profiles filled with advertising/links. All of this is for the same company, or group of companies.

I deleted several accounts weeks ago and blocked some IP addresses, but today they have come back with the same spam. Every account has a different IP address, but they are all of the form 122.179.*.* or 122.169.*.*.

I am considering blocking those two IP ranges, but there are potentially thousands of IPs in that range. They appear to be assigned to India (although the spam is for an American company) so given the site is for a western, English-speaking audience maybe it doesn't matter. My questions:


1. How are they posting on so many IPs?
2. Is there likely to be a limit to the number of IPs they have access to?
3. Is there anything else I can do at the IP-level to block them? (I am looking into other measures like blocking usernames/links.)


5 Comments


@Angela700

No matter what you try, various devices with various IPs will always try to do malicious things to websites. The term effective here is "script kiddies".

Your best bet is to first check your logs on the server the forum is on. If the website software is Apache then look for access_log and error_log files.

In those log files, you'll likely notice several dozen entries involving the exact same IP address trying to connect to a set of URLs.

There are a couple of ways to mostly evade the problem you're having.


Either move the files representing the forum and/or rename them and update the scripts and configuration files accordingly. For example, in a WordPress setup, rename wp-admin.php to worda.php and change all wp-admin.php in all files that are part of WordPress to worda.php. That way, the script kiddie would likely not try to access your script because you used a name that's unusual and probably never documented.


OR.


Configure the forum so that users have to enter a security code to register or even make a post as a guest.


I am against blocking these attacking IPs because they could be IPs of a mix of good (and possibly wanted) users and bad users. For example, the IP is connected to a router and to a bunch of computers and one computer is used to do malicious internet acts.

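An added example, not part of the original answer: the access_log check described above, extended to group registration requests by /16 prefix as well as by single address, since in the question every spam account came from a different IP. The log lines are constructed, and `/register.php` and the threshold of three distinct addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: client, identd, user, [time], "METHOD URL PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')

# Constructed access_log lines; /register.php is a hypothetical registration URL.
SAMPLE_LOG = """\
122.169.14.23 - - [12/Mar/2014:10:01:07 +0000] "POST /register.php HTTP/1.1" 200 512
122.169.77.201 - - [12/Mar/2014:10:04:31 +0000] "POST /register.php HTTP/1.1" 200 512
122.179.3.90 - - [12/Mar/2014:10:09:12 +0000] "POST /register.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2014:10:11:45 +0000] "GET /index.php HTTP/1.1" 200 8841
122.169.130.8 - - [12/Mar/2014:10:15:02 +0000] "POST /register.php HTTP/1.1" 200 512
122.179.45.17 - - [12/Mar/2014:10:21:40 +0000] "POST /register.php HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2014:10:30:18 +0000] "POST /register.php HTTP/1.1" 200 512
122.169.201.66 - - [12/Mar/2014:10:33:55 +0000] "POST /register.php HTTP/1.1" 200 512
122.179.160.4 - - [12/Mar/2014:10:41:09 +0000] "POST /register.php HTTP/1.1" 200 512
""".splitlines()


def registration_sources(lines, path="/register.php", prefix_len=16):
    """Return (hits per IP, distinct IPs per enclosing prefix) for registration POSTs."""
    per_ip, per_net = Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, method, url, _status = m.groups()
        if method != "POST" or url.split("?", 1)[0] != path:
            continue
        try:
            net = ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)
        except ValueError:
            continue  # hostname or IPv6 client; out of scope for this sketch
        per_ip[ip] += 1
        per_net[str(net)].add(ip)
    return per_ip, per_net


def clustered_prefixes(lines, min_distinct_ips=3, **kwargs):
    """Prefixes where many *different* addresses hit the registration form."""
    _, per_net = registration_sources(lines, **kwargs)
    return sorted((net, len(ips)) for net, ips in per_net.items()
                  if len(ips) >= min_distinct_ips)


if __name__ == "__main__":
    per_ip, _ = registration_sources(SAMPLE_LOG)
    print("busiest single IP:", per_ip.most_common(1))
    print("clustered prefixes:", clustered_prefixes(SAMPLE_LOG))
```

In the sample no single address registers more than once, so a per-IP count shows nothing unusual, while the per-prefix view surfaces both ranges.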


 

@Alves908

Using my database:

Both of these IP address ranges are subscriber lines. If you can afford to lose these users, you can block them easily.

122.169.0.0 is:

Bharti Airtel Ltd.

IP Address Range:

122.168.141.0 - 122.169.119.255


NetMask:

Block: 122.168.141.0/0
Base Address: 122.168.141.0
Broadcast Address: 255.255.255.255
Net Mask: 0.0.0.0
Host Mask: 255.255.255.255
Bits: 0
Size: 4294967296
2nd Element: 122.168.141.2
Block by IP Address Block


Apache .htaccess

# Matches 122.168.141.0 - 122.169.119.255
RewriteCond %{REMOTE_ADDR} ^122\.(168\.(14[1-9]|1[5-9][0-9]|2[0-9][0-9])|169\.([0-9][0-9]?|1[01][0-9]))\.
RewriteRule .* - [F,L]


Cisco

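access-list [your acl name] deny ip 122.168.141.0 0.0.0.255 any
access-list [your acl name] deny ip 122.168.142.0 0.0.1.255 any
access-list [your acl name] deny ip 122.168.144.0 0.0.15.255 any
access-list [your acl name] deny ip 122.168.160.0 0.0.31.255 any
access-list [your acl name] deny ip 122.168.192.0 0.0.63.255 any
access-list [your acl name] deny ip 122.169.0.0 0.0.63.255 any
access-list [your acl name] deny ip 122.169.64.0 0.0.31.255 any
access-list [your acl name] deny ip 122.169.96.0 0.0.15.255 any
access-list [your acl name] deny ip 122.169.112.0 0.0.7.255 any
access-list [your acl name] permit ip any any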


Nginx

Edit nginx.conf and insert include blockips.conf; if it does not exist. Edit blockips.conf and add the following:

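# 122.168.141.0 - 122.169.119.255
deny 122.168.141.0/24;
deny 122.168.142.0/23;
deny 122.168.144.0/20;
deny 122.168.160.0/19;
deny 122.168.192.0/18;
deny 122.169.0.0/18;
deny 122.169.64.0/19;
deny 122.169.96.0/20;
deny 122.169.112.0/21;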


IIS

<rule name="abort ip address 122.169.0.0" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="^122\.(168\.(14[1-9]|1[5-9][0-9]|2[0-9][0-9])|169\.([0-9][0-9]?|1[01][0-9]))\." />
</conditions>
<action type="AbortRequest" />
</rule>


122.179.0.0 is:

Bharti Airtel Ltd.

IP Address Range:

122.176.0.0 - 122.179.156.255


NetMask:

Block: 122.176.0.0/0
Base Address: 122.176.0.0
Broadcast Address: 255.255.255.255
Net Mask: 0.0.0.0
Host Mask: 255.255.255.255
Bits: 0
Size: 4294967296
2nd Element: 122.176.0.2
Block by IP Address Block


Apache .htaccess

# Matches 122.176.0.0 - 122.179.156.255
RewriteCond %{REMOTE_ADDR} ^122\.(17[678]|179\.([0-9][0-9]?|1[0-4][0-9]|15[0-6]))\.
RewriteRule .* - [F,L]


Cisco

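access-list [your acl name] deny ip 122.176.0.0 0.1.255.255 any
access-list [your acl name] deny ip 122.178.0.0 0.0.255.255 any
access-list [your acl name] deny ip 122.179.0.0 0.0.127.255 any
access-list [your acl name] deny ip 122.179.128.0 0.0.15.255 any
access-list [your acl name] deny ip 122.179.144.0 0.0.7.255 any
access-list [your acl name] deny ip 122.179.152.0 0.0.3.255 any
access-list [your acl name] deny ip 122.179.156.0 0.0.0.255 any
access-list [your acl name] permit ip any any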


Nginx

Edit nginx.conf and insert include blockips.conf; if it does not exist. Edit blockips.conf and add the following:

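# 122.176.0.0 - 122.179.156.255
deny 122.176.0.0/15;
deny 122.178.0.0/16;
deny 122.179.0.0/17;
deny 122.179.128.0/20;
deny 122.179.144.0/21;
deny 122.179.152.0/22;
deny 122.179.156.0/24;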


IIS

<rule name="abort ip address 122.179.0.0" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="^122\.(17[678]|179\.([0-9][0-9]?|1[0-4][0-9]|15[0-6]))\." />
</conditions>
<action type="AbortRequest" />
</rule>


@Cugini213

The Stop Forum Spam site is a resource to help block forum spammers. Its database can be queried manually or by API by IP address, username, or email address. For Simple Machines Forum (SMF) sites I use a module that queries its database as a means of blocking forum spammers. Modules are also available for many other forum software packages to automatically query its database; you can find a list of other forum software for which modules are available at the Mods & Plugins page on the Stop Forum Spam site.

A search on 122.169 and 122.179 on the Stop Forum Spam search page shows other forums are seeing spammers using IP addresses in those ranges currently.


@Carla537

My suggestion, since I recently dealt with a similar problem on a forum of mine, is to change registration so that a user must be accepted by an admin before they become a member of the forum.


@Holmes151

1. They seem to be coming from a DSL connection so after they post the message, if they disconnect from the internet and reconnect again, they will get a different IP.

2. Yes, there's a limit so block only the class you're sure you have spam coming from in order to limit 'false positives'.

Using APNIC's Whois we can see that class 122.179 is broken into:

122.179.0.0 - 122.179.127.255
122.179.128.0 - 122.179.191.255
122.179.192.0 - 122.179.255.255


and class 122.169 is widespread into:

122.169.0.0 - 122.169.7.255
122.169.8.0 - 122.169.11.255
122.169.12.0 - 122.169.13.255
122.169.14.0 - 122.169.14.255
122.169.15.0 - 122.169.15.255
...
122.169.112.0 - 122.169.127.255
122.169.128.0 - 122.169.191.255
122.169.192.0 - 122.169.192.255
...


3. Since your audience isn't India and the company they are spamming about is in the US, they were probably hired or outsourced for advertising and they took it too far.
You could research all the IP Blocks their providers have and ban each one of them (e.g. 'BHARTI TELENET LTD.MUMBAI', 'ABTS AP').

Good luck!

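An added example, not part of the original answers: it converts the APNIC sub-ranges quoted in this answer, and the allocation ranges given in @Alves908's answer, into exact CIDR blocks, and keeps only the sub-allocations that actually contain a spam source. The spam addresses are constructed, and only the ranges listed on the page are used (the elided entries are left out).

```python
import ipaddress

# Sub-allocations quoted from the APNIC whois listing in the answer above.
WHOIS_RANGES = [
    ("122.179.0.0", "122.179.127.255"), ("122.179.128.0", "122.179.191.255"),
    ("122.179.192.0", "122.179.255.255"), ("122.169.0.0", "122.169.7.255"),
    ("122.169.8.0", "122.169.11.255"), ("122.169.12.0", "122.169.13.255"),
    ("122.169.14.0", "122.169.14.255"), ("122.169.15.0", "122.169.15.255"),
    ("122.169.112.0", "122.169.127.255"), ("122.169.128.0", "122.169.191.255"),
    ("122.169.192.0", "122.169.192.255"),
]

# Constructed spam-account source addresses (not taken from the page).
SPAM_IPS = ["122.179.3.90", "122.179.45.17", "122.169.14.23", "122.169.130.8"]


def range_to_cidrs(first, last):
    """Exact, minimal CIDR cover of an inclusive first-last IPv4 range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def blocks_with_spam(ranges, spam_ips):
    """Keep only allocations that contain a spam source; return their CIDRs."""
    addrs = [ipaddress.IPv4Address(ip) for ip in spam_ips]
    cidrs = []
    for first, last in ranges:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if any(lo <= a <= hi for a in addrs):
            cidrs.extend(range_to_cidrs(first, last))
    return list(ipaddress.collapse_addresses(cidrs))


def covered(cidrs):
    """Number of addresses a block list denies (the false-positive surface)."""
    return sum(net.num_addresses for net in cidrs)


def nginx_deny_lines(cidrs):
    return [f"deny {net};" for net in cidrs]


if __name__ == "__main__":
    hit = blocks_with_spam(WHOIS_RANGES, SPAM_IPS)
    print("\n".join(nginx_deny_lines(hit)), "->", covered(hit), "addresses")
    # A whole-allocation range rarely fits a single prefix:
    print(range_to_cidrs("122.168.141.0", "122.169.119.255"))
```

With the sample addresses, three blocks covering 49,408 addresses are denied, against 131,072 for the two full /16 ranges.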

