Russian/Ukrainian Referer Spam Campaign IPs
It looks like there's a new referer spam campaign underway, with a fresh batch of hosts to block. This one is predominantly promoting Russian and Ukrainian websites. I first caught wind of it from Dave Horsfall, who in late January mentioned on an anti-spam mailing list that he'd seen pills24h.com in his web access logs. I found that domain in my logs too, made a note to look further, and today I got around to poking at it a little.
Since I don't run WordPress or any common blog software, I was surprised to see referer spam suddenly hitting this site in earnest. Most modern spambots are intelligent enough to only target sites vulnerable to their spam. The мудак behind this campaign isn't so discerning, although he's at least bright enough to use IPs that aren't listed in the Stop Forum Spam blacklist. The abuse originates in snowshoe fashion from space allocated to Ukrainian provider Kyivstar / Golden Telecom (AS15895).
Offending hosts
As of July 2018, I've fully blocked all of Kyivstar's prefixes due to persistent abuse, and will no longer be updating this post with individual offending IPs. Kyivstar's prefixes are:
5.248.0.0/16
37.115.0.0/16
37.229.0.0/16
46.118.0.0/15
46.185.0.0/17
46.211.0.0/16
81.23.16.0/20
94.153.0.0/16
109.162.0.0/17
134.249.0.0/16
176.8.0.0/16
178.137.0.0/16
188.163.0.0/17
193.41.60.0/22Here are the individual IPs involved in the spamming campaign between January 2018 and July 2018.
5.248.196.93
5.248.199.158
5.248.253.101
37.115.112.228
37.115.184.155
37.115.185.9
37.115.186.4
46.118.113.100
46.118.113.218
46.118.114.175
46.118.116.121
46.118.117.97
46.118.125.21
46.118.127.172
46.118.152.50
46.118.225.78
46.119.112.98
46.119.113.175
46.119.114.157
46.119.115.60
46.119.115.156
46.119.118.96
46.119.118.153
46.119.121.22
46.119.121.71
46.119.121.187
46.119.122.170
46.119.123.218
46.119.126.51
46.119.126.184
46.185.74.179
46.185.119.21
46.211.13.134
109.162.66.73
134.249.48.151
134.249.48.174
134.249.52.34
134.249.53.158
134.249.54.27
134.249.55.53
134.249.66.84
176.8.89.165
178.137.16.45
178.137.16.67
178.137.16.174
178.137.18.222
178.137.55.200
178.137.82.153
178.137.83.231
178.137.86.85
178.137.86.152
178.137.88.8
178.137.88.90
178.137.89.148
178.137.91.90
178.137.92.135
178.137.160.170
178.137.160.220
178.137.162.218
178.137.163.137
178.137.165.61
178.137.167.106
178.137.178.122
178.159.37.55
178.159.49.228
188.163.72.38
188.163.79.63Here are the domains each host has been pimping.
5.248.196.93
beachtoday.ru
5.248.199.158
avtovykup.kz
5.248.253.101
4inn.ru
37.115.112.228
komukc.com.ua
pills24h.com
studentguide.ru
37.115.184.155
balkanfarma.org
fishtauto.ru
gazel-72.ru
iptvuk.co.uk
krasivoe-hd.net
natprof.ru
petrushka-restoran.ru
pills24h.com
rocketchange.ru
37.115.185.9
filesclub.net
37.115.186.4
gandikapper.ru
jjbabskoe.ru
46.118.113.100
svetka.info
46.118.113.218
moinozhki.com
yhirurga.ru
46.118.114.175
bird1.ru
pills24h.com
t-rec.su
46.118.116.121
doxyporno.com
raschtextil.com.ua
46.118.117.97
ogorodnic.com
pills24h.com
46.118.125.21
gazel-72.ru
krasivoe-hd.net
46.118.127.172
online-sbank.ru
46.118.152.50
pornohd1080.online
46.118.225.78
no-rx.info
pills24h.com
46.119.112.98
flowertherapy.ru
skinali.photo-clip.ru
46.119.113.175
avtorskoe-vino.ru
cryptoswap.biz
electronic-component.org
doxyporno.com
kinoduh.ru
kollekcioner.ru
popugauka.ru
raschtextil.com.ua
supermama.top
superoboi.com.ua
truebeauty.cc
whoiswho.crimea.ua
46.119.114.157
sildenafil-tadalafil.info
46.119.115.60
drugs-no-rx.info
englishtopik.ru
46.119.115.156
hard-porn.mobi
jjbabskoe.ru
xn--d1abj0abs9d.in.ua (IDN: пептиды.in.ua)
46.119.118.96
komputers-best.ru
magnetic-bracelets.ru
