Banning a Range of Named Addresses? Please? I hope?

Hello again!

For the past several weeks, I have had five to fifteen different users of Amazon's Elastic Computing Cloud servers connected to my forum. Not doing anything, just "staring at" the index. A quick web search revealed many website and web forum operators complaining of spam coming from these addresses. They're obviously spambots. I have been banning five to ten of these IP addresses every day, and it is tiresome. Is there any way to ban a range of NAMED addresses using the wildcard character? I really hope there is, because I want these turkeys gone.

Look at this list. And all in the last two to three weeks!

23.20.209.*
23.20.213.*
23.20.253.*

23.22.67.*
23.22.96.*
23.22.105.*
23.22.129.*
23.22.163.*

23.23.4.*
23.23.21.*

50.16.2.*
50.16.133.*

50.17.6.*
50.17.22.*

50.18.97.*

50.19.157.*

54.205.208.*
54.205.221.*

54.211.*
54.211.8.*
54.211.38.*
54.211.118.*
54.211.196.*
54.211.224.*
54.211.250.*

54.221.80.*

54.224.25.*
54.224.44.*
54.224.53.*
54.224.224.*
54.224.54.*
54.224.125.*
54.224.143.*

54.226.7.*
54.226.14.*
54.226.56.*
54.226.152.*
54.226.222.*
54.226.245.*

54.227.41.*

54.234.23.*
54.234.172.*

54.235.60.*

54.237.81.*

54.242.63.*

72.44.59.*

107.20.11.*
107.20.29.*
107.20.30.*
107.20.80.*
107.20.116.*

174.129.60.*
174.129.93.*

184.72.153.*
184.73.37.*
184.73.145.*

If I could just ban ec2-*.amazonaws.com my problem would be solved, but no named address, and no wildcards in the middle of an IP address, will "take" on the User Control/Banlist page. Is there any way to accomplish it?

Thanks,
Theo

Wow. Right before I posted this topic, I banned about ten of them. While I was typing that post, four more connected:

54.224.3.*
54.226.57.*
54.237.104.*
107.22.75.*

See what I mean? Persistent little buggers, aren't they?

You actually don't need to ban them unless they join your forum and spam. You could be banning potential new members IP's and now won't be able to join. The IP's of those bots you're banning could span a wide range of innocent people that now cannot join your forum.

Like RunawayHorses has said, really only IP ban people who have either actually spammed or committed some kind of large offence. If you start banning IPs left, right and centre then you run the risk of banning potential members and other innocent people.

Thanks, but I don't think the two of you read my initial post very carefully. These are NOT potential members, they are most definitely bots, and I banned them with the most specific-yet-somewhat-useful hostmask available to me to my knowledge. Banning any more specifically -- that is, by single, specific address -- will do absolutely nothing against a cloud-based botnet. This way, I am at least slowing them down a bit.

I do NOT want these bots crawling my site. I should think Forumotion would not want them crawling my site, either, as they consume bandwidth for no positive purpose.

If these bots aren't signing up and actually spamming then I wouldn't worry.

Theo Neandonly wrote:Thanks, but I don't think the two of you read my initial post very carefully. These are NOT potential members, they are most definitely bots, and I banned them with the most specific-yet-somewhat-useful hostmask available to me to my knowledge. Banning any more specifically -- that is, by single, specific address -- will do absolutely nothing against a cloud-based botnet. This way, I am at least slowing them down a bit.

I do NOT want these bots crawling my site. I should think Forumotion would not want them crawling my site, either, as they consume bandwidth for no positive purpose.

This is a first, I've never heard of someone banning bots..lol

I don't think you understand what I meant. Banning a single IP address can result in thousands of people being banned depending how populated that area is, because they all share parts of the same address, you can't get around that fact. You cannot single one person out and ban there IP without it affecting other people, because you are banning an "Area" not a single person. You may think you can but you don't have enough information to single one individual out, or "bot". When you ban those bot addresses you are in effect banning people in a particular area.

Hi,

It's not possible from our end to ban anything other then IP Addresses.

However,

Because forumotion has a policy of no "Bad" bots, if somehow you can obtain Buttercup's attention, she can pass the hostname aka 'amazonaws.com' to the devs, who can then simply update the robots page ie help.forumotion.com/robots.txt to disallow them.


