The Internet of Shit

Friday, 24 June, Year 8 d.Tr. | Author: Mircea Popescu

The access log for trilema.com in June (ie, 24 days so far) is 1.8 GB. Yeah, you read that right, larger than the entire corpus of classical literature. Daily. Here :

wc -l 'trilema.com-Jun-2016'
11860336 trilema.com-Jun-2016

What, pray tell, is in those almost twelve million lines ? Well...

cat 'trilema.com-Jun-2016' | grep -c "POST /xmlrpc.php"
7007245

7 out of 11 hits are attempts to POST on xmlrpc.php, which, if you've been following the story of Automattic deliberately poisoning the Internet, you will readily recognise as the entry point for blog spam, as well as Automattic-enabled DDoS attacks[1]. A tiny fraction (under 100) are legitimate pingbacks received (and published) by Trilema. The rest...

The rest are like so :

sort spam.txt |uniq -c | awk '{print $2": "$1}' | wc -l
1962

Talk about inequality, right ? Less than 2% of hosts generated 7 in 11 hits and are responsible for about 30 GB[2] of traffic this month. Except, here's the list of hosts that made more than 4 requests :

157.122.147.189[3]: 5
198.204.247.202[4]: 5
93.115.192.115[5]: 5
209.222.105.212[6]: 6
212.56.214.129[7]: 6
93.127.147.32[8]: 6
107.150.74.65[9]: 7
107.151.152.218[10]: 7
112.149.137.248[11]: 7
45.45.157.224[12]: 7
46.17.97.74[13]: 7
93.127.147.115[14]: 7
107.150.74.100[15]: 8
183.91.33.42[16]: 8
103.231.101.57[17]: 9
104.247.7.50[18]: 9
89.36.65.48[19]: 9

104.160.31.77[20]: 10
183.91.33.44[21]: 10
223.72.251.254[22]: 10
37.59.232.134[23]: 10
89.36.65.224[24]: 11
178.162.211.212[25]: 12
183.91.33.76[26]: 12
104.254.212.100[27]: 14
113.176.7.136[28]: 14
51.254.153.201[29]: 15
91.200.12.73[30]: 16
75.75.237.162[31]: 18
37.97.183.36[32]: 21
23.227.196.116[33]: 22
193.201.225.85[34]: 24
212.56.214.182[35]: 33
185.109.144.236[36]: 42
112.90.150.136[37]: 49
191.96.249.20[38]: 158
91.193.74.8[39]: 234
191.96.249.54[40]: 1459
93.115.97.162[41]: 1954
185.112.249.127[42]: 2984
23.227.199.105[43]: 4322
91.229.20.98[44]: 4654
63.141.227.243[45]: 4825
76.74.170.219[46]: 4977
76.74.170.65[47]: 7100
146.185.251.210[48]: 7487
146.185.251.48[49]: 8828

195.154.250.118[50]: 20204
91.188.125.194[51]: 38345
188.120.41.9[52]: 88705

185.142.236.197[53]: 149555
91.134.169.81[54]: 160016
185.142.236.219[55]: 162624
5.135.17.28[56]: 195002

151.80.82.32[57]: 256270
151.80.82.34[58]: 254606

185.130.6.52[59]: 1325408
185.103.109.139[60]: 1391617
185.103.109.246[61]: 1473624
185.103.109.248[62]: 1439165

That's right : 60 out of the total 1`962 spammers sent out 99.9% of all the (attempted, unsuccessful) spam.

To be perfectly clear : no-one on this list is innocent. Not a single one. It's just a matter of "spambots that spam and check" vs "spambots that just spam", and for that matter, the vast majority of the 1`962 aren't innocent either - there weren't that many Wordpress blogs linking to Trilema articles so far in June, not by an order of magnitude if not two.
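
As an added illustration (not code from the original post), the following Python example counts POSTs to xmlrpc.php per host, measures how concentrated they are, and separates hosts that "spam and check" from those that "just spam", using one reading of the type labels the footnotes introduce (A, A.A, B, DS, DS.G, DS.MA). The log lines, addresses, site name and classification rules are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# "Combined" access-log format, the layout of the excerpts quoted in the footnotes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample (documentation addresses, made-up site), not the page's log.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jun/2016:12:58:00 -0400] "GET /post-a/ HTTP/1.1" 200 8818 "http://blog.example/" "Mozilla/5.0 (X11)"
192.0.2.10 - - [02/Jun/2016:12:58:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://blog.example/" "PHP/5.2.91"
192.0.2.10 - - [02/Jun/2016:12:58:06 -0400] "GET /post-a/ HTTP/1.1" 200 8828 "-" "PHP/5.2.91"
192.0.2.11 - - [02/Jun/2016:13:00:00 -0400] "GET /post-b/ HTTP/1.0" 200 2779 "http://blog.example/" "Mozilla/5.0 (X11)"
192.0.2.11 - - [02/Jun/2016:13:00:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://blog.example/" "PHP/5.2.93"
192.0.2.12 - - [02/Jun/2016:13:01:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 1244 "-" "-"
192.0.2.12 - - [02/Jun/2016:13:01:05 -0400] "POST /xmlrpc.php HTTP/1.1" 200 1244 "-" "-"
192.0.2.12 - - [02/Jun/2016:13:01:09 -0400] "POST /xmlrpc.php HTTP/1.1" 200 1244 "-" "-"
192.0.2.13 - - [02/Jun/2016:13:02:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.13 - - [02/Jun/2016:13:02:07 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.14 - - [02/Jun/2016:13:03:00 -0400] "GET /post-c/ HTTP/1.0" 200 4297 "http://blog.example/" "Mozilla/5.0 (X11)"
192.0.2.14 - - [02/Jun/2016:13:03:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://blog.example/" "PHP/5.3.12"
192.0.2.14 - - [02/Jun/2016:13:03:02 -0400] "GET /post-c/ HTTP/1.0" 200 4298 "-" "PHP/5.3.12"
192.0.2.14 - - [02/Jun/2016:13:05:30 -0400] "GET /post-c/ HTTP/1.0" 200 4310 "-" "Mozilla/5.0 (X11)"
192.0.2.15 - - [02/Jun/2016:13:06:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 2477 "http://blog.example/xmlrpc.php" "iCab/2.9.1"
192.0.2.15 - - [02/Jun/2016:22:06:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 2477 "http://blog.example/xmlrpc.php" "Java/1.4.1_01"
192.0.2.16 - - [02/Jun/2016:13:07:00 -0400] "-" 408 - "-" "-"
198.51.100.7 - - [02/Jun/2016:13:08:00 -0400] "GET /post-a/ HTTP/1.1" 200 8818 "-" "Mozilla/5.0 (X11)"
"""


def parse(lines):
    """Yield one dict per well-formed line; lines with no request ('"-" 408') are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_xmlrpc_post(req):
    return req["method"] == "POST" and req["path"] == "/xmlrpc.php"


def xmlrpc_posts_per_host(requests):
    """Python equivalent of `sort | uniq -c` over the hosts POSTing to xmlrpc.php."""
    return Counter(r["host"] for r in requests if is_xmlrpc_post(r))


def top_share(counts, n):
    """Fraction of all xmlrpc POSTs sent by the n busiest hosts."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total if total else 0.0


def classify(host_requests):
    """Label one host's requests (in log order). The rules are this example's assumptions."""
    posts = [r for r in host_requests if is_xmlrpc_post(r)]
    if not posts:
        return "none"                      # never touched xmlrpc.php
    if not any(r["method"] == "GET" for r in host_requests):
        agents = {r["agent"] for r in posts}
        if any("Googlebot" in a for a in agents):
            return "DS.G"                  # just spams, claims to be Googlebot
        return "DS.MA" if len(agents) > 1 else "DS"
    first_post = next(i for i, r in enumerate(host_requests) if is_xmlrpc_post(r))
    checks = [r for r in host_requests[first_post + 1:] if r["method"] == "GET"]
    if not checks:
        return "B"                         # fetched a page, spammed, never looked back
    # A: checks once; A.A: checks again under a different agent string.
    return "A.A" if len({r["agent"] for r in checks}) > 1 else "A"


def classify_hosts(requests):
    by_host = defaultdict(list)
    for r in requests:
        by_host[r["host"]].append(r)
    return {host: classify(reqs) for host, reqs in by_host.items()}


if __name__ == "__main__":
    reqs = list(parse(SAMPLE_LOG.splitlines()))
    counts = xmlrpc_posts_per_host(reqs)
    print(counts.most_common(), top_share(counts, 2))
    print(classify_hosts(reqs))
```

The A.1 and M variants described in the footnotes are left out; they would need the timestamps and the trackback paths respectively.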

What must be going through one's head to buy a server and a C block (like 185.103.109.x) and then send 4.3 mn requests, that's over two per second for three weeks[63] straight ? If you ever wondered how "normal people" / Ethereum "investors" are created, I submit that this is the exact blueprint : "they just wanted to" and "maybe it works".

This is the Internet of Shit. It costs ~nothing to send a billion pointless requests, to write a billion pieces of pointless nonsense, to create yet another toxic "property", and so they're sent, and written, and created. In extremis it costs nothing to produce another billion of these shitheads - "the government" will provide for them, jobs and healthcare and food and mates and social media + television. God help us.

If I notify the hosts[64], I help build this idiocy. If I don't, then what do I do ? You tell me, how to go about it, so that we can have nice things without idiots involved in them - and if you say anything like "inclusive" or "democracy" or "human rights" or anything whatsoever along those lines - you lose.

You lose, like you've lost already, every single time you tried. The key to a livable society is repression, the key to well educated, well behaved youth is rape - merciless, painful, inescapable, violent and continuous rape. The key to happiness of the worthy is the subjection of the others, of the unworthy, of the lesser, of the insufficient, of the ambitious, of the subhuman. It's what it is, like it or not.

Frankly - I don't care what you'd prefer, or what you'd rather think you'd prefer. I'm sick and tired of living in the world of shit. Time for the world of rape.

Update. One day[65] after notifying the hosts, the situation has changed significantly[66] :

103.231.101.57, 104.160.31.77, 104.247.7.50, 104.254.212.100, 107.150.74.100, 107.150.74.65, 107.151.152.218, 112.149.137.248, 112.90.150.136, 113.176.7.136, 146.185.251.210[67], 146.185.251.48, 151.80.82.32, 151.80.82.34, 157.122.147.189, 178.162.211.212, 183.91.33.42, 183.91.33.44, 183.91.33.76, 185.103.109.139, 185.103.109.246, 185.103.109.248, 185.109.144.236, 185.112.249.127, 185.130.6.52[68], 185.142.236.197[69], 185.142.236.219, 188.120.41.9, 191.96.249.20, 191.96.249.54, 193.201.225.85, 195.154.250.118, 198.204.247.202, 209.222.105.212, 212.56.214.129, 212.56.214.182, 223.72.251.254, 23.227.196.116, 23.227.199.105, 37.59.232.134, 37.97.183.36, 45.45.157.224, 46.17.97.74, 51.254.153.201, 5.135.17.28, 63.141.227.243, 75.75.237.162, 76.74.170.219, 76.74.170.65, 89.36.65.224, 89.36.65.48, 91.134.169.81, 91.188.125.194[70], 91.193.74.8, 91.200.12.73, 91.229.20.98, 93.115.192.115, 93.115.97.162, 93.127.147.115, 93.127.147.32.

There's only one addition, 91.188.125.195, revving to catch up with 91.188.125.194. It is also worth pointing out that, perhaps contrary to expectation, exactly none of these are Windows chump desktops ; all reside in datacenters, and the response to abuse complaints is swift. Do consider doing the same I describe doing if you run into the same problem I describe running into. It certainly works : spurious requests are down all the way to 11`376 in the interval considered, from the ~2.3mn which'd be a linear projection based on the historical account. That's a 99.5% drop.

———
  1. By the way - they've still not fixed the hole ; in spite of the code being published, and the change minimal. It's been two years.

    "Responsible" disclosure ? Not even once. Rape the USG tools.

  2. AWS charges 10 cents each plus ~3 cents per GB in Load Balancers. So this whole pile of nonsense would have cost about two quarters, had I been using the (very expensive) AWS.
  3. Typical behaviour :

    157.122.147.189 - - [02/Jun/2016:12:58:00 -0400] "GET /2012/voluntary-contracts-after-a-while/ HTTP/1.1" 200 88186 "http://trilema.com/" "Mozilla/5.0 (iPad; CPU OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4"
    157.122.147.189 - - [02/Jun/2016:12:58:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.91"
    157.122.147.189 - - [02/Jun/2016:12:58:06 -0400] "GET /2012/voluntary-contracts-after-a-while/ HTTP/1.1" 200 88285 "-" "PHP/5.2.91"

    This is a run of the mill spambot, as discussed in more detail back in April. We'll call it type A because it does check after spamming.

  4. Typical behaviour :

    198.204.247.202 - - [06/Jun/2016:02:54:15 -0400] "POST /xmlrpc.php HTTP/1.1" 200 124423 "-" "-"
    198.204.247.202 - - [07/Jun/2016:08:53:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200 124423 "-" "-"
    198.204.247.202 - - [11/Jun/2016:03:10:40 -0400] "POST /xmlrpc.php HTTP/1.1" 200 124423 "-" "-"

    Just another dumb spammer, call it type DS.

  5. Typical behaviour :

    93.115.192.115 - - [16/Jun/2016:02:07:16 -0400] "GET /2010/continut-platit/ HTTP/1.0" 200 277994 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5"
    93.115.192.115 - - [16/Jun/2016:02:07:17 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.93"

    Also run of the mill spambot. We'll call it type B because it doesn't check after spamming.

  6. Typical behaviour :

    209.222.105.212 - - [14/Jun/2016:19:22:12 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 68035 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5"
    209.222.105.212 - - [14/Jun/2016:19:23:15 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.90"
    209.222.105.212 - - [14/Jun/2016:19:23:32 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 68192 "-" "PHP/5.2.90"

    We'll call this one type A.1 because it spams after waiting a minute.

  7. Typical behaviour :

    212.56.214.129 - - [21/Jun/2016:17:53:46 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    212.56.214.129 - - [21/Jun/2016:17:53:53 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    We'll call this type of dumb spammer DS.G because of its agent string.

  8. Typical behaviour :

    93.127.147.32 - - [01/Jun/2016:02:06:55 -0400] "GET /2011/o-vaca-cu-cabina/ HTTP/1.0" 200 42972 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    93.127.147.32 - - [01/Jun/2016:02:06:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.12"
    93.127.147.32 - - [01/Jun/2016:02:06:57 -0400] "GET /2011/o-vaca-cu-cabina/ HTTP/1.0" 200 42976 "-" "PHP/5.3.12"
    93.127.147.32 - - [01/Jun/2016:02:09:29 -0400] "GET /2011/o-vaca-cu-cabina/ HTTP/1.0" 200 43104 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    We'll call it type A.A because it checks, then changes agent and checks again.

  9. Typical behaviour :

    107.150.74.65 - - [17/Jun/2016:04:44:20 -0400] "GET /2010/afacerile-externe-ca-stiinta-exacta/ HTTP/1.0" 200 39257 "http://trilema.com/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
    107.150.74.65 - - [17/Jun/2016:04:44:24 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.46"
    107.150.74.65 - - [17/Jun/2016:04:44:38 -0400] "GET /2010/afacerile-externe-ca-stiinta-exacta/ HTTP/1.0" 200 39385 "-" "PHP/5.3.46"
    107.150.74.65 - - [17/Jun/2016:04:54:52 -0400] "GET /2010/afacerile-externe-ca-stiinta-exacta/ HTTP/1.0" 200 39232 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

    Type A.A

  10. Typical behaviour :

    107.151.152.218 - - [03/Jun/2016:19:32:23 -0400] "POST /2014/the-sins-of-the-group-of-posers-behind-the-so-called-bitcoin-foundation/trackback/ HTTP/1.0" 200 113 "http://trilema.com/2014/the-sins-of-the-group-of-posers-behind-the-so-called-bitcoin-foundation/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
    107.151.152.218 - - [05/Jun/2016:05:10:30 -0400] "POST /2014/the-scum/trackback/ HTTP/1.0" 200 113 "http://trilema.com/2014/the-scum/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
    107.151.152.218 - - [05/Jun/2016:16:33:00 -0400] "GET / HTTP/1.0" 200 32036 "http://trilema.com" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36"
    107.151.152.218 - - [05/Jun/2016:16:33:01 -0400] "POST /xmlrpc.php HTTP/1.0" 200 473 "http://trilema.com" "PHP/5.2.20"
    107.151.152.218 - - [05/Jun/2016:17:14:14 -0400] "GET / HTTP/1.0" 200 58305 "http://trilema.com" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36"
    107.151.152.218 - - [05/Jun/2016:17:14:19 -0400] "POST /xmlrpc.php HTTP/1.0" 200 473 "http://trilema.com" "PHP/5.3.04"
    107.151.152.218 - - [06/Jun/2016:02:17:38 -0400] "POST /2014/hair-the-musical/trackback/ HTTP/1.0" 200 113 "http://trilema.com/2014/hair-the-musical/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
    107.151.152.218 - - [06/Jun/2016:04:59:47 -0400] "POST /2014/on-essences/trackback/ HTTP/1.0" 200 113 "http://trilema.com/2014/on-essences/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"

    We'll call this M, because it's a mixed type trying to leave both spam comments and spam trackbacks.

  11. Typical behaviour :

    112.149.137.248 - - [04/Jun/2016:07:00:40 -0400] "POST /xmlrpc.php HTTP/1.1" 200 74872 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36"
    112.149.137.248 - - [04/Jun/2016:07:00:44 -0400] "POST /xmlrpc.php HTTP/1.1" 200 74872 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36"
    112.149.137.248 - - [04/Jun/2016:07:00:48 -0400] "POST /xmlrpc.php HTTP/1.1" 200 74872 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36"

    Type DS.

  12. Typical behaviour :

    45.45.157.224 - - [31/May/2016:21:43:50 -0400] "GET /2010/ce-bea-blogerul/ HTTP/1.0" 200 43755 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    45.45.157.224 - - [31/May/2016:21:43:53 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.31"
    45.45.157.224 - - [31/May/2016:21:43:55 -0400] "GET /2010/ce-bea-blogerul/ HTTP/1.0" 200 43924 "-" "PHP/5.3.31"
    45.45.157.224 - - [31/May/2016:21:46:58 -0400] "GET /2010/ce-bea-blogerul/ HTTP/1.0" 200 44074 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  13. Typical behaviour :

    46.17.97.74 - - [01/Jun/2016:02:12:03 -0400] "POST /xmlrpc.php HTTP/1.1" 200 224272 "-" "wp-iphone"
    46.17.97.74 - - [01/Jun/2016:02:26:38 -0400] "POST /xmlrpc.php HTTP/1.1" 200 224272 "-" "Windows Live Writer"
    46.17.97.74 - - [01/Jun/2016:02:38:35 -0400] "POST /xmlrpc.php HTTP/1.1" 200 224272 "-" "wp-windowsphone"

    Run of the mill DS.

  14. Typical behaviour :

    93.127.147.115 - - [12/Jun/2016:19:35:23 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.1" 200 67742 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
    93.127.147.115 - - [12/Jun/2016:19:35:24 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.84"
    93.127.147.115 - - [12/Jun/2016:19:35:25 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.1" 200 67811 "-" "PHP/5.2.84"
    93.127.147.115 - - [12/Jun/2016:19:36:29 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.1" 200 67819 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

    Type A.A

  15. Typical behaviour :

    107.150.74.100 - - [16/Jun/2016:01:35:40 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 68042 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
    107.150.74.100 - - [16/Jun/2016:01:35:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.82"
    107.150.74.100 - - [16/Jun/2016:01:35:46 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 68384 "-" "PHP/5.2.82"
    107.150.74.100 - - [16/Jun/2016:16:10:29 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 68048 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

    Type A.A, clearly same botnet as 93.127.147.115.

  16. Typical behaviour :

    183.91.33.42 - - [08/Jun/2016:02:50:34 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48678 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0"
    183.91.33.42 - - [08/Jun/2016:18:37:36 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48514 "http://trilema.com/" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17"
    183.91.33.42 - - [08/Jun/2016:18:40:47 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.12"
    183.91.33.42 - - [08/Jun/2016:18:45:57 -0400] "-" 408 - "-" "-"
    183.91.33.42 - - [10/Jun/2016:01:59:26 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48344 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0"
    183.91.33.42 - - [10/Jun/2016:07:52:47 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48367 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:34.0) Gecko/20100101 Firefox/34.0"
    183.91.33.42 - - [10/Jun/2016:07:52:49 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.86"
    183.91.33.42 - - [10/Jun/2016:07:52:51 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48497 "-" "PHP/5.2.86"

    Seems to be same A.A with a twist. Different botnet running same codebase with slight modifications.

  17. Typical behaviour :

    103.231.101.57 - - [15/Jun/2016:09:51:35 -0400] "POST /xmlrpc.php HTTP/1.1" 200 146584 "-" "Mozilla/5.0 (Windows 10; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
    103.231.101.57 - - [15/Jun/2016:09:51:43 -0400] "POST /xmlrpc.php HTTP/1.1" 200 146584 "-" "Mozilla/5.0 (Windows 10; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
    103.231.101.57 - - [15/Jun/2016:09:51:49 -0400] "POST /xmlrpc.php HTTP/1.1" 200 146584 "-" "Mozilla/5.0 (Windows 10; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"

    Type DS.

  18. Typical behaviour :

    104.247.7.50 - - [31/May/2016:20:12:46 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37690 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    104.247.7.50 - - [31/May/2016:20:12:47 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.55"
    104.247.7.50 - - [31/May/2016:20:12:50 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37684 "-" "PHP/5.3.55"
    104.247.7.50 - - [31/May/2016:20:15:03 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37689 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  19. Typical behaviour :

    89.36.65.48 - - [01/Jun/2016:02:38:22 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37613 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    89.36.65.48 - - [01/Jun/2016:02:38:23 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.20"
    89.36.65.48 - - [01/Jun/2016:02:38:25 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37890 "-" "PHP/5.2.20"
    89.36.65.48 - - [01/Jun/2016:02:38:33 -0400] "GET /2011/o-vaca-cu-cabina/ HTTP/1.0" 200 42946 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  20. Typical behaviour :

    104.160.31.77 - - [13/Jun/2016:11:18:40 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 67680 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
    104.160.31.77 - - [13/Jun/2016:11:18:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.02"
    104.160.31.77 - - [13/Jun/2016:11:18:43 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 67832 "-" "PHP/5.2.02"
    104.160.31.77 - - [13/Jun/2016:11:21:23 -0400] "GET /2013/the-sanity-dogma/ HTTP/1.0" 200 67818 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

    Type A.A

  21. Typical behaviour :

    183.91.33.44 - - [10/Jun/2016:12:06:45 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48462 "http://trilema.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:34.0) Gecko/20100101 Firefox/34.0"
    183.91.33.44 - - [10/Jun/2016:12:06:47 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.50"
    183.91.33.44 - - [10/Jun/2016:12:06:51 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48508 "-" "PHP/5.2.50"
    183.91.33.44 - - [10/Jun/2016:12:07:25 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48536 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  22. Typical behaviour :

    223.72.251.254 - - [01/Jun/2016:01:27:56 -0400] "GET /2011/mai-exista-windows-3xx/ HTTP/1.1" 200 59540 "http://trilema.com/" "Mozilla/5.0 (Android; Mobile; rv:34.0) Gecko/34.0 Firefox/34.0"
    223.72.251.254 - - [01/Jun/2016:01:27:58 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.12"
    223.72.251.254 - - [01/Jun/2016:01:28:00 -0400] "GET /2011/mai-exista-windows-3xx/ HTTP/1.1" 200 59623 "-" "PHP/5.3.12"
    223.72.251.254 - - [01/Jun/2016:01:52:50 -0400] "GET /2012/voluntary-contracts-after-a-while/ HTTP/1.1" 200 87915 "-" "Mozilla/5.0 (Android; Mobile; rv:34.0) Gecko/34.0 Firefox/34.0"

    Type A.A

  23. Typical behaviour :

    37.59.232.134 - - [01/Jun/2016:14:42:45 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 277926 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    37.59.232.134 - - [01/Jun/2016:14:42:49 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.44"
    37.59.232.134 - - [01/Jun/2016:14:42:53 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 278152 "-" "PHP/5.3.44"
    37.59.232.134 - - [01/Jun/2016:14:43:59 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 277996 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  24. Typical behaviour :

    89.36.65.224 - - [31/May/2016:19:29:25 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37559 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    89.36.65.224 - - [31/May/2016:19:29:26 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.42"
    89.36.65.224 - - [31/May/2016:19:29:27 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37818 "-" "PHP/5.2.42"
    89.36.65.224 - - [31/May/2016:19:30:48 -0400] "GET /2009/bucatarie-interna/ HTTP/1.0" 200 37907 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  25. Typical behaviour :

    178.162.211.212 - - [02/Jun/2016:16:40:54 -0400] "POST /xmlrpc.php HTTP/1.1" 200 62422 "-" "Mozilla/5.0 (Windows 10; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
    178.162.211.212 - - [02/Jun/2016:16:40:55 -0400] "POST /xmlrpc.php HTTP/1.1" 200 62422 "-" "Mozilla/5.0 (Windows 10; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
    178.162.211.212 - - [02/Jun/2016:16:40:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200 62422 "-" "Mozilla/5.0 (Windows 10; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
    178.162.211.212 - - [02/Jun/2016:16:40:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200 62422 "-" "Mozilla/5.0 (Windows 10; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"

    Type DS.

  26. Typical behaviour :

    183.91.33.76 - - [08/Jun/2016:01:59:48 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48514 "http://trilema.com/" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0"
    183.91.33.76 - - [08/Jun/2016:01:59:51 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.77"
    183.91.33.76 - - [08/Jun/2016:01:59:53 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48675 "-" "PHP/5.3.77"
    183.91.33.76 - - [08/Jun/2016:02:03:55 -0400] "GET /2012/o-hai-i-was-justing-doing-a-penetration-test-of-your-site/ HTTP/1.1" 200 48748 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  27. Typical behaviour :

    104.254.212.100 - - [03/Jun/2016:18:48:40 -0400] "GET /2009/flaubert-suntem-noi/ HTTP/1.1" 200 127125 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
    104.254.212.100 - - [03/Jun/2016:18:48:42 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.13"
    104.254.212.100 - - [03/Jun/2016:18:48:43 -0400] "GET /2009/flaubert-suntem-noi/ HTTP/1.1" 200 127241 "-" "PHP/5.3.13"
    104.254.212.100 - - [03/Jun/2016:18:54:07 -0400] "GET /2009/flaubert-suntem-noi/ HTTP/1.1" 200 127294 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

    Type A.A

  28. Typical behaviour :

    113.176.7.136 - - [01/Jun/2016:01:23:52 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 277928 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    113.176.7.136 - - [01/Jun/2016:01:24:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.52"
    113.176.7.136 - - [01/Jun/2016:01:24:09 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 278042 "-" "PHP/5.3.52"
    113.176.7.136 - - [01/Jun/2016:01:25:14 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 278019 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  29. Typical behaviour :

    51.254.153.201 - - [02/Jun/2016:12:33:28 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 278423 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"
    51.254.153.201 - - [02/Jun/2016:12:33:34 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.23"
    51.254.153.201 - - [02/Jun/2016:12:33:36 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 278386 "-" "PHP/5.2.23"
    51.254.153.201 - - [02/Jun/2016:12:33:44 -0400] "GET /2010/continut-platit/ HTTP/1.1" 200 278434 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"

    Type A.A

  30. Typical behaviour :

    91.200.12.73 - - [04/Jun/2016:08:16:23 -0400] "GET /2013/ripple-the-definitive-discussion/ HTTP/1.1" 200 72172 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    91.200.12.73 - - [04/Jun/2016:08:16:23 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.2.79"
    91.200.12.73 - - [04/Jun/2016:08:16:25 -0400] "GET /2013/ripple-the-definitive-discussion/ HTTP/1.1" 200 72433 "-" "PHP/5.2.79"
    91.200.12.73 - - [04/Jun/2016:08:20:41 -0400] "GET /2013/ripple-the-definitive-discussion/ HTTP/1.1" 200 72339 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  31. Typical behaviour :

    75.75.237.162 - - [01/Jun/2016:05:57:30 -0400] "GET /2012/lets-have-fun-with-paul-graham/ HTTP/1.1" 200 56820 "http://trilema.com/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    75.75.237.162 - - [01/Jun/2016:05:57:34 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "http://trilema.com/" "PHP/5.3.54"
    75.75.237.162 - - [01/Jun/2016:05:57:39 -0400] "GET /2012/lets-have-fun-with-paul-graham/ HTTP/1.1" 200 56950 "-" "PHP/5.3.54"
    75.75.237.162 - - [01/Jun/2016:05:58:43 -0400] "GET /2012/lets-have-fun-with-paul-graham/ HTTP/1.1" 200 56936 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

    Type A.A

  32. Typical behaviour :

    37.97.183.36 - - [12/Jun/2016:08:55:10 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    37.97.183.36 - - [12/Jun/2016:08:55:11 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    37.97.183.36 - - [12/Jun/2016:08:55:11 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    37.97.183.36 - - [12/Jun/2016:08:55:12 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

    Type DS.G

  33. Typical behaviour :

    23.227.196.116 - - [09/Jun/2016:04:26:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    23.227.196.116 - - [09/Jun/2016:04:26:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    23.227.196.116 - - [09/Jun/2016:04:26:08 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    Type DS.G

  34. Typical behaviour :

    193.201.225.85 - - [15/Jun/2016:11:58:18 -0400] "POST /xmlrpc.php HTTP/1.1" 200 35596 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021016 K-Meleon 0.7"
    193.201.225.85 - - [16/Jun/2016:03:33:51 -0400] "POST /xmlrpc.php HTTP/1.1" 200 71020 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.11) Gecko/20071216 Firefox/2.0.0.11"
    193.201.225.85 - - [16/Jun/2016:10:56:59 -0400] "POST /xmlrpc.php HTTP/1.1" 200 69544 "http://trilema.com/xmlrpc.php" "iCCrawler (http://www.iccenter.net/bot.htm)"
    193.201.225.85 - - [16/Jun/2016:18:19:55 -0400] "POST /xmlrpc.php HTTP/1.1" 200 67330 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux i686; nb-NO; rv:1.9.1.16) Gecko/20110420 SeaMonkey/2.0.14"
    193.201.225.85 - - [17/Jun/2016:01:43:12 -0400] "POST /xmlrpc.php HTTP/1.1" 200 71758 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6) Gecko/20100628 Ubuntu/10.04 (lucid) Firefox/3.6.6"
    193.201.225.85 - - [17/Jun/2016:09:04:49 -0400] "POST /xmlrpc.php HTTP/1.1" 200 71758 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux; X11) KHTML/3.5.3 (like Gecko) Kubuntu 6.06 Dapper"

    We'll call this type DS.MA because of the multiple agent strings.

  35. Typical behaviour :

    212.56.214.182 - - [23/Jun/2016:09:05:45 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    212.56.214.182 - - [23/Jun/2016:09:05:46 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    212.56.214.182 - - [23/Jun/2016:09:05:47 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    212.56.214.182 - - [23/Jun/2016:09:05:49 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    Basic DS type.

  36. Typical behaviour :

    185.109.144.236 - - [02/Jun/2016:05:24:38 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    24772 "http://trilema.com/xmlrpc.php" "Java/1.4.1_01"
    185.109.144.236 - - [02/Jun/2016:14:27:06 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    24772 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
    en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.211.7 Safari/532.0"
    185.109.144.236 - - [02/Jun/2016:23:36:11 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    24772 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux x86_64; sv-SE
    ; rv:1.9.0.7) Gecko/2009030423 Ubuntu/8.10 (intrepid) Firefox/3.0.7"
    185.109.144.236 - - [03/Jun/2016:08:27:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    24772 "http://trilema.com/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux i686 (x86_64)
    ; en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16 Flock/2.5.6"
    185.109.144.236 - - [03/Jun/2016:17:02:44 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    24772 "http://trilema.com/xmlrpc.php" "Mozilla/4.0 (compatible; MSIE 5.01; Wind
    ows NT; .NET CLR 1.0.3705)"
    185.109.144.236 - - [04/Jun/2016:01:36:33 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    24772 "http://trilema.com/xmlrpc.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windo
    ws NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath
    .2; .NET CLR 3.5.30729; .NET CLR 3.0.30618; Lunascape 5.1.3.4)"
    185.109.144.236 - - [04/Jun/2016:10:11:01 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    24772 "http://trilema.com/xmlrpc.php" "iCab/2.9.1 (Macintosh; U; PPC)"

    Another DS.MA type.

  37. Typical behaviour :

    112.90.150.136 - - [06/Jun/2016:07:26:35 -0400] "GET /2012/extraordinarul-act-de
    -supunere-estivala-al-elvirei/ HTTP/1.1" 200 43840 "http://trilema.com/" "Mozill
    a/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, li
    ke Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4"
    112.90.150.136 - - [06/Jun/2016:07:27:18 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "http://trilema.com/" "PHP/5.3.42"
    112.90.150.136 - - [06/Jun/2016:07:27:28 -0400] "GET /2012/extraordinarul-act-de
    -supunere-estivala-al-elvirei/ HTTP/1.1" 200 43962 "-" "PHP/5.3.42"
    112.90.150.136 - - [06/Jun/2016:07:52:34 -0400] "GET /2012/extraordinarul-act-de
    -supunere-estivala-al-elvirei/ HTTP/1.1" 200 44154 "-" "Mozilla/5.0 (iPhone; CPU
    iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/
    8.0 Mobile/12B440 Safari/600.1.4"

    Run of the mill A.A type.

  38. Typical behaviour :

    191.96.249.20 - - [02/Jun/2016:23:22:42 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.20 - - [02/Jun/2016:23:22:42 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.20 - - [02/Jun/2016:23:24:15 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.20 - - [02/Jun/2016:23:24:26 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    DS type.

  39. Typical behaviour :

    91.193.74.8 - - [11/Jun/2016:15:00:09 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    91.193.74.8 - - [11/Jun/2016:15:05:39 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    91.193.74.8 - - [11/Jun/2016:15:24:28 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    91.193.74.8 - - [11/Jun/2016:15:30:07 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    DS type.

  40. Typical behaviour :

    191.96.249.54 - - [06/Jun/2016:10:57:49 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [06/Jun/2016:10:57:50 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [06/Jun/2016:10:57:50 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [06/Jun/2016:10:57:50 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    Another run of the mill DS type.

  41. Typical behaviour :

    93.115.97.162 - - [01/Jun/2016:16:38:21 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    93.115.97.162 - - [01/Jun/2016:18:25:37 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    93.115.97.162 - - [01/Jun/2016:18:25:39 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    93.115.97.162 - - [01/Jun/2016:18:25:40 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    Yet another run of the mill DS type.

  42. Typical behaviour :

    185.112.249.127 - - [20/Jun/2016:20:32:14 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.112.249.127 - - [20/Jun/2016:20:32:15 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.112.249.127 - - [20/Jun/2016:20:32:16 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.112.249.127 - - [20/Jun/2016:20:32:17 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"

    DS.G type.

  43. Typical behaviour :

    23.227.199.105 - - [09/Jun/2016:04:26:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "
    23.227.199.105 - - [09/Jun/2016:04:26:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "
    23.227.199.105 - - [09/Jun/2016:04:26:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "
    23.227.199.105 - - [09/Jun/2016:04:26:16 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "

    Another DS.G type.

  44. Typical behaviour :

    91.229.20.98 - - [01/Jun/2016:12:12:15 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    91.229.20.98 - - [01/Jun/2016:12:12:15 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    91.229.20.98 - - [01/Jun/2016:12:12:16 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    91.229.20.98 - - [01/Jun/2016:12:12:17 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    DS type.

  45. Typical behaviour :

    63.141.227.243 - - [03/Jun/2016:18:41:16 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    63.141.227.243 - - [03/Jun/2016:18:41:19 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    63.141.227.243 - - [03/Jun/2016:18:41:22 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    63.141.227.243 - - [03/Jun/2016:18:41:25 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    Another DS type.

  46. Typical behaviour :

    76.74.170.219 - - [09/Jun/2016:12:54:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    76.74.170.219 - - [09/Jun/2016:12:54:14 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    76.74.170.219 - - [09/Jun/2016:12:54:15 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    76.74.170.219 - - [09/Jun/2016:12:54:16 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    Another DS.G type.

  47. Typical behaviour :

    76.74.170.65 - - [09/Jun/2016:09:57:40 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    76.74.170.65 - - [09/Jun/2016:09:57:41 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    76.74.170.65 - - [09/Jun/2016:09:57:43 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    76.74.170.65 - - [09/Jun/2016:09:57:44 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    Yet another DS.G type.

  48. Typical behaviour :

    146.185.251.210 - - [12/Jun/2016:17:05:40 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    146.185.251.210 - - [12/Jun/2016:17:06:24 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    146.185.251.210 - - [12/Jun/2016:17:08:26 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    146.185.251.210 - - [12/Jun/2016:17:08:42 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    Another DS type.

  49. Typical behaviour :

    146.185.251.48 - - [11/Jun/2016:16:00:15 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    146.185.251.48 - - [11/Jun/2016:16:00:45 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    146.185.251.48 - - [11/Jun/2016:16:01:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    146.185.251.48 - - [11/Jun/2016:16:02:23 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

    Yet another DS type.

  50. Typical behaviour :

    195.154.250.118 - - [10/Jun/2016:04:13:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    195.154.250.118 - - [10/Jun/2016:04:13:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    195.154.250.118 - - [10/Jun/2016:04:13:56 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    195.154.250.118 - - [10/Jun/2016:04:13:57 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

    Also DS type.

  51. Typical behaviour :

    91.188.125.194 - - [23/Jun/2016:22:18:25 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "
    91.188.125.194 - - [23/Jun/2016:22:18:26 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "
    91.188.125.194 - - [23/Jun/2016:22:18:26 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "
    91.188.125.194 - - [23/Jun/2016:22:18:27 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
    "

    More of the DS.G type.

  52. Typical behaviour :

    188.120.41.9 - - [31/May/2016:08:13:04 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54
    "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    188.120.41.9 - - [31/May/2016:08:13:18 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54
    "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    188.120.41.9 - - [31/May/2016:08:13:18 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54
    "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    188.120.41.9 - - [31/May/2016:08:20:27 -0400] "POST /xmlrpc.php HTTP/1.1" 200 54
    "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

    Another DS.G type.

  53. Typical behaviour :

    185.142.236.197 - - [12/Jun/2016:12:53:52 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.142.236.197 - - [12/Jun/2016:12:53:52 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.142.236.197 - - [12/Jun/2016:12:53:53 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.142.236.197 - - [12/Jun/2016:12:53:53 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"

    Yet another DS.G type.

  54. Typical behaviour :

    91.134.169.81 - - [02/Jun/2016:19:34:19 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    91.134.169.81 - - [02/Jun/2016:19:34:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    91.134.169.81 - - [02/Jun/2016:19:34:55 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    91.134.169.81 - - [02/Jun/2016:19:35:24 -0400] "POST /xmlrpc.php HTTP/1.0" 200 5
    4 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    Another DS.G type.

  55. Typical behaviour :

    185.142.236.219 - - [11/Jun/2016:03:56:28 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.142.236.219 - - [11/Jun/2016:03:56:28 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.142.236.219 - - [11/Jun/2016:03:56:29 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.142.236.219 - - [11/Jun/2016:03:56:29 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"

    Yet another DS.G type.

  56. Typical behaviour :

    5.135.17.28 - - [02/Jun/2016:19:31:56 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    5.135.17.28 - - [02/Jun/2016:19:32:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    5.135.17.28 - - [02/Jun/2016:19:32:03 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    5.135.17.28 - - [02/Jun/2016:19:32:07 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    Yet another DS.G type.

  57. Typical behaviour :

    151.80.82.32 - - [02/Jun/2016:19:36:07 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    151.80.82.32 - - [02/Jun/2016:19:36:38 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    151.80.82.32 - - [02/Jun/2016:19:37:09 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    151.80.82.32 - - [02/Jun/2016:19:37:40 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    There's no end to these, is there. DS.G again.

  58. Typical behaviour :

    151.80.82.34 - - [02/Jun/2016:19:36:08 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    151.80.82.34 - - [02/Jun/2016:19:36:39 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    151.80.82.34 - - [02/Jun/2016:19:37:10 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    151.80.82.34 - - [02/Jun/2016:19:37:41 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    DS.G type again.

  59. Typical behaviour :

    185.130.6.52 - - [12/Jun/2016:12:53:51 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    185.130.6.52 - - [12/Jun/2016:12:53:52 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    185.130.6.52 - - [12/Jun/2016:12:53:52 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
    185.130.6.52 - - [12/Jun/2016:12:53:53 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54
    "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

    Yes, your intuition is correct : DS.G type!

  60. Typical behaviour :

    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

    Another DS.G spambot.

  61. Typical behaviour :

    185.103.109.246 - - [07/Jun/2016:00:30:51 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.103.109.246 - - [07/Jun/2016:00:30:52 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.103.109.246 - - [07/Jun/2016:00:30:52 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"
    185.103.109.246 - - [07/Jun/2016:00:30:53 -0400] "POST /xmlrpc.php HTTP/1.0" 200
    54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html
    )"

    Yet another DS.G type spambot. I'm curious : have you seen an increase in indexing activity from Google in the past months ?

  62. Typical behaviour :

    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
    185.103.109.139 - - [31/May/2016:08:08:32 -0400] "POST /xmlrpc.php HTTP/1.1" 200
    54 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

    And another DS.G spambot.

  63. Last month is no different, for the record, it's not like this started on the 1st of June by any means. Nor was April. Or April of last year.
  64. Here's what I learned trying :

    • Takes a while to find 107.150.74.65 belongs to zenlayer, because it's not properly listed. Once you do, zenlayer simply rejects email to abuse@zenlayer.com. Because why not amirite ? Yes, I reported them to ARIN, and I'm ever-so-sure they'll lose the block.
    • abuse@ipffm.de (IPFFM Internet Provider Frankfurt GmbH) simply drops emails. Had to notify Accelerated, their provider.
    • Apparently "nobody" owns 104.160.31.77. Yet it routes fine, through cyber-wurx-llc.10gigabitethernet1-1-2.switch1.atl2.he.net (216.66.41.118) ; 69.61.24.218 (69.61.24.218) ; 104.160.31.77.dynamic.nationinternet.net (104.160.31.77). Wonder of wonders, this. Reported to CachedNet LLC, the upstream provider (and a major provider for the entire list).
    • hostmaster@chinamobile.com rejects abuse email (not that it has a proper abuse inbox anyway). Reported to APNIC, for all the good that'll do.
    • The VietNam Post and Telecom Corporation does not feel the need to list an abuse contact email. Or an email whatsoever, actually. Not via whois, not on website, not anywhere! abuse@vnnic.net.vn also fails, and all this is perfectly fine, apparently.
    • abuse@hostslim.nl (a front for abuse@rakar.nl) simply drops emails. Reported to RIPE.
    • abuse@cogentco.com drops emails. Reported to ARIN.
    • info@detchile.com (the only abuse contact for "Digital Energy Technologies Chile SpA") drops emails. Reported to LACNIC.
    • Swiftway (abuse@swiftway.co.uk) sent me mails claiming neither 23.227.199.105 nor 23.227.196.116 is their customer, which is amusing considering the whois doesn't lie.


  65. Less, really. About 16 hours.
  66. Data based on the first 8 hours of June 25th.
  67. spservers.org, aka

    role: Super Professional Servers Network Operation Centre
    address: ************************************************************
    address: 1st Magistralny blind alley, 30,
    address: BC "The Yard",
    admin-c: KL2587-RIPE
    tech-c: KL2587-RIPE
    address: Moskow
    address: Russian Federation
    remarks: 24/7 NOC&SUPPORT: support@spservers.org
    remarks: Abuse issues: abuse@spservers.org will be handled ASAP
    remarks: Network&peering Issues: support@spservers.org
    phone: +74957082672
    address: ************************************************************


  68. "Sindicate group" using AS200039 as HYDRA-MNT. Notified sindicategrourp@gmail.com - yeah, that's what they list, misspelled like that - and noc@zare.co.uk ; no answer and honestly the arrangement looks rather dubious.
  69. Blackhost Ltd. Notified me that they've opened tickets 200096 and 772569.
  70. Notified abuse@sitel.net.pl ; received no response. They're running AS59491 mnt-by sitelnetpl-mnt. Judging by the fact that they not only failed to block the listed IP but even allowed the spammer a new one, the whole thing seems altogether dubious.
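
The per-host labels used in the footnotes above can be assigned mechanically from the access log. The following is an added example, not the author's own tooling: it groups `POST /xmlrpc.php` hits by source address and labels each host from its agent strings. Assumptions: DS.MA means more than one agent string (as footnoted), DS.G is read here as "claims a Googlebot agent string" and plain DS as "one repeated agent string"; the log lines are constructed, using documentation addresses, and the minimum-hits cut-off is a parameter.

```shell
#!/bin/sh
# Constructed sample in Apache combined log format (not lines from the real log).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [16/Jun/2016:10:56:59 -0400] "POST /xmlrpc.php HTTP/1.1" 200 69544 "http://example.org/xmlrpc.php" "iCCrawler (http://www.iccenter.net/bot.htm)"
198.51.100.7 - - [16/Jun/2016:18:19:55 -0400] "POST /xmlrpc.php HTTP/1.1" 200 67330 "http://example.org/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux i686; nb-NO; rv:1.9.1.16) Gecko/20110420 SeaMonkey/2.0.14"
198.51.100.7 - - [17/Jun/2016:01:43:12 -0400] "POST /xmlrpc.php HTTP/1.1" 200 71758 "http://example.org/xmlrpc.php" "Java/1.4.1_01"
192.0.2.10 - - [23/Jun/2016:09:05:45 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
192.0.2.10 - - [23/Jun/2016:09:05:46 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
192.0.2.10 - - [23/Jun/2016:09:05:47 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
203.0.113.5 - - [02/Jun/2016:23:22:42 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [02/Jun/2016:23:22:42 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [02/Jun/2016:23:24:15 -0400] "POST /xmlrpc.php HTTP/1.0" 200 54 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
192.0.2.99 - - [05/Jun/2016:11:00:01 -0400] "GET /some-article/ HTTP/1.1" 200 43840 "-" "WordPress/4.5; http://example.net"
192.0.2.99 - - [05/Jun/2016:11:00:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "WordPress/4.5; http://example.net"
EOF
}

# Reads a combined-format log on stdin and prints one line per host with at
# least $1 POSTs to /xmlrpc.php (default 5, i.e. "more than 4 requests"):
#   <ip> <xmlrpc POSTs> <distinct agent strings> <label>
classify_xmlrpc_hosts() {
  awk -F'"' -v min="${1:-5}" '
    # Splitting on double quotes: $1 = "ip - - [date] ", $2 = request line,
    # $4 = referer, $6 = agent string.
    $2 ~ /^POST \/xmlrpc\.php / {
      split($1, head, " ")
      ip = head[1]
      ua = $6
      hits[ip]++
      if (!((ip, ua) in seen)) { seen[ip, ua] = 1; agents[ip]++ }
      if (ua ~ /Googlebot/) google[ip] = 1
    }
    END {
      for (ip in hits) {
        if (hits[ip] < min + 0) continue      # low-volume host, e.g. a pingback
        if (agents[ip] > 1)      label = "DS.MA"  # rotating agent strings
        else if (ip in google)   label = "DS.G"   # single, Googlebot-claiming agent
        else                     label = "DS"     # single repeated agent
        printf "%s %d %d %s\n", ip, hits[ip], agents[ip], label
      }
    }
  ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample with a cut-off of 3 hits.
sample_log | classify_xmlrpc_hosts 3
```

A host that rotates agent strings and also claims Googlebot is reported as DS.MA, since the rotation check runs first; the agent string alone never proves or disproves that a request came from Google.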
Category: Meta psihoza

8 Responses

  1. Mircea Popescu
    Friday, 24 June 2016

    Updated, mostly for footnote 64.

  2. lothrop.s
    Friday, 24 June 2016

    see
    https://www.webiron.com/bot_feed/d80d40b13ccf07a2c523e3c6625d101d
    [185.109.144.236]

  3. Mircea Popescu
    Friday, 24 June 2016

    Interesting!

    How is the "bot ID" derived ?

  4. tldr

  5. Mircea Popescu
    Wednesday, 6 July 2016

    The nut isn't for girls.

  6. Howdy! I'm at work surfing around your blog from my new iphone 3gs!
    Just wanted to say I love reading your blog and look forward to all
    your posts! Carry on the outstanding work!

  7. Mircea Popescu
    Tuesday, 28 March 2017

    Aok.

  1. [...] Mircea Popescu Intro mircea_popescu Hey asciilifeform check out the update to The Internet of Shit . Most of them got shut down within 16 hours or somesuch. asciilifeform Srsly? Then again sp4mz0rz [...]