scat.porn
46.119.118.153
elementspluss.ru
46.119.121.22
www.xn--80aaajkrncdlqdh6ane8t.xn--p1ai (IDN: www.мягкиеокнасаранск.рф)
46.119.121.71
5elementov.ru
buynorxx.com
en.home-task.com
pillscheap24h.com
spy-app.info
46.119.121.187
sladkoevideo.com
46.119.122.170
www.inet-shop.su
www.sundrugstore.com
46.119.123.218
perl.dp.ua
46.119.126.51
pills24h.com
46.119.126.184
luckybull.io
46.185.74.179
flowertherapy.ru
46.185.119.21
sinhronperevod.ru
46.211.13.134
polyana-skazok.org.ua
strady.org.ua
suzuki-metropolis.kiev.ua
td-l-market.ru
109.162.66.73
eduserver.net
filesdatabase.net
officedocuments.net
134.249.48.151
kozhakoshek.com
meriton.ru
metallo-konstruktsii.ru
134.249.48.174
kino2018.cc
134.249.52.34
www.stavimdveri.ru
134.249.53.158
bonkers.name
skinali.photo-clip.ru
zelena-mriya.com.ua
134.249.54.27
kinosed.net
shops-ru.ru
xn----7sbabn5abjehfwi8bj.xn--p1ai (IDN: каталог-скинали.рф)
134.249.55.53
gazel-72.ru
profnastil-moscow.ru
134.249.66.84
rql.kiev.ua
176.8.89.165
porno-chaman.info
xn----8sblgmbj1a1bk8l.xn----161-4vemb6cjl7anbaea3afninj.xn--p1ai (IDN: жк-династия.новостройки-ростова-161.рф)
178.137.16.45
chatroulette.life
drugs-no-rx.info
headpharmacy.com
online-sbank.ru
178.137.16.67
skinali.photo-clip.ru
178.137.16.174
buynorxx.com
komp-pomosch.ru
178.137.18.222
avtorskoe-vino.ru
truebeauty.cc
178.137.55.200
all-news.kz
178.137.82.153
buypuppies.ca
bonkers.name
chatroulette.life
hentai-manga.porn
perl.dp.ua
pospektr.ru
178.137.83.231
metallo-konstruktsii.ru
178.137.86.85
tattoo-stickers.ru
178.137.86.152
vzube.com
178.137.88.8
www.regionshop.biz
178.137.88.90
officedocuments.net
178.137.89.148
www.rospromtest.ru
178.137.91.90
picturesmania.com
rieltor.crimea.ua
178.137.92.135
slomm.ru
178.137.160.170
www.atyks.ru
178.137.160.220
xn----ctbigni3aj4h.xn--p1ai (IDN: первый-жк.рф)
178.137.162.218
gezlev.com.ua
178.137.163.137
pills24h.com
178.137.165.61
ofermerah.com
178.137.167.106
vkonche.com
178.137.178.122
pills24h.com
178.159.37.55
studentguide.ru
www.feminist.org.ua
178.159.49.228
www.atraining.ru
188.163.72.38
aanapa.ru
vzube.com
www.etotupo.ru
188.163.79.63
aanapa.ru
adobereader-free.ru
fanoboi.com
healgastro.com
kipu.crimea.ua
kozhakoshek.com
meriton.ru
pornosmola.info
sovetogorod.ru
tam-gde-more.ru
vzube.com
www.etotupo.ru
xtremeeagles.net
Update history:
Feb 11: Added 46.119.123.218, 178.137.162.218
Feb 12: Added 46.118.116.121, 188.163.72.38
Feb 16: Added 134.249.48.151, 178.137.16.45, 178.137.178.122
Feb 20: Added 134.249.66.84
Feb 21: Added 37.115.112.228
Feb 25: Added 178.159.37.55
Feb 27: Added 46.118.125.21, 46.119.114.157
Mar 06: Added 46.119.126.51
Mar 07: Added 178.137.16.174, 178.137.18.222
Mar 12: Added 134.249.53.158
Mar 16: Added 46.118.152.50
Mar 17: Added 46.119.121.22, 178.137.91.90
Mar 18: Added 46.119.122.170, 178.137.86.152
Mar 23: Added 46.118.113.100
Mar 24: Added 134.249.55.53
Mar 29: Added 46.118.127.172
Mar 30: Added 5.248.253.101
Apr 14: Added 178.159.49.228
Apr 20: Added 5.248.196.93
May 03: Added 37.115.185.9, 178.137.165.61
May 04: Added 46.118.114.175, 46.119.118.96
May 15: Added 178.137.86.85, 178.137.88.90, 178.137.92.135
May 16: Added 178.137.88.8
May 17: Added 5.248.199.158
May 29: Added 46.185.74.179
Jun 01: Added 109.162.66.73, 134.249.52.34, 134.249.54.27, 178.137.163.137
Jun 03: Added 46.119.112.98
Jun 15: Added 37.115.186.4, 134.249.48.174, 178.137.160.170
Jun 16: Added 178.137.83.231
Jun 20: Added 46.118.117.97, 46.119.118.153, 46.119.126.184, 46.185.119.21
Jun 21: Added 46.118.113.218
Jul 02: Added 46.119.115.156, 46.119.121.187, 176.8.89.165
Jul 07: Added 178.137.16.67, 178.137.89.148, 178.137.160.220
Jul 10: Completely firewalled all Kyivstar prefixes