By gybanez on

I updgraded to 4.7.2 and not sure if there is a setting I missed. The last 3 nights, I get a lot of comment replies where this person does not write anything on the subject and body. He does this like2-4 times in the same minute. So in a few minutes I see about 10 or more of these annoying emtpy comments.

I'm not sure if there is a way to block this specific IP. I noticed it's from the same IP. I allow anonymous users to post comments on my site so I cannot change that. I'm thinking is this is a bot from this site that goes and does this? If it is a bot what is it trying to do by with these annoying comments? Or is it trying to hack my site?

I have his IP and it is 195.225.177.6

It also comes up like this when I do a whois

NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1996-03-25
Updated: 2005-08-03

RTechHandle: RIPE-NCC-ARIN
RTechName: RIPE NCC Hostmaster
RTechPhone: +31 20 535 4444
RTechEmail: search-ripe-ncc-not-arin@ripe.net

Categories: Drupal 4.7.x

Comments

Xano’s picture

Xano
he/they
Primary language English
Location Southampton
commented

How did you get those stats? That phone number is from a place in Amsterdam, The Netherlands, but when I do a lookup I get one from Ukraine...

phow4rd’s picture

phow4rd commented

...but I think you need to go to admin > access control > access rules > add rule.

For "access type", select "deny", and for "rule type", choose "host".

Enter the IP address in the "mask" field and click "add rule".

Your mysterious visitor should now be blocked. (I think. Like I said, I haven't had the need yet. Please let us know if it works.)

gybanez’s picture

gybanez commented

Thanks phow4rd, it's working. So far last night no mysterious empty comments. Unfortunately, I'm near SF California and if I didn't allow Anonymous comments, my site would be dead.

Also, I did a who is lookup to that IP by using ARIN.NET and that is how I got that information.

Thanks again for everyone's help. Hopefully this guy won't change his IP because I'll have to hunt for it again. :)

gurpreet2000’s picture

gurpreet2000 commented

thanks it's really work without installing addition module.

narres’s picture

narres commented

Should work from admin/logs/visitors

There is the operation ban available, too.

Thomas Narres
Keep the sunny side up

joemoraca’s picture

joemoraca commented

this person needs to get outside more ..

but I have anon comments turned off

Joe Moraca
http://www.moraca.org

gybanez’s picture

gybanez commented

omg the same exact IP is also doing that to you? It's amazing that this user/company is attacking drupal powered sites? Oh well, you're lucky you can turn off anonymous.

Heine’s picture

Heine commented

This IP is running a spambot. Because of the strange submissions (empty instead of spam), the person behind the spambot is either 1) testing, 2) having trouble with drupal or 3) really stupid.

See
http://incredibill.blogspot.com/2006/06/stupid-spammers-snared.html

Search google for the IP and you'll see some typical spam posts.
--
The Manual | Troubleshooting FAQ | Tips for posting | Make Backups! | Consider creating a Test site.

gybanez’s picture

gybanez commented

You are right, I have spambots hitting my site. At least 2-5 a day. Is there a way to stop them? I have been adding their IP to my list of denied IP's. Is there a better way to battle these idiots?

IncrediBILL’s picture

IncrediBILL commented

Just install or enable a captcha on your comment post page as that seems to stop the automated spam dead but you'll still get the occassional hand made spam.

FYI, when you run whois and it whos RIPE or APNIC or something like that you're not looking at the actual source, you're looking at the registrar of internet numbers for tha area.

To further refine your query, if done from command line, needs be the following:

whois -h whois.ripe.net 195.225.177.6

You can also go to ripe.net's website and do the whois from their website.

inetnum: 195.225.176.0 - 195.225.179.255
netname: NETCATHOST
descr: NetcatHosting
country: UA
admin-c: VS1142-RIPE
tech-c: VS1142-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: NETCATHOST-MNT
mnt-routes: NETCATHOST-MNT
source: RIPE # Filtered
remarks: ****************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ****************************************

person: Vsevolod Stetsinsky
address: 01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
phone: +38 050 6226676
e-mail: vs@netcathost.com
nic-hdl: VS1142-RIPE
source: RIPE # Filtered

% Information related to '195.225.176.0/22AS31159'

route: 195.225.176.0/22
descr: NETCATHOST (full block)
origin: AS31159
mnt-by: NETCATHOST-MNT
remarks: ****************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ****************************************
source: RIPE # Filtered

Francewhoa’s picture

Francewhoa
he/him
Primary language French
Location Sept-Îles, Québec, 🇨🇦
commented

Comparison of contributed modules for dealing with troublesome users http://drupal.org/node/645216

Or build in Drupal http://drupal.org/node/645218

Loving back your Drupal community result in multiple benefits for you