$this = (new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


Russian/Ukrainian Referer Spam Campaign IPs

Posted February 08, 2018 by shaun

It looks like there's a new referer spam campaign underway, with a fresh batch of hosts to block. This one is predominantly promoting Russian and Ukrainian websites. I first caught wind of it from Dave Horsfall, who in late January mentioned on an anti-spam mailing list that he'd seen pills24h.com in his web access logs. I found that domain in my logs too, made a note to look further, and today I got around to poking at it a little.

Since I don't run WordPress or any common blog software, I was surprised to see referer spam suddenly hitting this site in earnest. Most modern spambots are intelligent enough to only target sites vulnerable to their spam. The мудак behind this campaign isn't so discerning, although he's at least bright enough to use IPs that aren't listed in the Stop Forum Spam blacklist. The abuse originates in snowshoe fashion from space allocated to Ukrainian provider Kyivstar / Golden Telecom (AS15895).

Offending hosts

For your blocking pleasure, here are the IPs involved in the spamming campaign:


Here are the domains each host has been pimping.


I'll update this post as I see new IPs joining the party.


Feb 11: Added 46.119.123.218, 178.137.162.218
Feb 12: Added 46.118.116.121, 188.163.72.38
Feb 16: Added 134.249.48.151, 178.137.16.45, 178.137.178.122
Feb 20: Added 134.249.66.84
Feb 21: Added 37.115.112.228
Feb 25: Added 178.159.37.55
Feb 27: Added 46.118.125.21, 46.119.114.157
Mar 06: Added 46.119.126.51
Mar 07: Added 178.137.16.174, 178.137.18.222
Mar 12: Added 134.249.53.158    
Mar 16: Added 46.118.152.50
Mar 17: Added 46.119.121.22, 178.137.91.90
Mar 18: Added 46.119.122.170, 178.137.86.152
Mar 23: Added 46.118.113.100
Mar 24: Added 134.249.55.53
Mar 29: Added 46.118.127.172
Mar 30: Added 5.248.253.101
Apr 14: Added 178.159.49.228
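
One way to build a per-host listing of promoted domains from a web access log, as an added example rather than the tooling used for this post. It assumes Apache/nginx combined log format; the function names, thresholds, and sample lines (documentation IP ranges and `.example` domains) are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def referers_by_ip(lines, own_hosts, allowlist=frozenset()):
    """Map client IP -> set of external referer hostnames it presented."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            host = (urlsplit(m["ref"]).hostname or "").lower() if m else ""
        except ValueError:  # malformed referer URL
            host = ""
        host = host[4:] if host.startswith("www.") else host
        if host and host not in own_hosts and host not in allowlist:
            seen[m["ip"]].add(host)
    return seen

def suspects(seen, min_domains=2, min_ips=2):
    """Flag IPs that push several domains, or a domain other IPs also push."""
    ips_per_host = defaultdict(set)
    for ip, hosts in seen.items():
        for h in hosts:
            ips_per_host[h].add(ip)
    shared = {h for h, ips in ips_per_host.items() if len(ips) >= min_ips}
    return {ip: sorted(hs) for ip, hs in seen.items()
            if len(hs) >= min_domains or hs & shared}

def by_network(ips, prefix=16):
    """Group IPv4 addresses by covering network to expose snowshoe spread."""
    nets = defaultdict(list)
    for ip in sorted(ips, key=ipaddress.ip_address):
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].append(ip)
    return dict(nets)

# Constructed sample log lines; not taken from real traffic.
def _line(ip, ref):
    return (f'{ip} - - [08/Feb/2018:10:00:00 +0000] "GET / HTTP/1.1" '
            f'200 512 "{ref}" "Mozilla/5.0"')

SAMPLE_LOG = [_line(ip, ref) for ip, ref in [
    ("198.51.100.7", "http://pills.example/"), ("198.51.100.7", "http://loans.example/x"),
    ("198.51.100.90", "http://www.pills.example/"), ("203.0.113.5", "http://news.example/"),
    ("203.0.113.9", "-"), ("192.0.2.44", "https://blog.example/about")]]
```

Pass known legitimate referrers (search engines, sites that genuinely link to you) in `allowlist`, since a popular real referrer is also seen from many client IPs and would otherwise trip the shared-domain rule.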

