This is officially getting ridiculous. Not only are my blogs getting a lot of comment spam, but my personal blog site is burning huge amounts of bandwidth, as particular (I assume zombie) hosts hit the site.
Below are the top ten bandwidth users of danielbowen.com for June:
| Top 10 of 15312 Total Sites By KBytes | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| # | Hits | Files | KBytes | Visits | Hostname | ||||
| 1 | 14380 | 4.10% | 3801 | 1.77% | 111235 | 2.22% | 159 | 0.24% | host-148-244-150-58.block.alestra.net.mx |
| 2 | 17558 | 5.01% | 3191 | 1.48% | 99441 | 1.98% | 157 | 0.24% | host-207-248-240-119.block.alestra.net.mx |
| 3 | 3927 | 1.12% | 3640 | 1.69% | 75989 | 1.51% | 3 | 0.00% | csr010.goo.ne.jp |
| 4 | 3062 | 0.87% | 2797 | 1.30% | 74881 | 1.49% | 171 | 0.26% | rrcs-24-97-174-130.nys.biz.rr.com |
| 5 | 3057 | 0.87% | 2200 | 1.02% | 62547 | 1.25% | 392 | 0.60% | msnbot.msn.com |
| 6 | 2691 | 0.77% | 2248 | 1.04% | 60684 | 1.21% | 153 | 0.23% | 64.124.85.78.become.com |
| 7 | 2256 | 0.64% | 2082 | 0.97% | 56383 | 1.12% | 124 | 0.19% | 98-101-196-200.linkexpress.com.br |
| 8 | 2146 | 0.61% | 2033 | 0.94% | 51665 | 1.03% | 279 | 0.43% | dsl-250-198.monet.no |
| 9 | 2001 | 0.57% | 1755 | 0.82% | 47605 | 0.95% | 23 | 0.04% | host133.sprintnetops.net |
| 10 | 1686 | 0.48% | 1571 | 0.73% | 35979 | 0.72% | 325 | 0.50% | corporativos |
It’s not like this site is hosting pr0n or something — there’s just no reason why any single host would need to grab 110Mb of traffic in a single month. In total traffic topped 4Gb for the month, which is ludicrous for a diary site with a few photos on it. 4Gb is actually my monthly limit — thankfully my web ISP isn’t too strict about charging extra for hitting that, but there’s always the risk if this is consistent that it’ll be costing me real money.
As a result I’ve started a list of bandwidth hogs’ IP addresses, which I’m putting in the .htaccess file. Anything with lots of hits and grabbing above about 5Mb per month is going onto the list, and the list is being duplicated (manually unfortunately) across to the other WordPress sites that I run.
Inspection of the access_log is particularly enlightening, with at present a staggering number of requests coming in with a referer at poker-related sites. Of the 6665 hits in the file for today (covering about 13 hours) there are 674 from texasholdemcenteral.com (note the wonky spelling) and 1212 from sportscribe.com. All of these too are now being blocked with a 403 (forbidden) via .htaccess.
Sigh. I suppose it’s just too much to expect people to place nice?
.htaccess extract – Feel free to copy for your own site to block miscreants.
# List of IP addresses grabbing excessive data
<Limit GET>
order allow,deny
deny from 38.144.36.
deny from 59.167.12.184
deny from 59.167.72.195
deny from 62.63.177.216
deny from 63.230.254.
deny from 64.142.38.
deny from 65.19.150.226
deny from 65.214.
deny from 66.191.171.78
deny from 68.111.233.
deny from 70.106.118.
deny from 81.240.255.
deny from 98.101.196.
deny from 128.178.155.
deny from 148.244.
deny from 194.224.199.
deny from 200.106.160.
deny from 202.28.204.
deny from 202.83.175.
deny from 202.83.167.
deny from 202.175.234.163
deny from 203.43.58.210
deny from 203.98.57.97
deny from 203.185.195.121
deny from 203.217.39.
deny from 203.144.216.211
deny from 207.234.146.
deny from 207.248.
deny from 209.145.93.100
deny from 209.203.205.90
deny from 213.146.157.75
deny from 213.179.170.
deny from 217.63.142.
deny from 229.70.85.116
allow from all
</Limit>
# Block referrers from poker sites
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} texasholdemcenteral\.com [NC,OR]
RewriteCond %{HTTP_REFERER} favorite-casino\.com [NC,OR]
RewriteCond %{HTTP_REFERER} sportscribe\.com [NC,OR]
RewriteCond %{HTTP_REFERER} poker-4all\.com
RewriteRule .* - [F]