Block Website Content Thieves, Proxy Services & Exploited Servers, with this Apache Server ".htaccess" Blocklist
The IP addresses and CIDR ranges in this blocklist deny access to blog spammers, web page content scrapers, proxy browsing services and server exploiters, using compromised servers to sabotage websites hosted on Apache Servers.
Compiled by Wizcrafts Computer Services (see website links in footer)
Notice: The Russian Blocklist has been moved to a separate file: russian-blocklist.html
I read my raw access logs every day, watching for undesirable activity, such as hacking attempts, from humans and bots; unwanted foreign or privately owned indexing spiders; log and blog spam scripts; content scraping harvesters and last, but not least - proxy servers - that hide the IP of the person, or script, that is requesting access to a web page. Circumventor proxy services and servers are being used to bypass IP or host name filters, purposely put in place to block unwanted traffic. Sometimes spammers hide behind circumvertor proxies to spam your logs or blogs. Others, known as "CGI proxies," may steal your website's ranking in search results, by passing all of your web pages through proxy scripts on their servers, usually replacing your ads with theirs, depriving you of potential sales and advertising revenue you might have earned had these visitors landed on your actual website.
When I detect hostile or unwanted activity in my access logs I note the IP addresses from which these events emanated. Then I run them through specialized lookup tools to determine whether they came from residential or business computers - via an ISP, or from a web hosting company's servers, a proxy service, or from a co-located server in a data center. Since residential customers usually have dynamic or semi-static IP addresses, which are frequently changed by their ISPs, it makes no sense to block them. The next person who is assigned that IP may be a potential customer! Instead, I concentrate most of my efforts on blocking servers, which have static (non-changing) IP's. Additionally, I identify businesses with static IP's, who have compromised workstations and file servers that are controlled by hackers and spammers and which are trying to mess with my logs or my website security. With the exception of co-located and privately owned servers, almost all of these offending visitors (human and robot) come from companies that are assigned ranges of IP addresses, which are called a CIDR. Some CIDRs are very small (4 to 8 IP's), while others may include thousands of usable addresses. Once I determine that a hostile action came from a server and not an ISP, I lookup the CIDR to which it belongs and add it to a blocklist.
The work I put into my websites is meant to be consumed by human visitors who are interested in my information and services. People visit websites through ISPs, not through servers. When I see obvious attempts to spam my blog, or access log, I trace the origin and quite often I discover that the unwanted traffic comes from web hosting servers, some with active websites, which should never be trying to contact my web server. I created my blocklists to see to it that exploited and hostile servers only get an "Access Denied" page, when they try to exploit my websites. This is an ongoing fight and I sometimes add IPs to the list on a daily basis, as I identify traffic coming from hostile and exploited servers or business networks.
These IP blocklists are also available in iptables format, for use in Linux based firewalls.
If you are just trying to block scams and spam from your email inbox, read this section.
Apache web servers use a special access control file named .htaccess, which uses a combination of directives to allow or deny access to files or folders on the server. The .htaccess file is also used to create custom redirect rules for files, folders and entire websites that have been moved, deleted, or are temporarily or permanently gone. The proper location for your .htaccess file is in the web root. This is typically a directory named public_html, or web, depending on your hosting company.
The .htaccess file begins with a period, which makes it appear to have no prefix to Windows users. However, to a Unix based web server any file that begins with a period is considered a hidden system file. If you manage your website by using an FTP Client (program) to upload files it may require you to enter a special code, or check a box that allows hidden server files to be displayed. For example, WS_FTP (a very popular FTP Client) has a place to add the code -al (that is a lowercase L) in the startup configuration of sites that are added to the Site list. This code tells the server to display hidden files like .htaccess. If you are using WS_FTP open the Site Manager, create a website connection, or select an existing one (left click once), click the Edit button to open the Site Options, then click on the Startup link in Site Options. Find the input field named "Remote file mask" and type -al in it, then click OK to save the change. Now, when you log onto the website you will be able to view, edit, upload or download normally hidden files like .htaccess.
If you do not use an FTP Client to upload files, but are using a web-based control panel, it is entirely up to your web host as to whether or not you can view, alter, or upload .htaccess files.
Important Notice! Be careful when creating, editing, or pasting codes into a .htaccess file, because if you type an invalid term, directive, or character, or add an unescaped space in a regular expression, you may cause a Server 500 error to occur, locking everybody out of the website, except via FTP access (with login credentials).
