Posted by Michael on 12/06/07 02:09
Chilly8 wrote:
> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
> news:Ze6dnUvZ38qZgMvanZ2dnUVZ_uninZ2d@comcast.com...
>> Chilly8 wrote:
>>> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
>>> news:0v2dnWmDBPFamsvanZ2dnUVZ_j-dnZ2d@comcast.com...
>>>
>>>
>>>>> It appears that by simply blocking incoming traffic from the networks
>>>>> of three data centers around the world has stopped it. I have only seen
>>>>> one "phony" registration all day, coming from China. Blocking all
>>>>> traffic from inHoster in Ukraine, Keymachine in Germany, and
>>>>> FDC servers in Chicago has pretty much stopped the porn bots.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> For now. But how many legitimate users might you be blocking, also?
>>>>
>>>> Blocking an entire range of addresses is almost never the right answer.
>>>> Just the expedient one.
>>>
>>> I doubt I would be blocking any legitimate users, as those sites I mentioned
>>> are all server colocation facilities. It appears that someone has compromised
>>> all the machines at least two of those server farms. It might be possible that
>>> some users, trying to use a proxy from work to avoid detection by the
>>> boss, might be affected by blocking FDC servers, since a couple of
>>> popular anonymity services use FDC for their server needs, but
>>> beyond that, I don't think many legitimate users will be affected, but
>>> there really is no other answer to the problem.
>>>
>>>
>>>
>> There are lots of other answers to the problem. Some have been listed
>> right here. And none of them involve blocking a whole range of IP
>> addresses.
>
> Well, these are all just server farms, where people place web servers, so
> the only humans using the machines, other than people browsing the web
> sites, would be the individual web site admins, so other than maybe
> someone trying to use a Web proxy from work to hide what they are
> doing from the boss, I don't think I would be impacting that many users.
>
> Like I said, blocking all traffic from those three data centers has cut
> the problem of people posting porn links down to almost nothing. I
> get maybe a handful a day, but not the dozens a day I was getting.
> I don't think I will see anymore from folks like SuperXXXPorn
> or BestinWeb. I got them stopped dead in their tracks.
>
> If you are running any servers hosted at the datacenters of Inhoster,
> Keymachine, or FDC servers, you better check and see that
> your servers have not been compromised by these people that
> are doing this. 99.9 percent of the traffic that was posting porn
> links were coming from compromised machines at these data
> centers. And there is no POSSIBLE way I could have
> discovered this without using a main page translated to HTML
> and having all the traffic logged with StatCounter.
>
>
>
Apache logs much?
There are plenty of good utilities to view these logs: analog, awstats
and webalizer just to name a few.
There are hundreds of other ways you could have determined where 'this
bad traffic' is coming from. As they say, knowledge is dangerous, and so
is ignorance.
Like I said in another post:
"This is where your spam is coming from RIGHT NOW, it won't be in a few
weeks time. But that's okay, you will just block those IPs as well! When
you have thousands of blocked IP ranges, are you going to periodically
check them, to see if they have been re-allocated to some poor ISP?"
- Michael
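
The log-based approach mentioned in the post above, as an added example that is not part of the original thread: it counts registration POSTs per source network straight from an Apache combined-format access log. The `/register.php` path, the /24 grouping, and the sample lines (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2007:10:00:01 +0000] "POST /register.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.77 - - [05/Dec/2007:10:00:03 +0000] "POST /register.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.130 - - [05/Dec/2007:10:00:09 +0000] "POST /register.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.5 - - [05/Dec/2007:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [05/Dec/2007:10:02:00 +0000] "POST /register.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Dec/2007:10:03:00 +0000] "GET /register.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def registrations_by_network(lines, path="/register.php", prefix=24):
    """Count POSTs to `path` per source network; returns (counts, skipped)."""
    counts, skipped = Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1          # malformed or truncated log line
            continue
        # Only form submissions matter here; ignore the query string.
        if m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue
        try:
            net = ipaddress.ip_network(f"{m['host']}/{prefix}", strict=False)
        except ValueError:        # HostnameLookups On logs names, not addresses
            skipped += 1
            continue
        counts[str(net)] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = registrations_by_network(SAMPLE_LOG.splitlines())
    for net, n in counts.most_common():
        print(f"{n:5d}  {net}")
    print(f"skipped {skipped} unparseable line(s)")
```

Re-running the same count on fresh logs also shows when a previously noisy network has gone quiet, which is the signal for reviewing an old block.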