Bad Neighborhood IP List

I am always looking for alternate ways to block spam. Spam is taking up about 70% of the bandwidth on my websites and causing problems for me. Web hosting companies charge me more because of the number of executions and bandwidth generated by spammers.

I wound up having to pay for the bandwidth from spammers. If I “deny” an IP or range of IP numbers I am not charged for those hits. It never hits a PHP file and does not generate any CPU time.

I have a program which adds to the .htaccess file every time Akismet, Stop Spammers or my plugin kill-agents discovers an abusive user.

The plugin just adds an IP address, but then I noticed that spammers tend to come from the same neighborhood, or 24-bit subnet. This makes sense. A host, like China Mobile, that does nothing to stop a spam farm will harbor multiple spam farms on the same network. You make a normal IP address into a 24-bit subnet by dropping the part after the last period in the IP or by putting /24 at the end. I do this manually right now, and only when I see lots of spam coming from the same subnet.

The upside of this is that the deny list is short. The downside is that you ban 256 IP addresses for each line of the file. It may be that one of those 256 is legit. This, however, is not likely. Most spammers need a host machine that they can use for installing complex software. The hosts that tolerate this behavior own blocks of IP addresses. Any traffic coming from that block is not human; it has to be a program. Humans come from Internet Service Providers, who give different blocks out to the humans using the service to surf the web. Sometimes the PCs owned by humans can have malware that can send out spam, but often that is not comment spam or login dictionary attacks; it is simple email spam. It is generally safe to block a network neighborhood because of a spammer. Where there is one, there will soon be others.

Here is my current .htaccess file. I am testing it with blogseye.com. Since I have started using it my spam hits are about 10% of what they used to be.

Download the following list and add it to the top of your .htaccess file for your website. It is updated automatically whenever Akismet or Stop Spammers detects a spammer.

This list is not free!

If you intend to use this list you must go to the donate page and leave a donation through PayPal or bitcoins as soon as possible.

You can get the list from https://www.blogseye.com/htaccess.txt.

If your business model involves users from China, you may have to remove the lines for China Mobile and ChinaNet. I gave up blocking individual IP addresses and started blacklisting at the ISP level. My reports of abuse were ignored. Yandex and a few other robots are blocked. Yandex at one time was 95% of the traffic on one of my sites and would cause spikes when it spidered sites with large numbers of pages. My hosting company knocked me offline and I had to pay nearly twice as much to keep the websites, all because of Yandex. Unless your websites need a few dozen Russian users (even in Russia they use Google), don’t unblock Yandex.

The list is automated and updated with spammers as they are discovered. Right now it is just BlogsEye.com, but in the future I will relocate the software to a higher volume site with a higher Google page-rank. This will attract more spammers. That site will send the file here hourly.

This is working much better than I thought it would.

Use FTP to update the .htaccess file in case you accidentally lock yourself out of HTTP. Make a backup of the working .htaccess file before you do an update. When you change the .htaccess file on your site, check the website in a browser to make sure that you are not locked out. If you find that you are, back off the changes by restoring the backed-up .htaccess. Don’t attempt to modify your .htaccess file unless you are confident that you can fix any problems.

Cloudflare may give you problems, and blocking will not work because everyone comes through the Cloudflare IP. I would avoid Cloudflare because they let spammers access your site using their IP addresses.

Google Chrome proxy might be blocked. Until Google can release a proxy white list, spammers will use this Google back door and the Google IPs will be marked as spam sources.

How it works

Akismet has a do_action when it discovers spam. I added another do_action to the Stop Spammers plugin. This allows you to make new plugins that act whenever one of these plugins discovers spam. I made one that records the spammer’s IP. I save this in a list and have a program to format this so I can add it to my .htaccess file.

I have now automated the production of the file. I should never see a spammer more than once. I have not had a spammer in over an hour and I used to get about 50 an hour. I get about 20 spammers a day and each day I get fewer.
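The formatting step described above, sketched as an added example (this is not the author's program): it turns a list of reported IPs into deny lines, collapses a neighborhood to a /24 only once several distinct addresses from it have been seen, and never writes a line that would cover your own address. The `Deny from` syntax, the threshold of 3 and the allow list are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (documentation ranges, not real spammers).
SPAM_IPS = [
    "203.0.113.5", "203.0.113.77", "203.0.113.200",  # three hits, one /24
    "198.51.100.9",                                   # a single hit
    "192.0.2.14", "192.0.2.15",                       # second one is the admin
    "not-an-ip",                                      # malformed entry
]
ALLOW = ["192.0.2.15"]   # hypothetical: your own address, never block its /24
THRESHOLD = 3            # assumed cut-off for "lots of spam from one subnet"


def build_deny_lines(spam_ips, allow=(), threshold=THRESHOLD):
    """Return sorted Apache 'Deny from' lines for the reported IPs."""
    allowed = [ipaddress.ip_address(a) for a in allow]
    by_subnet = defaultdict(set)
    for raw in spam_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue                      # skip garbage instead of writing it
        if ip.version != 4 or ip in allowed:
            continue                      # /24 grouping here is IPv4 only
        # Dropping the last octet: 203.0.113.77 -> 203.0.113.0/24
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_subnet[net].add(ip)

    entries = []
    for net, ips in by_subnet.items():
        covers_allowed = any(a in net for a in allowed)
        if len(ips) >= threshold and not covers_allowed:
            entries.append((net.network_address, f"Deny from {net}"))
        else:
            entries.extend((ip, f"Deny from {ip}") for ip in ips)
    return [line for _, line in sorted(entries)]


if __name__ == "__main__":
    print("\n".join(build_deny_lines(SPAM_IPS, ALLOW)))
```

Repeated reports of one address count once, so a single noisy spammer does not get a whole neighborhood banned on its own.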
