Getting Spammed Like Crazy Today
November 12, 2008 by Mrs. Mecomber
Filed under blogging
Very odd. All my blogs are getting spammed, very very heavily. And it’s all coming from one IP address.
This is the data from Traceroute:
94.102.60.152 is from Netherlands(NL) in region Western Europe
TraceRoute to 94.102.60.152
Hop (ms) (ms) (ms) IP Address Host name
1 162 215 205 72.249.0.65 -
2 7 8 11 209.249.122.73 209.249.122.73.available.above.net
3 14 11 9 64.125.26.213 ge-2-0-0.mpr2.dfw2.us.above.net
4 18 22 24 64.125.26.134 so-1-1-0.mpr4.iah1.us.above.net
5 48 40 40 64.125.28.49 so-1-1-0.mpr2.dca2.us.above.net
6 126 128 127 64.125.27.166 so-0-1-0.mpr1.lhr3.uk.above.net
7 113 114 118 64.125.28.38 so-1-0-0.mpr1.lhr2.uk.above.net
8 129 136 126 195.66.224.231 ge-5-3-0.bb1.lon1.uk.gbxs.net
9 130 136 130 83.143.241.33 ge-6-0-0-0.bb1.ams3.nl.gbxs.net
10 133 129 136 77.243.180.14 ecatel-limited.ae0-213.bb1.ams3.nl.gbxs.net
11 139 142 139 94.102.60.152 -
And this is the information from WhoIs:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 94.0.0.0 – 94.255.255.255
CIDR: 94.0.0.0/8
NetName: 94-RIPE
NetHandle: NET-94-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
This jerk from the Netherlands has, so far, sent about 100 spam emails in the last 24 hours across all my blogs. And here are two other very strange things:
1). He’s also spammed a post I wrote at a blog I used to share with someone else. I have since ended my blogging there (like, last year). But he’s spamming me there. So I suspect it’s related to me personally, like harassment and not the usual anonymous spam crap that I see all the time.
2). He’s been spamming someone else, and this blogger blogged about it, too.
There are some other spams coming from related IPs, from the same jerk, like this IP: 94.102.60.151.
How about you? Are you getting a ton of comment spam from the IP 94.102.60.152 recently?
matt on Wed, 12th Nov 2008 8:50 pm
I am getting spam from that IP address too. I banned that IP with my service provider.
J on Wed, 12th Nov 2008 9:03 pm
You’re not the only one – he’s hitting me hard too. I just google’d “94.102.60.151” and the first return was this entry, so thanks for the confirmation that I’m not alone!
Taylor on Wed, 12th Nov 2008 9:07 pm
I’m not a regular reader but I found you in a google search for this IP. I’ve gotten at least 15 spam comments, filled with gibberish from this IP and variants (94.10x.xxx.xxx).
I’m blocking the whole IP range (the above) and hopefully it’ll fix the problem, but talk about annoying! It’s spam without any purpose.
Su on Wed, 12th Nov 2008 9:21 pm
Yes! I found your blog by searching the IP and I’ve been getting a bunch of spam from that IP today and my spam blocker hasn’t been catching it.
blueyes on Wed, 12th Nov 2008 9:36 pm
No spams on my end but might I suggest going into your cpanel and blocking that IP or the entire range for that matter because all those RIPE addresses are spammers. That way they are blocked from any of your sites if you have them all going through one host. And/or you can get the ban plugin for wordpress and start adding them in there which is what I do because I like looking to see how many times they try to access the site after I ban them. Call it satisfaction lol
olga lednichenko on Wed, 12th Nov 2008 9:37 pm
Yes.. I am getting tons of spam. from him..her – it – whatever
regards
olga lednichenko
Link Building Blog on Wed, 12th Nov 2008 10:49 pm
I noticed this too and blogged about linking to your post. I’ve been tracking it and it looks like the script will be coming back later with all the vulnerable blogs on its target list.
Jennie on Wed, 12th Nov 2008 11:10 pm
Oh my gosh! Me too! The hubby and I are getting tons of spam comments across our wordpress blogs from the same IP you mentioned. Here is the most recent I marked as spam:
Wallace Davidson | jarrb@bdol.com | IP: 94.102.60.152
bxw9xdbra5u8q1eo
Jill on Wed, 12th Nov 2008 11:39 pm
Yup, I’m blogging about it as well:
http://aldebaranwebdesign.com/blog/wordpress-comment-spam-from-amsterdam/
And the WordPress forum as well:
http://wordpress.org/support/topic/217088?replies=5
I’ve added the IP addresses to my Comment Blacklist. Revenge!
David Eilers on Wed, 12th Nov 2008 11:40 pm
I’ve noticed the same problem today on my blog. In addition, I got a couple full sentence comments, rather than gibberish, from two different Russian sites that I think are spam. 124.107.84.84 & 61.116.180.164 (http://www.olympic-beijing.ru/ )
harry on Thu, 13th Nov 2008 12:19 am
I have been getting these spams from 94.102.60.152 for the last two days….dunno what to do. I have noticed that all these spams are from one IP address only. Can this IP address be blocked? If yes, how?
Ari Herzog on Thu, 13th Nov 2008 12:21 am
It’s times like these when bloggers who know how to seek out information can band together and share tips. I’ve since shared this info on Twitter. I also got hit by five spammers today, all from 94.102.60.153
The oddity is my Google Analytics indicates 20 Netherlands hits in past month, yet 4 in past 48 hours. I don’t believe in coincidences, so will be blacklisting.
Chris on Thu, 13th Nov 2008 12:40 am
LOL, I noticed that in all my sites, I suppose this is a person testing a new spam tool, check out the whole internet using the IP as the keyword, ppl are discussing it a lot.
Ted on Thu, 13th Nov 2008 2:27 am
I’m seeing this clown as well – I’ve blacklisted 94.102.60.* from my server.
I too landed here via google – my question is what’s the purpose of it? Vulnerability testing? “Hey if this gets through, I can post my porn links”? I don’t get it…
Mar on Thu, 13th Nov 2008 4:25 am
Not yet. Now that I visited here, he probably will hit me too.
Help!!
Natural on Thu, 13th Nov 2008 6:42 am
I’m getting a lot of spam too, more than ever. Wondering how it’s getting through Akismet. Weird.
john b on Thu, 13th Nov 2008 7:57 am
I am getting spammed from that IP as well.
Kathy on Thu, 13th Nov 2008 9:17 am
Well…I’m glad to hear I’m not alone…I guess! This is awful! All 5 of my blogs (some of which have been perfectly insulated from all spam) have been being hit bad.
Not liking this…
Matt Keegan on Thu, 13th Nov 2008 9:43 am
The last two days have been brutal. I’ve been receiving spam across my network of eight blogs and have had to go ban this I.P. and the shorter route derivative from leaving messages. That has helped as all messages now fill up my spam cache not my comments waiting folder.
Bas - Istanbul Expat on Thu, 13th Nov 2008 11:54 am
I have a similar problem. Some person is posting on my name with some random English names (always first name last name) then adds his email address like ifnau@soimsf.com and just types a message like “adn9fnausunau”
I’ve been receiving about 5-10 of these messages per day now. Really annoying.
Jon on Thu, 13th Nov 2008 4:20 pm
Glad I am not alone, same IP address, all blogs. That must be hell of a spambot someone has created. Not had anything other than gibberish yet.
Chris on Sun, 16th Nov 2008 7:40 am
The Whois information posted above is slightly misleading… the IP is actually registered to a company called Ecatel Limited, not RIPE.
ARIN maintain North American IP addresses, RIPE maintain the ones in Europe. LACNIC, AfriNic and APNIC handle the rest of the world.
So if you do a Whois query on ARIN for a European IP address, you’ll get referred to RIPE’s database and also get something like the comment “These addresses have been further assigned to users in the RIPE NCC region. Contact information can be found in the RIPE database at http://www.ripe.net/whois”.
The real whois looks more like this…
organisation: ORG-EL38-RIPE
org-name: Ecatel LTD
org-type: LIR
address: Ecatel LTD
Reinier van Eeden
P.O.Box 19533
2521 CA The Hague
NETHERLANDS
phone: +31702204015
fax-no: +31702204015
e-mail: r.eeden@ecatel.net
admin-c: RvE16-RIPE
mnt-ref: ECATEL-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
person: Reinier van Eeden
address: Archangelkade 1-3
address: 1013 BE Amsterdam
mnt-by: IQARUS-MNT
e-mail: r.eeden@nl.iqarus.com
phone: +31 64 607 11 12
nic-hdl: RvE16-RIPE
source: RIPE # Filtered
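The referral chain described in the comment above, as an added example that is not part of the original post or its comments: a small WHOIS client that follows the `ReferralServer` line from ARIN to the registry that actually holds the assignment. `resolve` and `fake_query` are hypothetical names, and the RIPE reply is a constructed stand-in built from two fields quoted above so the example runs offline.

```python
import re
import socket

# Trimmed from the ARIN output quoted in the post above.
ARIN_REPLY = (
    "OrgName: RIPE Network Coordination Centre\n"
    "ReferralServer: whois://whois.ripe.net:43\n"
    "CIDR: 94.0.0.0/8\n"
)
# Constructed stand-in for the RIPE answer, using two fields from the comment above.
RIPE_REPLY = "organisation: ORG-EL38-RIPE\norg-name: Ecatel LTD\n"

REFERRAL = re.compile(r"^ReferralServer:\s*whois://([^:/\s]+)(?::(\d+))?", re.I | re.M)


def whois_query(server, query, port=43, timeout=10):
    """Plain WHOIS (RFC 3912): send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def resolve(ip, first_server="whois.arin.net", query=whois_query, max_hops=3):
    """Follow ReferralServer lines; return (server, reply) from the last registry asked."""
    server, port, seen = first_server, 43, set()
    answered, reply = None, ""
    for _ in range(max_hops):
        reply = query(server, ip, port)
        answered = server
        seen.add(server)
        match = REFERRAL.search(reply)
        if not match or match.group(1).lower() in seen:
            break  # no referral, or a referral loop
        server, port = match.group(1).lower(), int(match.group(2) or 43)
    return answered, reply


def fake_query(server, ip, port=43):
    """Offline stub (hypothetical) standing in for the two registries."""
    return ARIN_REPLY if server == "whois.arin.net" else RIPE_REPLY


if __name__ == "__main__":
    print(resolve("94.102.60.152", query=fake_query))
```

Calling `resolve(ip)` without the `query` argument performs the real lookups over TCP port 43.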
Ty on Mon, 17th Nov 2008 6:46 am
I too have been wearing spam from the same system, it’s odd, I myself cannot see the point to posting lists of URLs that don’t point anywhere.
I first thought it was to test if your blog was “spammable” but it just makes no sense to do it like that..
My other thought is there may be a WordPress bug they have caught on to? I have been watching my systems tightly and cannot see any evidence of anything other than comment spam.
This has been confusing me for days now!
Jon Buhagiar on Mon, 17th Nov 2008 2:08 pm
I have had the same on my sites. Gibberish spam. I recommend that you check your logs and use a .htaccess file to deny this block of IPs. It is the same senseless spam we see on the email side, all it is doing is filling the spam database with useless junk. Anyway that is my take on this.
Jon B.
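One way to turn the "check your logs, then deny the block in .htaccess" advice into something repeatable, as an added example that is not part of the original post or its comments: group moderated comments by /24, keep only networks that sent spam and nothing legitimate, and render the deny rules. The moderation records are constructed, the function names are hypothetical, and the rule is scoped to the /24 around the addresses named on this page rather than the whole 94.0.0.0/8 registry allocation.

```python
import ipaddress
from collections import Counter

# Constructed moderation records: (source IP, was the comment marked as spam?).
# The 94.102.60.x addresses are the ones named on this page; 192.0.2.10 is a documentation address.
COMMENTS = [
    ("94.102.60.151", True), ("94.102.60.152", True), ("94.102.60.152", True),
    ("94.102.60.153", True), ("192.0.2.10", True), ("192.0.2.10", False),
]


def offending_networks(records, min_spam=3, prefix=24):
    """Networks of the given prefix with >= min_spam spam comments and no legitimate ones."""
    spam, ham = Counter(), Counter()
    for ip, is_spam in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        (spam if is_spam else ham)[net] += 1
    return sorted(n for n, count in spam.items() if count >= min_spam and ham[n] == 0)


def htaccess_rules(networks, apache24=True):
    """Render deny rules: Require syntax for Apache 2.4, Order/Deny for 2.2."""
    if apache24:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {n}" for n in networks]
        lines.append("</RequireAll>")
    else:
        lines = ["Order Allow,Deny", "Allow from all"]
        lines += [f"Deny from {n}" for n in networks]
    return "\n".join(lines)


if __name__ == "__main__":
    print(htaccess_rules(offending_networks(COMMENTS)))
```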
Gunderson Stratford on Mon, 17th Nov 2008 5:21 pm
Me too. It started about a week or two ago. I’m really glad I have one more thing I have to take care of every day now.
Charles Wetherall on Mon, 17th Nov 2008 5:53 pm
Several sites I manage are getting hit hard. I’ve blocked all of the junk, but this slippery bastard is elusive. Now he’s using various forums to pass along spam. I’ve alerted several (videogamers.com, Wikispaces and DirtRagMag.com). All were very cordial and immediately pulled the perpetrator’s membership.
But, the scumbag will just move on to another forum and continue sending. At least I’ll slow him up.