(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



Russian/Ukrainian Referer Spam Campaign IPs

Posted February 08, 2018 by shaun

It looks like there's a new referer spam campaign underway, with a fresh batch of hosts to block. This one is predominantly promoting Russian and Ukrainian websites. I first caught wind of it from Dave Horsfall, who in late January mentioned on an anti-spam mailing list that he'd seen pills24h.com in his web access logs. I found that domain in my logs too, made a note to look further, and today I got around to poking at it a little.

Since I don't run WordPress or any common blog software, I was surprised to see referer spam suddenly hitting this site in earnest. Most modern spambots are intelligent enough to only target sites vulnerable to their spam. The мудак behind this campaign isn't so discerning, although he's at least bright enough to use IPs that aren't listed in the Stop Forum Spam blacklist. The abuse originates in snowshoe fashion from space allocated to Ukrainian provider Kyivstar / Golden Telecom (AS15895).
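One way to surface this pattern in your own access logs, as an added example that is not part of the original post: it pulls foreign Referer hostnames per client out of combined-format log lines, then rolls the clients up by covering network so that a snowshoe spread across one provider's space stands out. The function names, the sample log lines (documentation address ranges and `.example` names) and the `/24` rollup are constructed for illustration; a foreign Referer alone only marks a candidate for review, since genuine inbound links look the same.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')

def foreign_referers(lines, own_hosts, prefixes=()):
    """Map client IP -> set of Referer hostnames that are not our own sites.
    If prefixes is given, only clients inside those networks are reported."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        try:
            ip = ipaddress.ip_address(m["ip"])
            host = (urlsplit(m["ref"]).hostname or "").lower()
        except ValueError:
            continue  # hostname logged instead of an IP, or malformed Referer
        if nets and not any(ip in n for n in nets):
            continue
        if host and host not in own_hosts:
            seen[str(ip)].add(host)
    return dict(seen)

def rollup(seen, prefixlen=16):
    """Per covering network: (distinct client IPs, distinct referer hosts).
    Many low-volume clients inside one block is the snowshoe signature."""
    blocks = defaultdict(lambda: (set(), set()))
    for ip, hosts in seen.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        ips, doms = blocks[str(net)]
        ips.add(ip)
        doms.update(hosts)
    return {net: (len(i), len(d)) for net, (i, d) in blocks.items()}

# Constructed sample: documentation address ranges and .example names only.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Feb/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "http://pills.example/" "Mozilla/5.0"',
    '198.51.100.93 - - [08/Feb/2018:10:02:44 +0000] "GET / HTTP/1.1" 200 5120 "http://pills.example/buy" "Mozilla/5.0"',
    '198.51.100.93 - - [08/Feb/2018:10:02:50 +0000] "GET /blog HTTP/1.1" 200 812 "https://casino.example/" "Mozilla/5.0"',
    '203.0.113.20 - - [08/Feb/2018:10:03:10 +0000] "GET /blog HTTP/1.1" 200 812 "https://blog.example.org/" "Mozilla/5.0"',
    '203.0.113.20 - - [08/Feb/2018:10:03:12 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
OWN = {"blog.example.org"}  # hostnames this server answers for (assumed)
```

Pass the networks you already suspect as `prefixes` to limit the report to them, and pick a `prefixlen` that matches how the provider's space is allocated.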

Offending hosts

As of July 2018, I've fully blocked all of Kyivstar's prefixes due to persistent abuse, and will no longer be updating this post with individual offending IPs. Kyivstar's prefixes are:


Here are the individual IPs involved in the spamming campaign between January 2018 and July 2018.


Here are the domains each host has been pimping.



Update history:

Feb 11: Added 46.119.123.218, 178.137.162.218
Feb 12: Added 46.118.116.121, 188.163.72.38
Feb 16: Added 134.249.48.151, 178.137.16.45, 178.137.178.122
Feb 20: Added 134.249.66.84
Feb 21: Added 37.115.112.228
Feb 25: Added 178.159.37.55
Feb 27: Added 46.118.125.21, 46.119.114.157
Mar 06: Added 46.119.126.51
Mar 07: Added 178.137.16.174, 178.137.18.222
Mar 12: Added 134.249.53.158
Mar 16: Added 46.118.152.50
Mar 17: Added 46.119.121.22, 178.137.91.90
Mar 18: Added 46.119.122.170, 178.137.86.152
Mar 23: Added 46.118.113.100
Mar 24: Added 134.249.55.53
Mar 29: Added 46.118.127.172
Mar 30: Added 5.248.253.101
Apr 14: Added 178.159.49.228
Apr 20: Added 5.248.196.93
May 03: Added 37.115.185.9, 178.137.165.61
May 04: Added 46.118.114.175, 46.119.118.96
May 15: Added 178.137.86.85, 178.137.88.90, 178.137.92.135
May 16: Added 178.137.88.8
May 17: Added 5.248.199.158
May 29: Added 46.185.74.179
Jun 01: Added 109.162.66.73, 134.249.52.34, 134.249.54.27, 178.137.163.137
Jun 03: Added 46.119.112.98
Jun 15: Added 37.115.186.4, 134.249.48.174, 178.137.160.170
Jun 16: Added 178.137.83.231
Jun 20: Added 46.118.117.97, 46.119.118.153, 46.119.126.184, 46.185.119.21
Jun 21: Added 46.118.113.218
Jul 02: Added 46.119.115.156, 46.119.121.187, 176.8.89.165
Jul 07: Added 178.137.16.67, 178.137.89.148, 178.137.160.220
Jul 10: Completely firewalled all Kyivstar prefixes

