How to block this spamming site?

Hi,

I have been getting inundated with email opt-ins. Checking my server logs, I find this:

46.105.100.149 - - [19/Apr/2017:23:56:42 +0000] "GET / HTTP/1.1" 200 16239 "-" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
46.105.100.149 - - [19/Apr/2017:23:56:44 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 46 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
46.105.100.149 - - [19/Apr/2017:23:56:44 +0000] "GET / HTTP/1.1" 200 16253 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
89.234.157.254 - - [20/Apr/2017:00:12:53 +0000] "GET / HTTP/1.1" 200 17799 "-" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
178.63.97.34 - - [20/Apr/2017:00:12:57 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 46 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
178.63.97.34 - - [20/Apr/2017:00:12:57 +0000] "GET / HTTP/1.1" 200 16316 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
109.163.234.2 - - [20/Apr/2017:00:13:15 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 46 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
163.172.142.15 - - [20/Apr/2017:00:41:38 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 46 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"

Each with a different IP. I noticed that they all have Gecko/20100101 in common. How can I block these?

Thanks

Are you certain you want to block desktop Firefox users?

Gecko/geckotrail indicates that the browser is based on Gecko.
On Desktop, geckotrail is the fixed string “20100101”.


No : )

I didn’t know what that meant; now I do.

That botnet has been active for the last few weeks and at its peak, just one of my sites blocked access to over 150 different IPs in the group in a single 24-hour period.

I handle it by blocking via user agent in my script. Luckily, the writer of the script was too lazy to pull from a pool of different user agents, so you can block every single one with a single match.

You can see some of them that got grabbed in the last 24 hours:

I chose “Firefox/7.0.1” to match against since I could be fairly confident that nobody would be browsing my site with Firefox 7 😃
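The trade-off discussed in this thread, as an added example that is not code from any of the posters: it parses combined-format access log lines, groups signup POSTs by user agent, and compares what a "Gecko/20100101" rule and a "Firefox/7.0.1" rule would each block. The function names, the rule constants, and the last log line (a constructed Firefox 52 visitor from a documentation IP) are assumptions.

```python
import re
from collections import defaultdict

SIGNUP_PATH = "/newsletter/subscriber/new/"
BOT_UA = "Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
# Constructed: a desktop Firefox release that was current in April 2017.
REAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0"
BROAD_RULE = r"Gecko/20100101"             # the token the question noticed
NARROW_RULE = r"Firefox/7\.0\.1(?![\d.])"  # the reply's choice; will not match 7.0.10

# Four POST lines from the question; the last line is constructed.
SAMPLE_LOG = f'''\
46.105.100.149 - - [19/Apr/2017:23:56:44 +0000] "POST {SIGNUP_PATH} HTTP/1.1" 302 46 "http://example.com/" "{BOT_UA}"
178.63.97.34 - - [20/Apr/2017:00:12:57 +0000] "POST {SIGNUP_PATH} HTTP/1.1" 302 46 "http://example.com/" "{BOT_UA}"
109.163.234.2 - - [20/Apr/2017:00:13:15 +0000] "POST {SIGNUP_PATH} HTTP/1.1" 302 46 "http://example.com/" "{BOT_UA}"
163.172.142.15 - - [20/Apr/2017:00:41:38 +0000] "POST {SIGNUP_PATH} HTTP/1.1" 302 46 "http://example.com/" "{BOT_UA}"
203.0.113.7 - - [20/Apr/2017:00:50:02 +0000] "POST {SIGNUP_PATH} HTTP/1.1" 302 46 "http://example.com/" "{REAL_UA}"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def signup_posts(log_text):
    """Return (ip, user_agent) for every POST to the signup endpoint."""
    matches = (LINE_RE.match(raw) for raw in log_text.splitlines())
    return [(m["ip"], m["ua"]) for m in matches
            if m and m["method"] == "POST" and m["path"] == SIGNUP_PATH]

def ips_per_agent(hits):
    """Map each user agent to the set of client IPs that posted with it."""
    seen = defaultdict(set)
    for ip, ua in hits:
        seen[ua].add(ip)
    return dict(seen)

def rule_effect(hits, pattern):
    """Count signup POSTs a user-agent rule would block, split bot vs. other."""
    rx = re.compile(pattern)
    blocked = [ua for _, ua in hits if rx.search(ua)]
    bots = sum(ua == BOT_UA for ua in blocked)
    return {"bot": bots, "other": len(blocked) - bots}

if __name__ == "__main__":
    hits = signup_posts(SAMPLE_LOG)
    print({ua: len(ips) for ua, ips in ips_per_agent(hits).items()})
    for pattern in (BROAD_RULE, NARROW_RULE):
        print(pattern, rule_effect(hits, pattern))
```

One identical user agent arriving from many unrelated IPs is the signal worth alerting on; the block rule only holds until the bot's author changes that string.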
