
I've been receiving spam from a range of IP addresses, below is an example:

XX.XX.XX.123
XX.XX.XX.217
XX.XX.XX.179

Is it possible to look up the owner of a range of IP addresses or am I safe blocking a range when the first 3 blocks are the same like this:

XX.XX.XX.100 - XX.XX.XX.255
brandozz

1 Answer

There are five Regional Internet Registries (RIRs) that are delegated control over the IP space. Each of them hosts information on owners via whois, which you can query. From the command line, this would be:

$ whois 55.55.55.100
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=55.55.55.100?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       55.0.0.0 - 55.255.255.255
CIDR:           55.0.0.0/8
NetName:        CONUS-RCAS
NetHandle:      NET-55-0-0-0-1
Parent:          ()
NetType:        Direct Allocation
OriginAS:       
Organization:   Headquarters, USAISC (HEADQU-3)
RegDate:        1996-10-26
Updated:        2011-02-23
Ref:            http://whois.arin.net/rest/net/NET-55-0-0-0-1


OrgName:        Headquarters, USAISC
OrgId:          HEADQU-3
Address:        NETC-ANC CONUS TNOSC
City:           Fort Huachuca
StateProv:      AZ
PostalCode:     85613
Country:        US
RegDate:        1990-03-26
Updated:        2011-08-17
Ref:            http://whois.arin.net/rest/org/HEADQU-3

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName:   Registration
OrgAbusePhone:  +1-800-365-3642 
OrgAbuseEmail:  disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgAbuseRef:    http://whois.arin.net/rest/poc/REGIS10-ARIN

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-800-365-3642 
OrgTechEmail:  disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgTechRef:    http://whois.arin.net/rest/poc/REGIS10-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

There aren't good methods for programmatically querying this information, since most ISPs rate-limit your query volume due to potential abuse. There are also several web sites that can provide more information on IP owners, such as Robtex or SenderBase.

As you can see from the whois information posted above, there is no useful content there. You do not want to block a /8 CIDR (2^24 addresses, 1/256th of the IPv4 space).

This is why spam-specific lookups, like SenderBase, can help, as they can tell you mail volume and mail sender reputation. (Though, if the examples you gave are real, they are not known to SenderBase.)

Bottom line: No, it is not safe to block a large range of IPs in the IPv4 space you named.

Adam Katz
  • I actually changed my post because the spam is not coming from the 55.55.55.xxx IP address that I used in my example. – brandozz Feb 11 '15 at 18:22
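To make the answer's two points concrete (reading the allocation size out of a whois record, and seeing what the questioner's proposed "XX.XX.XX.100 - XX.XX.XX.255" block actually is), here is an added Python example. It is not code from the question or the answer. The whois text embedded below is trimmed from the ARIN record pasted in the answer; the 55.55.55.x range stands in for the masked XX.XX.XX addresses, and the /24 threshold for "too broad to block" is an illustrative policy choice, not something the answer states.

```python
import ipaddress
import re

# Fields trimmed from the whois output pasted in the answer above
# (ARIN record returned for 55.55.55.100).
WHOIS_OUTPUT = """\
NetRange:       55.0.0.0 - 55.255.255.255
CIDR:           55.0.0.0/8
NetName:        CONUS-RCAS
NetType:        Direct Allocation
Organization:   Headquarters, USAISC (HEADQU-3)
OrgAbuseEmail:  disa.columbus.ns.mbx.arin-registrations@mail.mil
"""

# Illustrative policy (assumption, not from the answer): a whois allocation
# wider than a /24 is too broad to block on the strength of whois alone.
MAX_BLOCK_PREFIX = 24


def parse_whois(text):
    """Return the key/value fields of an ARIN-style whois record.

    Only the first occurrence of a key is kept (RegDate/Updated appear
    twice in a full record: once for the net, once for the org).
    Keys with an empty value (e.g. 'OriginAS:') are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))
    return fields


def allocation_size(fields):
    """Number of addresses covered by the record's CIDR (or NetRange)."""
    if "CIDR" in fields:
        return sum(ipaddress.ip_network(c.strip()).num_addresses
                   for c in fields["CIDR"].split(","))
    start, end = (ipaddress.ip_address(p.strip())
                  for p in fields["NetRange"].split("-"))
    return int(end) - int(start) + 1


def covers(fields, ip):
    """True if the record's CIDR block(s) contain the given address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip())
               for c in fields["CIDR"].split(","))


def block_cidrs(first_ip, last_ip):
    """Minimal CIDR list covering an inclusive address range.

    The questioner's '.100 - .255' is not a single CIDR block, so a
    firewall/RBL that takes prefixes needs several entries.
    """
    rng = ipaddress.summarize_address_range(ipaddress.ip_address(first_ip),
                                            ipaddress.ip_address(last_ip))
    return [str(net) for net in rng]


def block_recommendation(fields, first_ip, last_ip):
    """Summarise what whois does and does not justify for a proposed block."""
    size = allocation_size(fields)
    too_broad = size > 2 ** (32 - MAX_BLOCK_PREFIX)
    return {
        "allocation_addresses": size,
        "ipv4_fraction": size / 2 ** 32,
        "allocation_too_broad": too_broad,
        "proposed_cidrs": block_cidrs(first_ip, last_ip),
        "abuse_contact": fields.get("OrgAbuseEmail"),
    }


if __name__ == "__main__":
    rec = parse_whois(WHOIS_OUTPUT)
    result = block_recommendation(rec, "55.55.55.100", "55.55.55.255")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run stand-alone, the script shows the record is a /8 of 16,777,216 addresses (1/256th of IPv4), that whois therefore says nothing about who uses the specific /24, and that the proposed range summarises to four prefixes (`/30`, `/29`, `/28`, `/25`) covering 156 addresses. The `OrgAbuseEmail` field is the contact the record actually gives you for reporting the spam.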