François Nonnenmacher (EN) | FR

Crawling through my server logs, I've banned the following IPs:

• 220.181.33.225 - rude bot from China, stupid enough to pump the same .WAV files, like, everyday, sucking more than 2GB of bandwidth in just a couple hundred hits (for two files that never changed!)
• 60.28.252.77 - same as above
• 69.31.1.154 aka fuse4.mailanyone.net - don't know what it is nor who is behind it (they use DomainsByProxy to hide their whois info, but it's generating a hell of errors : 13,209 for 82,307 hits in just 48 visits, I don't like that
• 213.251.180.34 aka seri.lmsa.biz because 1) no info (lmsa.biz redirect you to www.google.fr), 2) it's rude, spawning requests every second, 3) requesting the same URL like 10 times in one second! sucking about 10 times more bandwidth than normal search engines bots

I've also noticed a pattern of errors with malformed GET requests, all containing the following string: "gping="/GLinkPing.aspx". I'm not banning it because it's infrequent, but I don't like it and cannot find any useful information about it (except one pointer to Gravee).

If you run one of the mentionned bots and feel that I'm over-reacting, please drop me a note with explanations.

If you're interested on how I ban various offenders from my site, here are the rules I have placed in my .htaccess file, leaving Apache doing the work (also my host runs mod_security in front of it):

RewriteEngine On
RewriteBase /
# User-Agents with no privileges (mostly spambots/spybots/offline downloaders that ignore robots.txt)
# see http://diveintomark.org/archives/2003/02/26/how_to_block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell
RewriteCond %{REMOTE_ADDR} ^220\.181\.33\.225 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^60\.28\.252\.77 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^69\.31\.1\.154 [OR] #rude bot
RewriteCond %{REMOTE_ADDR} ^24\.86\.103\.176 [OR] #spammer
RewriteCond %{REMOTE_ADDR} ^81\.95\.146\.162 [OR] #spammer
RewriteCond %{REMOTE_ADDR} ^193\.252\.177\.186 [OR] #spammer
RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$" [OR] # Cyveillance spybot
RewriteCond %{REMOTE_ADDR} ^12\.148\.196\.(12[8-9]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])$ [OR] # NameProtect spybot
RewriteCond %{REMOTE_ADDR} ^12\.148\.209\.(19[2-9]|2[0-4][0-9]|25[0-5])$ [OR] # NameProtect spybot
RewriteCond %{REMOTE_ADDR} ^64\.140\.49\.6([6-9])$ [OR] # Turnitin spybot
RewriteCond %{HTTP_REFERER} iaea\.org [OR] # spambot
RewriteCond %{HTTP_REFERER} neopets\.com [OR] # referrer spam
RewriteCond %{HTTP_REFERER} spampoison\.com [OR] # looks exactly like a spambot
RewriteCond %{HTTP_REFERER} riaa\.com [OR] # some bot
RewriteCond %{HTTP_REFERER} cxa\.de [OR] # porn site
RewriteCond %{HTTP_REFERER} filthserver\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} wastedpartygirls\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} amateurxpass\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} mature--young\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} bloglisting\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} nudecelebblogs\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} sexrabbit\.de [OR] # porn site
RewriteCond %{HTTP_REFERER} busty2\.com [OR] # porn site
RewriteCond %{HTTP_REFERER} adult-models\.biz [OR] # porn site
RewriteCond %{HTTP_REFERER} freenudecelebrity\.net [OR] # porn site
RewriteCond %{HTTP_REFERER} limolimo\.net [OR] # dont know
RewriteCond %{HTTP_REFERER} shatteredreality\.net [OR] # spammer site
RewriteCond %{HTTP_USER_AGENT} ^[A-Z]+$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} anarchie [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} cherry.?picker [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "compatible ; MSIE 6.0" [OR] # spambot (note extra space before semicolon)
RewriteCond %{HTTP_USER_AGENT} crescent [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^DA \d\.\d+" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} "DTS Agent" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} "^Download" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} EasyDL/\d\.\d+ [OR] # OD
RewriteCond %{HTTP_USER_AGENT} e?mail.?(collector|magnet|reaper|siphon|sweeper|harvest|collect|wolf) [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} express [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} extractor [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "Fetch API Request" [OR] # OD
RewriteCond %{HTTP_USER_AGENT} flashget [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} FlickBot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} FrontPage [OR] # stupid user trying to edit my site
RewriteCond %{HTTP_USER_AGENT} getright [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} go.?zilla [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "efp@gmx\.net" [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} grabber [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} imagefetch [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} httrack [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} "Indy Library" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "^Internet Explore" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ^IE\ \d\.\d\ Compatible.*Browser$ [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "LINKS ARoMATIZED" [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "Microsoft URL Control" [OR] # spambot
RewriteCond %{HTTP_USER_AGENT} "mister pix" [NC,OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/4.0$" [OR] # dumb bot
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/\?\?$" [OR] # formmail attacker
RewriteCond %{HTTP_USER_AGENT} MSIECrawler [OR] # IE's "make available offline" mode
RewriteCond %{HTTP_USER_AGENT} ^NG [OR] # unknown bot
RewriteCond %{HTTP_USER_AGENT} offline [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} net.?(ants|mechanic|spider|vampire|zip) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} nicerspro [NC,OR] # spambot
RewriteCond %{HTTP_USER_AGENT} ninja [NC,OR] # Download Ninja OD
RewriteCond %{HTTP_USER_AGENT} NPBot [OR] # NameProtect spybot
RewriteCond %{HTTP_USER_AGENT} PersonaPilot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} snagger [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} Sqworm [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} SurveyBot [OR] # rude bot
RewriteCond %{HTTP_USER_AGENT} tele(port|soft) [NC,OR] # OD
RewriteCond %{HTTP_USER_AGENT} TurnitinBot [OR] # Turnitin spybot
RewriteCond %{HTTP_USER_AGENT} web.?(auto|bandit|collector|copier|devil|downloader|fetch|hook|mole|miner|mirror|reaper|sauger|sucker|site|snake|stripper|weasel|zip) [NC,OR] # ODs
RewriteCond %{HTTP_USER_AGENT} vayala [OR] # dumb bot, doesn't know how to follow links, generates lots of 404s
RewriteCond %{HTTP_USER_AGENT} zeus [NC,OR]
# Below are filtered requests (mostly virus and other security holes sniffers)
RewriteCond %{REQUEST_URI} formmail [NC,OR]
RewriteCond %{REQUEST_URI} _vti_bin [NC,OR]
RewriteCond %{REQUEST_URI} MSOffice [OR]
RewriteCond %{REQUEST_URI} mail.?(pl|cgi) [NC]
RewriteRule .* - [F,L]