Hope this is helpful.


Also, please do take note of my collegues, banning IP Ranges does prevent several thousand potential users.

I hear what you're saying, Darkhorses. It *is* difficult to single out an individual these days because so few IP addresses are static... and that's partly due to the somewhat unexpected growth of the Internet and the limitations of the IPv4 addressing scheme. You understand all that, right? I mean, it's what you seem to be saying.

But I'm not trying to ban an individual, or even a number of individuals here. It's Amazon's Elastic CLOUD Computing service. Which, obviously, means that Amazon has a range (or ranges) of addresses reserved for it. And I want to ban the whole range. If I can ban by named address with wildcards, problem solved. I'd have already banned *.compute-1.amazonaws.com.

You're surprised that I want to ban bots? Derri doesn't seem to understand, either. It's simple: I can foresee a possible harm and want to avert any chance of it.

Thank you, Radiohead.

AmazonAWS is well-known for hosting malicious bots.

Bluetack Internet Security Solutions' forum has a sticky thread titled "AmazonAWS Hacker Botnet List" at the top of their "Hackers, Attackers, Bad Bots & Forum Spammers IPs" forum.

WebmasterWorld.com has a thread entitled "amazonaws.com plays host to wide variety of bad bots" in their "Search Engine Spider and User Agent Identification" forum.

ForumPostersUnion.com has a thread entitled "Dedicated spam server bot running on amazonaws range, IP 23.22.18.215" on their "Dedicated spam server blacklist". (note that five of the bots I've banned are also in the 23.22.*.* range)

Here's an entry from the ZBBlock list, used by MotionMods:
#: 8 @: Wed, 15 Feb 2012 23:15:58 -0600 Running: 0.4.9_Final
Host: ec2-184-72-46-160.us-west-1.compute.amazonaws.com
IP: 184.72.46.160
Score: 1
Violation count: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass -
Query:
Referer:
User Agent: RockMeltEmbedService
Reconstructed URL: http:// WildfireTUBE.Com /

I think it's pretty clear that I'm faaaaar from the first person to have this problem, and that Amazon doesn't give a tin sh*t who uses its "Elastic Cloud Computing Service" or what they use it for. Spammers love it because the extremely dynamic, constantly-shifting IP sharing scheme affords them a nice margin of anonymity from which to do their dirty work.

So, no bad bots, eh? Now how do I contact Buttercup...?

You need to understand that the devs are a very minute team, by that, I mean less then 10, and handles alot of work, so they don't catch everything, but once notified, they rectify it asap, or put it in the 'to do list', assorted by numbers.

You can leave the info here, as you have, and Buttercup will swing by tomorrow when she's in the office at 9am (She works mon-fri, devs can access this forum on sat/sun in case of emergency), or you can send her a PM, keep in mind she does get a few hundred messages over the weekend, so she might need time to reply.
=> https://help.forumotion.com/u6001

By the detail report (or is it a summery?) in the post above, the devs should have enough info to do such a block, however, being a could, if they have additional names, they will need the same details.

Good luck

Yes, they seem very dedicated, and I have a lot of respect for them. Thanks again for the help, Radiohead!

Theo Neandonly wrote:Hello again!

For the past several weeks, I have had five to fifteen different users of Amazon's Elastic Computing Cloud servers connected to my forum. Not doing anything, just "staring at" the index. A quick web search revealed many website and web forum operators complaining of spam coming from these addresses. They're obviously spambots. I have been banning five to ten of these IP addresses every day, and it is tiresome. Is there any way to ban a range of NAMED addresses using the wildcard character? I really hope there is, because I want these turkeys gone.

Look at this list. And all in the last two to three weeks!

If I could just ban ec2-*.amazonaws.com my problem would be solved, but no named address, and no wildcards in the middle of an IP address, will "take" on the User Control/Banlist page. Is there any way to accomplish it?

Thanks,
Theo

Hello Theo,

Fisrt, you should know that on the web it is absolutly normal that open sections be scrolled by bots (like Googlebot for example). There is no danger.
Banning IP will  not change it.
If you don't want to have bots scrolling your forum, you should close you forum to visitors and make it available only to users and members. Like that robots will not able to enter it. Howerver, it is ashame for the traffic of your forum.

Hope it is clearer

Regards

Buttercup