I have written several times in the past about the tedious crud which hits my blog spam filters. Of late I have seen an increase in spam which looks, at first sight, plausible comment, but on closer inspection turns out to have the usual links to sites flogging cheap copies of western luxury goods. A recent analysis showed that around 60-70% of all that crud was coming from IP addresses in the ranges 220.127.116.11/24 and 18.104.22.168/22. These blocks are both owned by a company called IPTelligent, based (apparently) in Miami, Florida. In fact IPTelligent seems to own the larger blocks 22.214.171.124/19 and 126.96.36.199/20 (or over 12,000 IP addresses).
The logical first step in investigating the company was to check the website for the domain listed in the whois record (iptelligent.com) but oddly, there is nothing there that looks at all professional – just a directory listing showing a cgi-bin and an images sub-directory. There is also fairly extensive on-line discussion about failed attempts to contact the “abuse@” email address for the domain. Most commentators seemed to end up blocking the entire netblocks. Of course the spam went away.
However, blocking all traffic from over 12,000 IP addresses simply to stop spam from some of them strikes me as possibly somewhat over zealous, particularly when a fairly well known and high volume tor exit node uses an IP address in the range in question. Further analysis of my logs showed that all of the spam from the addresses I had seen used a common user agent “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20090824 Firefox/3.5.3 GTB5”. That agent looks perfectly plausible, if perhaps a little old and it could conceivably be in use by a whole bunch of people using, say, an old installation of FF on XP.
But I struck lucky. The spammers are stupid. Not only is that user agent clearly identified by a number of discussion sites as being used by prolific spammers, it turned out from further analysis of my logs that it was only used by the same spamming IP addresses I had noted earlier, and by no-one else.
If you really want to hide in a crowd, don’t use a unique identifier.