The .htaccess file below has been tested and is in use on my own server. It should not cause any Server 500 errors on most Apache installations, but use it at your own risk. It is always a good idea to upload a new .htaccess file to a test directory and try to access a file in it from your browser. If you are not blocked from viewing the test file your .htaccess is probably good to go.
The rest of this page revolves around using the Apache module mod_authz_host to block unwanted traffic from exploiter servers and business networks. If you don't know if a custom .htaccess file, or the use of mod_authz_host is allowed/supported on your web server, ask the hosting company's support department (send an example of the code from here).
Add (copy and paste) this list to your existing .htaccess file on your Apache server, or copy all the content between the horizontal lines into a new text file, in Notepad (or equivilant), save as a plain .txt file, then rename it .htaccess, and upload it in ASCII mode to your web server, to the root directory where your publicly viewable html files reside (not above the public web root, nor in a sub-directory). This directory may be called /web or /public_html, etc.
We can create custom blocklists for Apache based websites, based on your particular needs, at reasonable hourly rates. If you want to hire us to create a custom blocklist, or install this .htaccess blocklist on your server for you, contact us through our Webmaster Services contact form.
And now, a word from one of our sponsors:
Lines beginning with the # sign are comments, and are not interpreted by the server. Comments (#) can be used to temporarily activate or deactivate individual directives, or entire "deny from" lines, by adding or removing a # from the beginning of that line. DO NOT REMOVE THE # SIGNS FROM TEXT COMMENTS! That will cause a Server 500 error! If you don't need the comments remove them entirely.
Any IP address falling within a CIDR range covered by this list will be denied all access to your Apache server, except for a 403 "Forbidden" message, or your custom 403 page. If you use a custom 403 page be sure to "allow" it in a "SetEnvIf" directive (e.g. SetEnvIf 403\.shtml allowit), and add an "allow from env=allowit" statement to the end of the blocklist.
Everything between the horizontal lines is .htaccess directives, comments (#) and IP deny lists. This list will be updated whenever a new shared, dedicated, or co-located server is traced to spammers or exploiters, or if an IP range is removed after further research (to protect the innocent). The last directive forbids web visitors from viewing your .htaccess file online, as a security measure.
Caution: Use this list at your own risk! If you misspell a directive, or add a space where there shouldn't be one, or remove the spaces between IP ranges, you may cause a Server 500 lockout error (stay logged into your FTP program just in case). Wizcrafts will not be responsible for any problems that may arise from the use of this blocklist.
This blocklist was last updated on Wednesday, 03-Apr-2013 10:38:00 MDT
|Monitor this page for changes|
<Files *> order deny,allow ##### READ THIS BEFORE USING THE LISTS BELOW HERE! ### If your website, or dedicated server, has an IP address falling within the ones below and you use absolute URLs in your includes or links, those pages will be blocked from loading. ### If this occurs you should find the IP of your website, or server, and allow it, using the example form: allow from (your IP address(es)) ### You can find your website's IP address by logging into your website's Control Panel (e.g. Cpanel, Plesk, vDeck, Ensim) and it should be displayed on the control panel home page. ### You can also run a Whois lookup, at - http://whois.domaintools.com - on your domain name, to see the IP where it is hosted. ### Example of a page that might be blocked: You use PHP (or SSI) includes for headers, navigation links, or footers, using this form: <php include('http://www.example.com/folder/filename'); ### If your web server is covered by this blocklist the included page will get a 403 forbidden server status. ### If you host multiple web pages and they communicate with each other using http scripts, the communication will break if either is listed, unless you add "allow from" directives on each web site's blocklist, for the other's specific IP address(es). ### You can also avoid having your own includes or linked pages blocked, by using relative URLs instead. E.g: <php include('/folder/filename'); ## Servers should not be contacting other servers, trying to spam or exploit them. That's how they got on these lists in the first place! ## There are a lot of commonly used web servers covered by the following "deny from" lists! Your website may be hosted on an