$this = (new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


Russian/Ukrainian Referer Spam Campaign IPs

Posted February 08, 2018 by shaun

It looks like there's a new referer spam campaign underway, with a fresh batch of hosts to block. This one is predominantly promoting Russian and Ukrainian websites. I first caught wind of it from Dave Horsfall, who in late January mentioned on an anti-spam mailing list that he'd seen pills24h.com in his web access logs. I found that domain in my logs too, made a note to look further, and today I got around to poking at it a little.

Since I don't run WordPress or any common blog software, I was surprised to see referer spam suddenly hitting this site in earnest. Most modern spambots are intelligent enough to only target sites vulnerable to their spam. The cretin behind this campaign isn't so discerning, although he's at least bright enough to use IPs that aren't listed in the Stop Forum Spam blacklist.

Offending hosts

For your blocking pleasure, here are the IPs involved in the spamming campaign:


Here are the domains each host has been pimping.


I'll update this post if I see new IPs joining the party.


Updated February 11: Added 46.119.123.218 and 178.137.162.218

Updated February 12: Added 46.118.116.121 and 188.163.72.38

Updated February 16: Added 134.249.48.151, 178.137.16.45, and 178.137.178.122

Updated February 20: Added 134.249.66.84
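
One way to pull a host-to-referer mapping like this out of a web access log, as an added example rather than the author's own tooling. It assumes Apache/nginx combined log format, uses `blog.example.org` as a placeholder for your own hostname, and runs on constructed log lines with documentation-range client IPs; the threshold of three distinct referers is an assumed heuristic to tune.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field; Apache escapes embedded quotes as \"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED)

def referer_hosts_by_ip(lines, own_hosts):
    """Map each client IP to the set of external hostnames it sent as Referer."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        try:
            host = (urlsplit(m.group(3)).hostname or "").lower()
        except ValueError:                # malformed URL in the Referer field
            continue
        if host and host not in own_hosts:
            seen[m.group(1)].add(host)
    return seen

def suspects(lines, own_hosts, known_spam=(), min_hosts=3):
    """IPs that sent a known spam referer, or min_hosts or more distinct external ones."""
    known = {d.lower() for d in known_spam}
    return {ip: sorted(hosts)
            for ip, hosts in referer_hosts_by_ip(lines, own_hosts).items()
            if hosts & known or len(hosts) >= min_hosts}

def _line(ip, referer):  # builds one constructed log line
    return f'{ip} - - [08/Feb/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'

SAMPLE_LOG = [  # constructed traffic; client IPs are from documentation ranges
    _line("203.0.113.7", "http://pills24h.com/"),               # domain named in the post
    _line("198.51.100.9", "http://one.example/"),
    _line("198.51.100.9", "http://two.example/buy"),
    _line("198.51.100.9", "https://THREE.example/"),
    _line("192.0.2.44", "https://blog.example.org/archive"),    # own site, ignored
    _line("192.0.2.45", "https://search.example.net/?q=x"),     # one external referer
    _line("192.0.2.46", "-"),                                   # no referer sent
    "garbage line",                                             # skipped by the parser
]

if __name__ == "__main__":
    for ip, hosts in suspects(SAMPLE_LOG, {"blog.example.org"}, ["pills24h.com"]).items():
        print(ip, " ".join(hosts))
```

A visitor with a single external referer is left alone; only a known spam domain or a spread of unrelated referer hosts from one IP puts it in the output, which can then feed a block list.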


