Latest Blacklist Entries
Recently cleared several megabytes of log files, detecting patterns, recording anomalies, and blacklisting gross offenders. Gonna break it down into three sections:
User Agents
User-agents come and go, and are easily spoofed, but it’s worth a few lines of htaccess to block the more persistent bots that repeatedly scan your site with malicious requests.
# Nov 2010 User Agents
SetEnvIfNoCase User-Agent "MaMa " keep_out
SetEnvIfNoCase User-Agent "choppy" keep_out
SetEnvIfNoCase User-Agent "heritrix" keep_out
SetEnvIfNoCase User-Agent "Purebot" keep_out
SetEnvIfNoCase User-Agent "PostRank" keep_out
SetEnvIfNoCase User-Agent "archive.org_bot" keep_out
SetEnvIfNoCase User-Agent "msnbot.htm)._" keep_out
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</Limit>
The first line blocks any user-agent containing “MaMa ”. If that scares you, then replace that line with these two:
SetEnvIfNoCase User-Agent "MaMa CyBer" keep_out
SetEnvIfNoCase User-Agent "MaMa Xirio" keep_out
The other lines block the latest batch of “loser-agents,” which may completely disappear overnight. My current strategy is to block for a few months and then start fresh. Stuff like heritrix, Purebot, and PostRank have made the list numerous times.
Character Strings
There must be some exciting new vulnerability, because suddenly I’m seeing TONS of requests for the following resources in just about every virtual directory imaginable:
fpw.php
xmlpc.php
pingserver.php
test00.comze.com
What’s the best way to deal with endless requests for non-existent resources? I prefer to respond with 403 Forbidden and call it done:
# Nov 2010 Char Strings
<IfModule mod_alias.c>
RedirectMatch 403 fpw.php
RedirectMatch 403 xmlpc.php
RedirectMatch 403 pingserver.php
RedirectMatch 403 test00.comze.com
</IfModule>
Of course, make sure you aren’t actually using any of these files anywhere on your site before using this code.
IP Addresses
Last but not least, here’s the latest batch of nefarious IP addresses. There’s no reason to block random botnet IPs, so only the most rogue static addresses make the list:
# Nov 2010 IPs
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 65.55.3.211
Deny from 72.229.57.27
Deny from 77.93.2.81
Deny from 77.221.130.18
Deny from 91.205.96.13
Deny from 94.75.229.132
Deny from 95.108.157.252
Deny from 99.22.93.95
Deny from 173.193.219.168
Deny from 174.133.177.66
Deny from 178.234.154.230
Deny from 178.33.3.23
Deny from 190.174.198.86
Deny from 203.89.212.187
Deny from 207.241.228.166
Deny from 213.55.76.224
Deny from 216.171.98.77
</Limit>
As with the user-agents, I like to block IPs for a month or so at a time. Implement (or not) as you see fit.
Bonus IPs! – Looking for more bad IPs to block? Check out Vladimir’s post in the comments.
Just one fix..
Don’t take my word for it. Check your own logs and see what shouldn’t be there. “Know thy enemy,” as they say ;)
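As an added example (not code from the post), this Python script applies the post’s three kinds of rules to Apache combined-format access-log lines, so you can see which rule would fire for each request before committing the blacklist to .htaccess. The log lines and the 10.0.0.x clients are constructed, and the IP set is a three-address subset of the post’s list.

```python
import re
from collections import Counter

# The post's rules as Apache evaluates them: SetEnvIfNoCase is a case-insensitive
# regex on the User-Agent, RedirectMatch a regex on the URL path (no query string),
# "Deny from" an exact IP. "msnbot.htm)._" is omitted: its unbalanced ")" is not a valid regex.
UA_PATTERNS = ["MaMa ", "choppy", "heritrix", "Purebot", "PostRank", "archive.org_bot"]
PATH_PATTERNS = ["fpw.php", "xmlpc.php", "pingserver.php", "test00.comze.com"]
DENIED_IPS = {"65.55.3.211", "72.229.57.27", "216.171.98.77"}  # three of the post's IPs

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Rules that would fire for a parsed request. The patterns are regexes,
    so the unescaped '.' in 'fpw.php' would also match a path like 'fpw-php'."""
    hits = ["ip:" + entry["ip"]] if entry["ip"] in DENIED_IPS else []
    path = entry["url"].split("?", 1)[0]           # RedirectMatch sees the path only
    hits += ["path:" + p for p in PATH_PATTERNS if re.search(p, path)]
    hits += ["ua:" + p for p in UA_PATTERNS if re.search(p, entry["ua"], re.I)]
    return hits

def audit(log_text):
    """Return (Counter of rule hits, number of lines that parsed) for a whole log."""
    counts, parsed = Counter(), 0
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        parsed += 1
        counts.update(classify(entry))
    return counts, parsed

# Constructed sample log lines (not from the post); 10.0.0.x are placeholder clients.
SAMPLE_LOG = """\
65.55.3.211 - - [10/Nov/2010:13:55:36 -0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2010:13:56:01 -0800] "GET /blog/fpw.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Nov/2010:13:56:22 -0800] "GET /wp/xmlpc.php?a=1 HTTP/1.1" 404 312 "-" "Mozilla/4.0"
10.0.0.7 - - [10/Nov/2010:13:57:03 -0800] "GET / HTTP/1.1" 200 7000 "-" "MaMa CyBer bot/1.0"
10.0.0.8 - - [10/Nov/2010:13:57:40 -0800] "GET / HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (compatible; heritrix/1.14)"
10.0.0.9 - - [10/Nov/2010:13:58:10 -0800] "GET /about/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0 Firefox/3.6"
"""
if __name__ == "__main__":
    counts, parsed = audit(SAMPLE_LOG)
    print(f"{parsed} requests parsed, {sum(counts.values())} blacklist hits:", dict(counts))
```

Point `audit()` at a real access log (one month at a time, as the post suggests) and any rule that never fires is a candidate for retirement from .htaccess.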
For more help on blocking stuff with .htaccess, check out Eight Ways to Redirect with Apache’s mod_rewrite.
24 responses to “Latest Blacklist Entries”
Hi Jeff,
I would like to contribute some more IP addresses (they are taken mainly from virbl.dnsbl.com) if you don’t mind:
Thanks, Vladimir – I updated the post with a link to your comment.
Cheers :)
Thanks Jeff for this effort you put in, I never had an idea about some of the stuff here, so your posts were an eye opener for me.
Good post Jeff. I like the user agent block.
I’m looking for a website keeping an updated list we could download and paste into .htaccess
Here I see this post with a few entries but is there a static link that point to a list that is updated from time to time?
Thanks
Hello Jeff,
This is my first message on your website.
Just few words from France to tell you how grateful I am. I’m really pleased you share so many useful and valuable information.
I’m more into Joomla than WordPress but many articles are suitable for any CMS. Not to say any website…
I also (and most of all) appreciate the awesome quality of your work. Everything falls into place and is extremely well designed. I like the way you take care about every details.
You’re a great source of inspiration to me, even if I’m far from having the same skills.
As you say in the USA: “keep up the good work”.
Yours,
Ben
I am always doubtful whether it is a good idea to block IP addresses, as many of these addresses are shared IPs and so other websites are blocked.
This happened to me with a German shared IP address very often on US websites.
Please consider this.
Why are you blocking the Archive.org bot? They follow robots.txt.
The only character string I’ve had hits for is pingserver.php.
Most of the IP addresses you list haven’t hit my server, although a few of them have hundreds of hits in brief amounts of time.
I guess this really does show you really need to know what is happening on your server, as attacks are coming from so many different places and in so many different methods. And you really need to understand what these type of blacklist rules will do.
Amazing!! Thanks for sharing the result of many hours of work!
@Daniel: Here is a current IP Blacklist: https://perishablepress.com/blacklists/blacklist_ip.txt
@Ben Gun: Thank you for the kind words – they are greatly appreciated.
@Connie: Good point, and I would suggest that if you don’t feel comfortable blocking malicious IPs, then you shouldn’t do it. As for me, I have found that temporary blocking some of the worst IPs is an effective security measure.
@Michael Clark: The archive.org bot is one of the WORST, according to my data. They consume miles of bandwidth and never return any traffic. Plus, 90% of the requests I get from that terrible bot are malicious scans for non-existent resources. For my sites, it’s just not worth it.
thanks for the list Jeff…
looking forward to the UA BlackList :-)
Hi, I am using your 2010 user agent blacklist at the moment and I wanted to know if I can paste the directive from this site under yours. I am not asking whether their code works or not, just whether htaccess will allow it and function okay.
http://www.spanishseo.org/block-spam-bots-scrapers