[94221] in North American Network Operators' Group


Re: Comment spammers chewing blogger bandwidth like crazy

daemon@ATHENA.MIT.EDU (Alexander Harrowell)
Sat Jan 13 13:36:19 2007

Date: Sat, 13 Jan 2007 18:33:02 +0000
From: "Alexander Harrowell" <a.harrowell@gmail.com>
To: "Thomas Leavitt" <thomas@thomasleavitt.org>
Cc: nanog <nanog@merit.edu>
In-Reply-To: <45A9112F.2040904@thomasleavitt.org>
Errors-To: owner-nanog@merit.edu


Yes. Fistfulofeuros.net has seen dramatically higher levels of comments spam
since last autumn. Not as much as below, but we were offline due to supposed
overuse (I say supposed because our host claimed a script we don't have was
responsible) over Christmas.

On 1/13/07, Thomas Leavitt <thomas@thomasleavitt.org> wrote:
>
>
> A friend of mine operates a blog at seeingtheforest.com, and he pays for
> traffic over a (fairly minimal) cap. He posted this comment recently:
>
> http://www.seeingtheforest.com/archives/2007/01/eating_bandwidt.htm
>
>
>       Eating Bandwidth
>
> Last month something ate up a tremendous amount of bandwidth at Seeing
> the Forest, costing me a lot of money. So now I regularly check
> bandwidth use.
>
> Why has 209.160.72.10, HopOne in DC, been eating a HUGE amount of
> bandwidth? Gigabytes! What are they doing? (I banned them.)
>
> Why has 220.226.63.254, an IP in India, been eating a tremendous amount
> of bandwidth? What are they doing?
>
> Why has 195.225.177.46, an IP in Ukraine, been eating a tremendous
> amount of bandwidth? What are they doing?
>
> Why has 62.194.1.235 AND 83.170.82.35 AND 89.136.115.220 AND
> 62.163.39.183 AND 212.241.204.145, all from the /same company/ in
> Amsterdam, been eating a TREMENDOUS amount of bandwidth? What are they
> doing?
>
> Why is 206.225.90.30 and 69.64.74.56 and Abacus America Inc. eating a
> TREMENDOUS amount of my bandwidth,
>
> ***
>
> One of the comments said:
>
> Yeah, I've seen a huge bump in my blog's traffic, I haven't figured out
> what they're doing, but it ate like 4Gb of bandwidth last month. Now
> that you mention it, I checked last month's stats and yep, there's
> 209.160.72.10 producing 62% of my blog traffic. I did a little checking
> around the web and they're an obvious spam host. Banned.
>
> ***
>
> They also chew up a lot of CPU (comment filter code). A few times,
> myself, I've had to simply take code offline that was getting hit too
> heavily... seems like the IPs (and their ilk) listed above are good
> prospects for a "bad behavior" blacklist, at a level below that of
> "collaborative spam filter" (which doesn't prevent traffic or CPU cycles
> from being consumed). Given the volume of traffic mentioned, this must
> be a real problem for some hosts and networks... although, on the other
> hand, if their marginal use rates are high enough, they might actually
> be making money off this.
>
> Regards,
> Thomas Leavitt
>
> --
> Thomas Leavitt - thomas@thomasleavitt.org - 831-295-3917 (cell)
>
> *** Independent Systems and Network Consultant, Santa Cruz, CA ***
>
>
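
The per-IP bandwidth check and the "bad behavior" blacklist discussed in this thread, sketched as an added example that is not part of either poster's message. It assumes Combined Log Format access logs; the /comments/post path, the thresholds and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Combined Log Format; IPs are documentation ranges,
# and /comments/post is a hypothetical comment-submission path.
_FMT = '{ip} - - [12/Jan/2007:10:00:01 +0000] "{req} HTTP/1.1" {st} {sz} "-" "-"'
SAMPLE_LOG = "\n".join(
    [_FMT.format(ip="192.0.2.10", req="POST /comments/post", st=200, sz=12000)] * 5
    + [
        _FMT.format(ip="198.51.100.7", req="GET /index.html", st=200, sz=20000),
        _FMT.format(ip="198.51.100.7", req="GET /archives/2007/01/a.html", st=200, sz=15000),
        _FMT.format(ip="198.51.100.7", req="GET /index.xml", st=304, sz="-"),
        _FMT.format(ip="203.0.113.5", req="POST /comments/post", st=200, sz=3000),
        _FMT.format(ip="203.0.113.5", req="GET /", st=200, sz=2000),
        "garbage line that does not parse",
    ]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def per_ip_usage(log_text, comment_path="/comments/post"):
    """Sum response bytes, requests and comment POSTs per client IP."""
    usage = defaultdict(lambda: {"bytes": 0, "requests": 0, "comment_posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        rec = usage[m["ip"]]
        rec["requests"] += 1
        rec["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])  # "-" = no body sent
        if m["method"] == "POST" and m["path"].split("?")[0] == comment_path:
            rec["comment_posts"] += 1
    return dict(usage)

def blocklist_candidates(usage, max_share=0.5, max_comment_posts=3):
    """Return (ip, share_of_bytes, comment_posts) for IPs over either threshold."""
    total = sum(r["bytes"] for r in usage.values()) or 1
    flagged = [
        (ip, round(r["bytes"] / total, 3), r["comment_posts"])
        for ip, r in usage.items()
        if r["bytes"] / total > max_share or r["comment_posts"] > max_comment_posts
    ]
    return sorted(flagged, key=lambda c: c[1], reverse=True)

if __name__ == "__main__":
    for ip, share, posts in blocklist_candidates(per_ip_usage(SAMPLE_LOG)):
        print(f"{ip}  {share:.0%} of bytes  {posts} comment POSTs")
```

Candidates from a report like this are meant to be denied at the web server or firewall, ahead of the comment filter, so the requests stop costing CPU as well as bandwidth.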
