6

I am attempting to fend off a spam attack against a web API I run and would like to obtain a list of IP addresses of public web hosting providers from which spammers are launching their attacks. I'm talking about sites like Bluehost, Rackspace, HostGator, GoDaddy, Amazon AWS, etc. My customers are never accessing me from IP addys at these services, and instead access me via things like DSL, cable, and mobile phone networks.

I looked at Spamhaus but from what I could ascertain that was about email.

Thanks!

esilver
  • This will break if your customers ever start using scripts (to hit your site) that run from IPs in that space. If any of your customers starts using AWS or the RackSpace cloud provider, for example, you'll be blocking them. – mfinni Mar 12 '13 at 03:08

3 Answers

4

At some level, every IP block is announced with a source BGP AS number. You can download full tables from http://www.ripe.net/data-tools/stats/ris/ris-raw-data.

AS Names are available from http://bgp.potaroo.net/cidr/autnums.html.

Match the IP to the most recent source number (keep those raw data tables updated somewhat regularly) and match the source number to the names table.

Jeff Ferland
  • That is a great idea -- what I really need then is a third file that says which of those AS names are web hosts. I would absolutely pay money for such a list...any ideas where I can get that? – esilver Mar 12 '13 at 01:20
  • I don't know about a list of hosting AS systems, but I'd start with some regular expressions (/hosting/ seems to cut out a lot) and adding in some regular ones yourself. Just call an isSpamAS(number) script and add any systems you never want to see as you go. – Jeff Ferland Mar 12 '13 at 01:25
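
The lookup described in this answer and its comments, as an added example that is not part of the original posts: longest-prefix match of an IP to its origin AS, then a name regex plus hand-maintained lists. The prefixes, AS numbers and AS names are constructed sample data, `is_spam_as` is a hypothetical stand-in for the `isSpamAS(number)` script mentioned above, and `MANUAL_ALLOW` is an assumption added to cover the case raised in the comment on the question (a customer calling from cloud address space).

```python
import ipaddress
import re

# Constructed sample data: documentation prefixes and private-use AS numbers.
# In practice ORIGINS comes from a parsed BGP table dump and AS_NAMES from an
# AS-name list; both need refreshing regularly.
ORIGINS = [
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
    ("203.0.113.128/25", 64502),  # more-specific route inside the /24 above
    ("2001:db8::/32", 64500),
]
AS_NAMES = {
    64500: "EXAMPLE-HOSTING Example Web Hosting LLC",
    64501: "EXAMPLE-DSL Example Broadband",
    64502: "EXAMPLE-VPS Example Compute",
}
HOSTING_RE = re.compile(r"hosting", re.IGNORECASE)  # starting pattern from the comment
MANUAL_BLOCK = {64502}  # ASes added by hand as abuse is observed
MANUAL_ALLOW = set()    # ASes a known customer legitimately calls from

TABLE = [(ipaddress.ip_network(p), asn) for p, asn in ORIGINS]

def origin_as(ip):
    """Return the origin AS of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in TABLE:  # linear scan; use a radix trie for a full table
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def is_spam_as(asn):
    """Hypothetical isSpamAS(): name regex plus hand-maintained overrides."""
    if asn is None or asn in MANUAL_ALLOW:
        return False  # unannounced space or an exempted customer AS
    if asn in MANUAL_BLOCK:
        return True
    return bool(HOSTING_RE.search(AS_NAMES.get(asn, "")))

def should_block(ip):
    return is_spam_as(origin_as(ip))

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "203.0.113.200", "192.0.2.1"):
        print(ip, origin_as(ip), should_block(ip))
```

The more-specific `/25` shows why the match must pick the longest prefix: an address in it belongs to a different origin AS than the rest of the covering `/24`.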
1

Blocking all hosting providers is both slow and pointless. Instead you should do two things:

  • Devise a way to identify spammers that hit your app. Say via captcha or hashcash.
  • Log those attempts to syslog.
  • Use fail2ban on your server to parse the log file and block those spam bots.

For example there is a guide on how to stop bots from brute forcing WordPress logins:

http://abdussamad.com/archives/616-Stop-Brute-Force-WordPress-Login-Attempts-with-Fail2Ban.html

Abdussamad
0

For providers who use IP space they've registered themselves, you can mostly find this via the regional registry (ARIN for North America) - though a lot of the records are a bit of a mess, with the IP ranges split into a number of different organization records. Search for one IP address belonging to the provider, click on the organization that owns the range (hopefully the actual company, not an ISP they use), then click on "related networks"; this will give you all the ranges they've registered under that organization.

(As an addendum to Jeff's answer, you can also look up BGP AS number owners via ARIN's search; search for AS123 for the owner of AS 123.)

They might also publish the full list, like Amazon, where they've actually made the registrations under several different regional registrars and under several different organizations within some of the registrars.

Shane Madden