I’ve Started Banning Whole Countries

Friday, June 27th, 2014

I have been writing programs to analyze my web server logs. My hosting company penalizes me for PHP executions and charges more if I have too much traffic. I had to start blocking IP addresses. Next, I started adding ranges of IP addresses, and today I’ve started adding countries.

My analysis shows that 100% of all traffic from Russia and China has been comment spam, password guessing robots, exploit testers, or crawlers looking for something on my web pages. I received no legitimate hits on my websites that I could find from Russia or China.

I now have about 25% of the original traffic on my sites, but my analysis has shown no loss in real people – the people who click links and buy stuff from my websites. At least 75% of the hits on my sites were from spam and other malicious robots.

Now, whenever I see more than 100 hits from a website, I look up the IP at lacnic.net and ban the whole subnet. Here is an example from my .htaccess file.

# EVERHOST Internet Service Provider ro
deny from 188.240.128.0/20

This is a hosting company in Romania. They deserve to be banned. There is no way a program running on a hosting company should be accessing my site.

Here is another:

# China Mobile Communications Corporation
deny from 117.168.0.0/14

This is a huge block coming from China Mobile. I can’t believe that a cell phone is running a robot, so they must offer hosting or a way to use broadband so an infected PC is hitting my site. I have never had a legitimate hit on one of my websites from this block as far as I know.

I don’t feel bad about blocking a quarter of a million IP numbers from accessing my site. I have tried reporting IP addresses using the abuse email from their network pages, but either the email bounces or they do nothing about it. Some network admins do something, but most just open a ticket and the hits keep coming. My plugin to report spam to networks was a total waste of time.

Today I banned the entire country of Bulgaria, and I think I will also ban Ukraine. I get lots of repeat offenders from these countries.

My spam software automatically adds anything detected by Akismet or Stop Spammers. I get lots of hits which result in things like this in my .htaccess file:

deny from 87.229.177.122

This is an ISP in Russia:

111250 Russia SOVINTEL/EDN et SovamTelePort
p2p and static IP pool for (xEthr, xDSL, Wi-Fi .. )

If I report to their abuse, I get an email telling me that my request must be in Russian. I need to add:

deny from 87.229.176.0/21

to my .htaccess file. This would kill access by a whole bunch of Russians.

There comes a time when I sort the .htaccess file and notice dozens of bad hits on IPs starting with 87.229. That’s when I need to ban large blocks, and now sometimes whole countries.
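
The sorting step described above can be automated. The following is an added example, not the author's own program: it reads `deny from` lines, lists single-IP rules already covered by a block rule, and for each 16-bit prefix with several offenders reports the smallest CIDR block spanning them, as a starting point for the whois lookup. The sample file is constructed (only 188.240.128.0/20 and 87.229.177.122 come from the post), and the threshold of 3 and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample .htaccess; most addresses are made up for illustration.
SAMPLE_HTACCESS = """\
# EVERHOST Internet Service Provider ro
deny from 188.240.128.0/20
deny from 188.240.130.7
deny from 87.229.177.122
deny from 87.229.176.15
deny from 87.229.179.201
deny from 87.229.182.44
deny from 203.0.113.9
"""

def parse_deny(text):
    """Return (networks, hosts) from 'deny from' lines; other lines are skipped."""
    nets, hosts = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or [p.lower() for p in parts[:2]] != ["deny", "from"]:
            continue
        try:
            net = ipaddress.ip_network(parts[2], strict=False)
        except ValueError:  # hostnames, "all", partial addresses
            continue
        (hosts if net.prefixlen == net.max_prefixlen else nets).append(net)
    return nets, hosts

def covering_block(hosts):
    """Smallest single CIDR block containing every host in the list."""
    block = hosts[0]
    while not all(h.subnet_of(block) for h in hosts):
        block = block.supernet()
    return block

def review(text, threshold=3):
    """Return (redundant single IPs, {16-bit prefix: block spanning its offenders})."""
    nets, hosts = parse_deny(text)
    redundant = [h for h in hosts
                 if any(h.version == n.version and h.subnet_of(n) for n in nets)]
    groups = defaultdict(list)
    for h in hosts:
        if h not in redundant:
            groups[h.supernet(new_prefix=16)].append(h)
    candidates = {str(p): str(covering_block(g))
                  for p, g in groups.items() if len(g) >= threshold}
    return [str(h.network_address) for h in redundant], candidates

if __name__ == "__main__":
    redundant, candidates = review(SAMPLE_HTACCESS)
    print("already covered by a block rule:", redundant)
    for prefix, block in candidates.items():
        print(f"{prefix}: check whois, offenders span {block}")
```

The spanning block is only a hint: it can cross allocation boundaries, so the whois record still decides which range to deny. On Apache 2.4 the equivalent of `deny from` is `Require not ip` inside a `<RequireAll>` block.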