Strange behaviour, abuse report gets rejected by mail server
Howdy,
While analyzing my log files from http://raymii.org I saw some very strange behaviour. Recently I put up a mobile version of the website. I had a page where you could make short URL's. The mobile version has the same pages, just different layout.
Now that mobile page (http://raymii.org/cms/m.php?title=surl) gets hammered by Chinese IPs. Look:
58 113.108.201.189
67 210.211.109.144
67 210.211.109.147
73 196.40.15.83
79 80.191.248.253
81 219.157.200.19
97 68.224.80.105
100 91.121.87.182
114 80.63.56.147
136 180.168.155.250
295 218.7.191.182
346 95.82.78.5
374 85.194.84.197
559 221.234.24.46
Via:
grep "surl" /var/log/lighttpd/access.log | grep "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" | grep -Eo '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' | sort | uniq -c | sort -bnr
This is from one day (yesterday), and while this grep only goes for this user agent (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1), all the visitors with that user agent only visit that page. I do not get any PHP errors or anything.
Now I've reported to the abuse addresses for these IPs, but all I get are these kinds of errors from Google Apps:
Delivery to the following recipient failed permanently:
[email protected]
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 domain [relst.nl] not allowed.
The IPs are blocked in lighttpd and iptables, the user agent also (just done that, hope it helps). My server does not have a lot of extra load or so, I just don't like my bandwidth going away.
What more can I do?
(Oh, btw, I'm on the night shift this week, so I'll be sleeping for a few hours in a minute, could take a while before I reply)
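As an added example (not code from the thread), here is the same hunt done as a small log parser instead of a grep chain: it reads lighttpd's combined-format access log (assumed to be the configured accesslog.format), counts hits per client IP on the short-URL page for one User-Agent, flags IPs over a threshold, and tallies the Referers those hits carried. The log lines are constructed samples.

```python
import re
from collections import Counter

# Assumes lighttpd is logging in the Apache "combined" layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_ips(lines, path_fragment, user_agent, threshold):
    """Count hits per client IP on paths containing path_fragment sent with exactly
    user_agent; return (ip, hits) pairs at or above threshold, highest first, plus a
    Counter of the Referer values those hits carried."""
    hits = Counter()
    referers = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the whole run
        if path_fragment in rec["path"] and rec["ua"] == user_agent:
            hits[rec["ip"]] += 1
            referers[rec["referer"]] += 1
    flagged = [(ip, n) for ip, n in hits.most_common() if n >= threshold]
    return flagged, referers

# Constructed sample log lines (not from the thread); 192.0.2.x are documentation addresses.
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
SAMPLE = [
    f'192.0.2.10 - - [10/Jan/2012:03:14:07 +0100] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "http://example.net/comments/1" "{UA}"',
] * 3 + [
    f'192.0.2.20 - - [10/Jan/2012:03:15:01 +0100] "GET /cms/m.php?title=surl HTTP/1.1" 200 512 "-" "{UA}"',
    f'192.0.2.30 - - [10/Jan/2012:03:16:22 +0100] "GET /cms/index.php HTTP/1.1" 200 2048 "-" "{UA}"',
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    flagged, refs = suspicious_ips(SAMPLE, "surl", UA, threshold=2)
    for ip, n in flagged:
        print(f"{n:>5} {ip}")
    for ref, n in refs.most_common():
        print(f"{n:>5} {ref}")
```

On a real log, pass `open("/var/log/lighttpd/access.log")` as `lines`; the flagged list is what you would feed to a lighttpd deny rule or an iptables set.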
Comments
Try fail2ban and/or ban China entirely from visiting your site, assuming the problem persists.
Probably the domain of Chinese state hackers, and they don't care to respond to your abuse requests. They probably have a football-sized screen showing each of those abuse reports as a good laugh.
Actually 68.224.80.105 is a Cox IP: http://bgp.he.net/ip/68.224.80.105#_whois
Were people actually using your service?
lol
So can you please modify your PHP code to track Chinese visitors' behavior?
How would I ban the whole of China? Is there an IP range?
Correct. Not all IPs are Chinese, but all the user agents are the same.
It was three text boxes in which you would type a URL; the page would send you to the API variant of hyv.es, is.gd or bit.ly. And yes, according to the logs it was used a lot (30+ times a month, which for my website is a lot, with about 200-350 unique visitors/day total).
Only since I've enabled the mobile version has this started to happen. And other than the user agent, most of them came via these referers:
8) 1827 http://www.kino-govno.com/comments/34810
9) 1650 http://www.kino-govno.com/comments/35236
10) 1502 http://www.kino-govno.com/comments/35097
11) 1304 http://kino-govno.com/comments/34810
12) 1209 http://kino-govno.com/comments/35236
13) 1139 http://www.kino-govno.com/comments/35020
14) 1123 http://www.kino-govno.com/comments/34665
15) 1090 http://www.kino-govno.com/comments/35196
16) 1036 http://www.kino-govno.com/comments/35170
@Aldryic you can read Russian, right? What kind of a site is that?
I see movie trailers there.
That's a Firefox useragent... of course there are going to be a lot of people with it, a lot of people use Firefox on Windows 64bit Vista/7....
@Raymii
That's a very popular website about movies. All I can suggest is that bots wrote comments on those pages and users clicked them, then moderators deleted those comments.
Well, the strange traffic has stopped now that I've blocked the IPs and the UAs.
@DimeCadmium I know, but when one user agent (a desktop UA) gives way too many hits on a mobile page, which it did not do before, bad luck for them. I've not yet heard any complaints...