IP in these blocklists. # The web servers blocked here are being used as proxy servers, for attacking other servers, or for harvesting, scraping, spamming, phishing, or hosting hostile scripts used to infect personal computers. As such they are threats to your website, even if you are with a host on this list. # These are not ISPs or PCs. They are website hosting servers, parked domain hosts and datacenters. ### Removed entire existing list of exploited servers on Dec 19, 2012, to start afresh ############################################## Blocklist Begins ############################################### ###### Exploited - shared, VPS and dedicated web servers, listed by the entire CIDR assigned to each hosting company. # Miscellaneous badware and exploiting hosts and servers: deny from 126.96.36.199/19 188.8.131.52/18 # Psychz Networks - Spam and attack friendly web hosting company that turns a blind eye to abuse reports deny from 184.108.40.206/21 220.127.116.11/20 18.104.22.168/20 22.214.171.124/22 126.96.36.199/21 188.8.131.52/22 184.108.40.206/20 220.127.116.11/20 # Proxy servers and services and hosting companies with proxy server clients, listed by the full CIDR of the hosting company. deny from 18.104.22.168/24 22.214.171.124/23 126.96.36.199/16 188.8.131.52/16 184.108.40.206/16 220.127.116.11/17 18.104.22.168/29 22.214.171.124/29 126.96.36.199/24 188.8.131.52/16 184.108.40.206/29 220.127.116.11/29 18.104.22.168/29 22.214.171.124/15 126.96.36.199/24 188.8.131.52 184.108.40.206/25 220.127.116.11/26 18.104.22.168/20 22.214.171.124/24 126.96.36.199/20 188.8.131.52/20 184.108.40.206/26 220.127.116.11/18 18.104.22.168/16 22.214.171.124/23 126.96.36.199/17 188.8.131.52/18 184.108.40.206/29 220.127.116.11/20 # Individual Proxy Server IPs deny from 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 # Cyveillance, Performance Systems International (PSI) and associated companies (Internet Content Spies) deny from 126.96.36.199/24 188.8.131.52/29 184.108.40.206/28 220.127.116.11/26 18.104.22.168/26 # Removed Schlund US, including SIM.ORG from the exploited servers list on Jan 20, 2009 allow from 22.214.171.124/17 126.96.36.199/27 ####################################################### # We occasionally move some of the individual proxy IP addresses into the Exploited Servers list, as their host's CIDR is confirmed as not belonging to an ISP. # The IP addresses in this blocklist belong to various types of web hosting companies, server farms and datacenters. # Add other blocked domain names or IP addresses here, starting with "deny from " without quotes # If you find that you need to poke a hole in the blocklist for legitimate visitors, follow this example: allow from 123.456.789.0 # Add "allow from" IP addresses, or CIDR Ranges, after all of the "deny from" items, just before the closing Files tag. # Everything not included within these deny from ranges is PERMITTED by the allow portion of the directive. # If some or all of your own webpages are 403'd by this blocklist, place your server's IP address(es)s after "allow from" below, then remove the comment before it. # allow from #your server's IP </Files> # This prevents web browsers or spiders from seeing your .htaccess directives: <Files .htaccess> deny from all </Files> # End of file
If you find these blocklists useful, please Donate to Wizcrafts. Contributions from people like you, who benefit from these blocklists, will enable this work to continue. Donate via PayPal
Anti-Spam email filtering solutions for companies and end-users
If you are tired of receiving spam, viruses and Phishing schemes in your personal computer's email inbox, why not give Mailwasher Pro a try? Mailwasher Pro is a program that intercepts and analyzes incoming email before it is delivered to your Eudora, IncrediMail, Outlook (Express), Thunderbird, or equivilant email client's inbox. Mailwasher uses a combination of Bayesian Learning Filters, a user controlled Whitelist and Blacklist, user created filters and rules, including regular expressions rules, DNS Blocklists like the Spamcop SBL, and the FirstAlert! Database of known spam as identified and reported by other Mailwasher Pro users around the World, to identify and deal with spam, scams, schemes and viruses. More details about MailWasher Pro.
This blocklist is compiled and maintained by Wizcrafts Computer Services. Use it at your own risk.
No warranties are implied or stated and we are not liable for any problems that may arise from it's use.
We provide Webmaster and website security consulting services on a freelance paid basis.
This page was last updated on: Wednesday, 03-Apr-2013 10:38:00 MDT
If you wish to contribute new IP addresses to this list, or hire us install a custom .htaccess file for you, please contact us via our Webmaster inquiries form.