Add PanamaServer.com to your .htaccess or iptables blocklists

For the past several weeks I have seen a huge increase in the volume of spam email promoting the fake Canadian Pharmacy. I write about it in my weekly reports about the classifications of spam, according to the anti-spam program MailWasher Pro and my custom MailWasher spam filters.

Whenever a spam email makes it through my automatic deletion spam filters I analyze it's contents and add the appropriate words or regular expressions to existing filter rules, or create new ones. Since most spam messages contain links to the spamvertised websites I will perform a stealth investigation of the website in the spam links. So far, all of the links in a recent spate of fake Fox News spam email lead to the fake Canadian Pharmacy. There is also a huge amount of spam the begins with the words Canadian Pharmacy.

Each day, or multiple times per day, the links point to a different website where the spamvertised pharmacy resides. So, I lookup the domains every now and then, using commercial Whois tools. Sometimes the fake pharmacy is located on a zombie computer in a Botnet. These are easy to spot because the header of the website reveals that it is running on the Nginx web server. Nginx is a tiny http server, made in Russia, and a favorite tool for use by Russian criminals to install on zombie machines under their control. But, not all Whois reports lead to zombies.

A large number of Whois IP traces in Canadian Pharmacy and Male Enhancement scams now lead to websites hosted on PanamaServer.com. This server farm is a new favorite place for spamvertised websites, phishing website, malware hosting and other dodgy goings on. Normally, one would not even know about the existence of PanamaServer unless they rented space on them to do business, or did Whois lookups of spam domains. But all that changed today for me, in another way.

I read my raw access logs every day, looking for sources of abuse, or referring domains, or other matters of interest to a Webmaster. Today's log revealed a long list of hits from somebody trying to harvest my entire website and trying to post spam comments via my contact form (failed due to my security implementation). All of these hits came from one IP address: 200.63.42.91, which the Whois reports as belonging to PanamaServer.com. The IP range (CIDR) assigned to this company is 200.63.40.0/22, ranging from 200.63.40.0 to 200.63.43.255. I have added that CIDR to my published Exploited Servers Blocklists, in .htaccess form and in iptables form. If you have an Apache based website you can block this domain and all spammers and scammers operating through websites hosted there. Just add 200.63.40.0/22 to your deny from list in .htaccess, or to the iptables list. Or, just download my Exploited Servers blocklist in the format you can use and install the entire blocklist. You will be protected against a huge number of exploited servers.

In case you don't know which list applies to your server, here's how to decide. If you are the administrator of the server and have root access to the Linux operating system, go with the iptables blocklist. If you are a customer on a shared hosting server, you must use the .htaccess blocklist. Full instructions for use are included on each blocklist.

I also maintain other country wide blocklists, in both .htaccess and iptables form. The landing pages for these blocklists are found at htaccess-blocklists.html and at iptables-blocklists.html.